CVE-2021-22681
Published: 03 March 2021
Summary
CVE-2021-22681 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Rockwell Automation FactoryTalk Services Platform. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Rockwell Automation Studio 5000 Logix Designer versions 21 and later, along with RSLogix 5000 versions 16 through 20, contain an authentication bypass vulnerability in the mechanism that uses a key to verify communication between the engineering software and affected Logix controllers, including CompactLogix 1768/1769/5370/5380/5480, ControlLogix 5550/5560/5570/5580, DriveLogix 5560/5730/1794-L34, Compact GuardLogix 5370/5380, GuardLogix 5570/5580, and SoftLogix 5800. The flaw is tracked as CWE-522 and carries a CVSS 3.1 score of 9.8.
An unauthenticated remote attacker can exploit the weakness over the network to bypass the verification process and successfully authenticate to the listed controllers, resulting in full compromise of confidentiality, integrity, and availability without requiring user interaction or credentials.
CISA has published advisory ICSA-21-056-03 detailing the issue, and the vulnerability appears in the CISA Known Exploited Vulnerabilities Catalog, indicating confirmed real-world exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-9817
Vulnerability details
Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.
- CWE(s)
- KEV Date Added: 05 March 2026
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Directly enforces authentication before granting access to Logix controllers, blocking the unauthenticated bypass of the key verification mechanism.
Requires identification and authentication of users or processes connecting to the controllers, directly mitigating the authentication bypass flaw.
Mandates device-to-device identification and authentication between engineering software and affected Logix controllers, addressing the bypassed verification step.