CISA adds critical Hikvision and Rockwell Automation flaws to KEV catalog after active exploitation
The U.S. Cybersecurity and Infrastructure Security Agency has added two critical vulnerabilities affecting Hikvision and Rockwell Automation products to its Known Exploited Vulnerabilities catalog, confirming that attackers have already used them in the wild. Both bugs carry a CVSS score of 9.8, and CISA has ordered Federal Civilian Executive Branch agencies to remediate them by March 26, 2026.
The two newly listed flaws are CVE-2017-7921 in multiple Hikvision products and CVE-2021-22681 in Rockwell Automation Logix-related products. CISA says these vulnerabilities pose significant risk to federal networks, while urging all organizations, not just federal agencies, to prioritize fixes for KEV-listed issues as part of normal vulnerability management.
What CISA added to the KEV catalog
CVE-2017-7921 affects multiple Hikvision products and stems from an improper authentication issue. CISA’s catalog entry says the flaw can let an attacker gain access to sensitive information, while Hikvision’s own advisory says successful exploitation can give unauthorized elevated privileges that allow an attacker to acquire or tamper with device information.
CVE-2021-22681 affects Rockwell Automation Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers. Rockwell says the issue could let an unauthorized application connect with Logix controllers if the attacker already has network access to the controller, effectively bypassing the verification mechanism used in controller communications.
Why the Hikvision flaw stands out
The Hikvision bug is old, but it remains dangerous because large numbers of internet-exposed cameras still run outdated firmware. Hikvision published its advisory in March 2017 and listed fixed firmware builds for affected camera lines, yet CISA’s KEV action shows the vulnerability still matters in 2026 because attackers continue to target unpatched devices.
That risk became clearer last year when SANS Internet Storm Center reported seeing exploit attempts against older Hikvision cameras tied to CVE-2017-7921. SANS noted that the traffic appeared to target legacy devices and linked the observed activity to the long-known camera vulnerability.
Why the Rockwell Automation listing matters
The Rockwell entry is especially important for industrial environments. Unlike a consumer device flaw, this bug affects products used in operational technology and industrial control settings, where controller trust and code integrity matter far more than ordinary software login security. Rockwell’s advisory says the vulnerability is not corrected and instead points customers to workarounds and mitigations.
Rockwell updated its advisory on March 5, 2026 to mark the flaw as a Known Exploited Vulnerability. That timing lines up with CISA’s KEV addition and signals that defenders in industrial environments should review exposure immediately, even if public reporting has not yet described a specific attack chain involving this CVE.
At a glance
| Vulnerability | Vendor | Severity | What it can do | Current status |
|---|---|---|---|---|
| CVE-2017-7921 | Hikvision | 9.8 | Improper authentication that can lead to privilege escalation and access to sensitive device information | Added to CISA KEV, active exploitation confirmed |
| CVE-2021-22681 | Rockwell Automation | 9.8 | Authentication bypass that can let an unauthorized application connect to Logix controllers if it has network access | Added to CISA KEV, active exploitation confirmed |
What organizations should do now
Teams that use Hikvision gear should identify exposed cameras, compare firmware versions against Hikvision’s fixed builds, and isolate or retire unsupported devices. Internet-facing cameras deserve immediate attention because attackers often scan for them at scale.
Organizations running Rockwell Automation Logix environments should review network access to controllers, apply vendor-recommended mitigations, and verify whether engineering workstations or control networks expose the affected trust mechanism. In OT environments, reducing unnecessary controller access can matter just as much as patching.
Federal agencies face a firm deadline. Under Binding Operational Directive 22-01, CISA requires FCEB agencies to address these KEV entries by March 26, 2026. CISA also says KEV vulnerabilities remain among the most frequent attack vectors used by malicious actors.
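The triage step described above can be scripted. The following is an added example, not code from CISA or from any vendor named in this article: it matches scanner findings against KEV entries and ranks them by time left before the due date. The catalog sample uses the field names of CISA's KEV JSON feed with the dates given in this article; the findings layout, asset names, and the non-KEV placeholder CVE are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample in the field layout of CISA's KEV JSON feed;
# CVE IDs and dates are the ones stated in this article.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
   "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
  {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
   "dateAdded": "2026-03-05", "dueDate": "2026-03-26"}
]}
""")

# Constructed scanner findings; asset names and fields are hypothetical.
FINDINGS = [
    {"asset": "cam-lobby-01", "cve": "CVE-2017-7921", "internet_facing": True},
    {"asset": "plc-line-3", "cve": "CVE-2021-22681", "internet_facing": False},
    {"asset": "web-01", "cve": "CVE-0000-00000", "internet_facing": True},  # placeholder, not in KEV
    {"asset": "cam-dock-07", "cve": "CVE-2017-7921", "internet_facing": False},
]

def triage(findings, catalog, today):
    """Return KEV-listed findings ordered by urgency."""
    index = {v["cveID"]: v for v in catalog["vulnerabilities"]}
    rows = []
    for f in findings:
        entry = index.get(f["cve"])
        if entry is None:
            continue  # not KEV-listed: left to the normal patch cycle
        due = date.fromisoformat(entry["dueDate"])
        rows.append({
            "asset": f["asset"], "cve": f["cve"],
            "vendor": entry["vendorProject"],
            "days_left": (due - today).days,  # negative once the deadline has passed
            "overdue": today > due,
            "internet_facing": f["internet_facing"],
        })
    # Nearest deadline first; on ties, internet-facing assets ahead of internal ones.
    rows.sort(key=lambda r: (r["days_left"], not r["internet_facing"], r["asset"]))
    return rows

if __name__ == "__main__":
    for row in triage(FINDINGS, KEV_SAMPLE, date(2026, 3, 10)):
        print(row)
```

In practice the catalog argument would be the parsed KEV feed and the findings would come from the scanner or asset inventory export.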
Key takeaways
- CISA added two critical flaws, CVE-2017-7921 and CVE-2021-22681, to the KEV catalog on March 5, 2026.
- Both vulnerabilities carry a CVSS score of 9.8.
- The Hikvision issue affects older camera firmware and has already appeared in observed exploit activity.
- The Rockwell issue affects Logix ecosystem products and can let an unauthorized application connect to controllers if network access exists.
- FCEB agencies must remediate both by March 26, 2026.
FAQ
CISA’s Known Exploited Vulnerabilities catalog tracks security flaws that attackers have already exploited in real-world attacks. Agencies must prioritize these entries because CISA treats them as active risk, not theoretical exposure.
Yes. Even though Hikvision disclosed the issue in 2017, CISA added it to KEV in March 2026, and SANS previously reported exploit attempts against vulnerable Hikvision cameras. That usually points to lingering exposure from old or unpatched devices.
Rockwell’s public advisory marks the flaw as not corrected and points customers to mitigations and workarounds instead. Organizations should check the latest advisory details and reduce controller exposure where possible.