A vulnerability in Rockwell Automation's Studio 5000 Logix Designer software and several Logix PLCs has been exploited in attacks, according to the vendor and CISA. The flaw, tracked as CVE-2021-22681, was disclosed in February 2021 and mitigated at that time, but in-the-wild exploitation only came to light recently. CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, instructing federal agencies to remediate by 26 March.
The vulnerability relates to an insufficiently protected cryptographic key. A remote, unauthenticated attacker could exploit it to bypass verification and connect to a targeted controller by mimicking an engineering workstation, potentially enabling manipulation of PLC logic and disruption of manufacturing or even physical damage. A Shodan search shows nearly 6,000 internet-exposed Rockwell devices, though it is unclear how many are affected. Rockwell updated its initial advisory to note the in-the-wild exploitation but has not shared details of the attacks.