Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Hikvision and Rockwell Automation products to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The critical-severity vulnerabilities are listed below - CVE-2017-7921 (CVSS score: 9.8) - An improper authentication vulnerability affecting
Analysis Summary
# Vulnerability: Hikvision and Rockwell Automation Critical Flaws Added to CISA KEV
## CVE Details
### Impact 1: Hikvision
- **CVE ID:** CVE-2017-7921
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication)
### Impact 2: Rockwell Automation
- **CVE ID:** CVE-2021-22681
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-522 (Insufficiently Protected Credentials)
## Affected Systems
- **Products:**
  - **Hikvision:** Multiple IP Camera and NVR products.
  - **Rockwell Automation:** Studio 5000 Logix Designer, RSLogix 5000, and various Logix Controllers.
- **Versions:** Multiple legacy and current versions (specifics vary by product line).
- **Configurations:** Devices exposed to the network or internet without updated firmware/software.
## Vulnerability Description
- **CVE-2017-7921 (Hikvision):** An improper authentication flaw in the device's web server. It allows a remote attacker to bypass authentication, escalate privileges, and gain access to sensitive system information or administrative functions.
- **CVE-2021-22681 (Rockwell Automation):** The software utilizes insufficiently protected credentials. A remote, unauthorized user can exploit this to bypass verification mechanisms, authenticate with the controller, and alter configuration or application code.
## Exploitation
- **Status:** Exploited in the wild (Both added to CISA KEV Catalog in March 2026). SANS ISC reported active scanning/exploitation of Hikvision devices as recently as late 2025.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Access to sensitive info/streams/credentials)
- **Integrity:** High (Modification of PLC code/device configuration)
- **Availability:** High (Potential for device takeover or operational disruption)
## Remediation
### Patches
- **Hikvision:** Users must update to the latest supported firmware versions provided by the vendor.
- **Rockwell Automation:** Update Studio 5000 Logix Designer and controller firmware to the latest patched versions. Federal agencies are mandated to remediate by **March 26, 2026**.
### Workarounds
- **Network Segmentation:** Isolate ICS/SCADA and IoT devices from the public internet.
- **Access Control:** Implement strict IP whitelisting for management interfaces.
- **Disconnection:** Rockwell has previously advised disconnecting critical controllers from the public internet entirely to mitigate remote exploitation risk.
## Detection
- **Indicators of Compromise:** Unusual administrative logins from unrecognized IP addresses; unauthorized changes to PLC logic or camera settings.
- **Detection methods and tools:** Monitoring network traffic for signature-based patterns related to known Hikvision/Rockwell exploits; utilizing CISA’s KEV catalog to audit asset management databases.
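
The KEV-to-inventory audit mentioned above can be sketched as follows. This is an added example, not code from CISA or either vendor: the KEV entries are a constructed sample shaped like the catalog's JSON feed, and the asset export, its field names and the vendor alias table are assumptions. A vendor match only marks a candidate; firmware versions still have to be checked against the vendor advisory.

```python
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed. The dueDate is the
# deadline quoted on this page, assumed here to apply to both entries.
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation", "dueDate": "2026-03-26"},
]}

# Hypothetical asset-inventory export (constructed); field names are assumptions.
ASSETS = [
    {"host": "cam-lobby-01", "vendor": "HIKVISION", "model": "IP camera", "internet_exposed": True},
    {"host": "plc-line-3", "vendor": "Allen-Bradley", "model": "Logix controller", "internet_exposed": False},
    {"host": "eng-ws-07", "vendor": "Rockwell Automation", "model": "Studio 5000 Logix Designer", "internet_exposed": False},
    {"host": "nvr-dc-02", "vendor": "Hangzhou Hikvision Digital Technology", "model": "NVR", "internet_exposed": False},
    {"host": "sw-core-01", "vendor": "Cisco", "model": "switch", "internet_exposed": False},
]

# Inventories rarely spell vendors the way KEV does; map KEV vendor -> substrings.
VENDOR_ALIASES = {
    "hikvision": ("hikvision",),
    "rockwell automation": ("rockwell", "allen-bradley"),
}

def audit(kev, assets, today):
    """Return candidate assets per KEV entry, internet-exposed first."""
    findings = []
    for vuln in kev["vulnerabilities"]:
        key = vuln["vendorProject"].lower()
        aliases = VENDOR_ALIASES.get(key, (key,))
        days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
        for asset in assets:
            vendor = asset["vendor"].lower()
            if any(alias in vendor for alias in aliases):
                findings.append({"host": asset["host"], "cve": vuln["cveID"],
                                 "exposed": asset["internet_exposed"],
                                 "days_left": days_left,
                                 "overdue": days_left < 0})
    # Exposed devices first (the configuration this page flags), then by host.
    return sorted(findings, key=lambda f: (not f["exposed"], f["host"]))

if __name__ == "__main__":
    for finding in audit(KEV_SAMPLE, ASSETS, date(2026, 3, 10)):
        print(finding)
```
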
## References
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- **Vendor Advisory (Hikvision):** hxxps[://]www[.]hikvision[.]com/en/support/cybersecurity/announcements/
- **Vendor Advisory (Rockwell):** hxxps[://]rockwellautomation[.]custhelp[.]com/
- **Original Article:** hxxps[://]thehackernews[.]com/2026/03/hikvision-and-rockwell-automation-cvss[.]html