Security News

Cybersecurity news aggregator

CRITICAL Attacks SecurityWeek

Rockwell Vulnerability Allowing Remote ICS Hacking Exploited in Attacks

The critical vulnerability CVE-2021-22681 (CVSS 9.8), an insufficiently protected cryptographic key in Rockwell Automation's Studio 5000 Logix Designer and Logix PLCs, allows a remote, unauthenticated attacker to bypass verification and connect to a controller by mimicking an engineering workstation. Affected versions include Studio 5000 Logix Designer 21.0 and earlier, RSLogix 5000 versions 16 through 20, and FactoryTalk Services Platform 2.10 and later. The available data do not list a fixed version from Rockwell Automation, but CISA requires federal agencies to apply mitigations by March 26, 2026, and the vendor has historically urged customers to ensure affected ICS devices are not connected to the internet.

The vulnerability was disclosed and mitigated in 2021 but its in-the-wild exploitation has only now come to light.

By Eduard Kovacs | March 6, 2026 (7:32 AM ET)

An old vulnerability affecting industrial control system (ICS) products from Rockwell Automation has been exploited in attacks, according to the vendor and the cybersecurity agency CISA.

CISA added the flaw, tracked as CVE-2021-22681, to its Known Exploited Vulnerabilities (KEV) catalog on Thursday, instructing federal agencies to address it by March 26.

The security hole affects the Studio 5000 Logix Designer software and several Logix programmable logic controllers (PLCs), including CompactLogix, ControlLogix, DriveLogix, FlexLogix, GuardLogix, and SoftLogix devices.

CVE-2021-22681 was disclosed in February 2021, when the vendor announced mitigations and credited Soonchunhyang University in South Korea, Kaspersky, and Claroty for reporting it. Claroty said at the time that it had reported the issue to Rockwell in 2019.

The vulnerability, related to an insufficiently protected cryptographic key, could allow a remote, unauthenticated attacker to bypass verification and connect to a targeted controller by mimicking an engineering workstation. In a real-world industrial environment, the vulnerability could allow remote attackers to manipulate PLC logic and disrupt manufacturing processes, or even cause physical damage to equipment.

Rockwell updated its initial advisory on Thursday to mention in-the-wild exploitation of CVE-2021-22681, but the company has not shared any information about the attacks. SecurityWeek has reached out to Rockwell for comment and will update this article if the company responds.

A Shodan search currently shows nearly 6,000 internet-exposed Rockwell devices, but it's unclear how many may be affected by CVE-2021-22681.

It's worth noting that Rockwell issued a security notice in 2024, urging customers to ensure their ICS devices are not connected to the internet. One of the vulnerabilities highlighted in that alert was CVE-2021-22681, which indicates that the vendor did not rule out malicious exploitation.

In 2023, Rockwell and CISA warned that an unnamed APT had developed an exploit for a different Rockwell controller vulnerability (CVE-2023-3595), which could be exploited to cause disruption or destruction, but there had been no evidence of actual attacks.

Currently, CVE-2021-22681 is the only Rockwell product vulnerability in CISA's KEV catalog.

Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor's degree in industrial informatics and a master's degree in computer techniques applied in electrical engineering.