The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added two critical vulnerabilities, one impacting Hikvision products and another affecting Rockwell Automation systems, to its Known Exploited Vulnerabilities (KEV) catalog. This addition signifies that CISA has found evidence of active exploitation in the wild, posing immediate risks to organizations utilizing these technologies. The inclusion requires federal agencies to patch these flaws by a set deadline.
These newly identified security flaws, both carrying a high CVSS score of 9.8, represent significant threats to network security. CVE-2017-7921 affects multiple Hikvision products, enabling privilege escalation and unauthorized access to sensitive data. Meanwhile, CVE-2021-22681 affects Rockwell Automation’s Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers, allowing unauthorized users with network access to bypass authentication and tamper with configurations or application code. The active exploitation of these vulnerabilities underscores the ongoing challenges in securing industrial control systems and networked devices.
CISA Flags Exploited Hikvision and Rockwell Automation Vulnerabilities
CISA’s decision to include CVE-2017-7921 in the KEV catalog follows concerns raised by the SANS Internet Storm Center. The SANS ISC had previously reported detecting exploit attempts against Hikvision cameras susceptible to this specific flaw, indicating a persistent interest from malicious actors. The disclosure of active exploitation for this particular vulnerability highlights the importance of vigilant monitoring and prompt response to emerging threats in the cybersecurity landscape.
The second vulnerability, CVE-2021-22681, impacts critical industrial automation equipment. While CISA cites evidence of active exploitation, there have been no widespread public reports detailing specific attacks leveraging this flaw. Nevertheless, its inclusion in the KEV catalog signifies that it has moved beyond theoretical risk to become a demonstrated threat vector, requiring immediate attention from affected organizations.
Implications for Federal Agencies and Beyond
In response to the identified exploitation, CISA has issued Binding Operational Directive (BOD) 22-01. This directive mandates that all Federal Civilian Executive Branch (FCEB) agencies update their affected Hikvision and Rockwell Automation products to the latest supported software versions by March 26, 2026. This deadline provides a clear timeline for remediation efforts within the federal sector, aiming to mitigate the risks posed by these exploited vulnerabilities.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA stated in its advisory. The agency emphasized that while BOD 22-01 is specific to FCEB agencies, all organizations are strongly encouraged to prioritize the remediation of vulnerabilities listed in the KEV catalog. This proactive approach is presented as a crucial component of a robust vulnerability management practice to reduce overall exposure to cyberattacks.
Future Actions and Recommendations
The inclusion of these vulnerabilities in the KEV catalog serves as a stark reminder that even older flaws can remain actively exploited. Organizations utilizing Hikvision and Rockwell Automation products should assess their environments for the presence of systems affected by CVE-2017-7921 and CVE-2021-22681. Prompt patching, or compensating controls where patching is not yet possible, is essential to prevent potential compromise.
The mandated deadline for federal agencies to address these issues by March 26, 2026, sets a precedent for other organizations. It is anticipated that cybersecurity professionals will closely monitor the progress of these remediation efforts and the potential for further exploitation as the deadline approaches. Continued vigilance and proactive security measures remain paramount in defending against evolving cyber threats.
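The assessment recommended above is usually a cross-reference of an asset inventory against the KEV catalog, which CISA publishes as JSON (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json). The script below is an added example and is not code from CISA or from the article. It follows the field names of the public KEV feed (cveID, vendorProject, product, dueDate), but the feed records and the asset inventory are constructed samples: the two CVE IDs, vendors and the March 26, 2026 due date come from the article, while the hostnames, the product strings and the third placeholder record are invented. It reports confirmed matches (a scanner already attributed the CVE to the host) separately from candidate matches (the host runs the listed vendor's equipment but still needs a version check), and flags anything past its due date.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. Field names match the
# real feed; the third record is an obvious placeholder so the filter has an
# unrelated entry to ignore. Product strings are illustrative, not quoted.
KEV_FEED_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
         "product": "Multiple Products", "dueDate": "2026-03-26"},
        {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
         "product": "Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers",
         "dueDate": "2026-03-26"},
        {"cveID": "CVE-PLACEHOLDER-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleProduct", "dueDate": "2030-01-01"},
    ]
})

# Constructed asset inventory, as it might be exported from a CMDB or a scanner.
# "cves" holds CVE IDs a scanner has already attributed to the host (may be empty).
INVENTORY_SAMPLE = [
    {"host": "cam-lobby-01", "vendor": "Hikvision", "cves": ["CVE-2017-7921"]},
    {"host": "cam-dock-07", "vendor": "hikvision", "cves": []},
    {"host": "plc-line3", "vendor": "Rockwell Automation", "cves": ["CVE-2021-22681"]},
    {"host": "eng-ws-12", "vendor": "Rockwell Automation", "cves": []},
    {"host": "fileserver", "vendor": "ExampleVendor", "cves": []},
]


def load_kev(feed_json):
    """Index KEV records by CVE ID: {cveID: record}."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def kev_by_vendor(kev):
    """Group KEV records by normalised vendor name for candidate matching."""
    by_vendor = {}
    for rec in kev.values():
        by_vendor.setdefault(rec["vendorProject"].strip().lower(), []).append(rec)
    return by_vendor


def make_finding(asset, rec, basis, today):
    """One report row; days_remaining is negative once the KEV due date has passed."""
    days = (date.fromisoformat(rec["dueDate"]) - today).days
    return {"host": asset["host"], "cve": rec["cveID"], "vendor": rec["vendorProject"],
            "due": rec["dueDate"], "days_remaining": days, "overdue": days < 0,
            "basis": basis}


def kev_exposure(feed_json, inventory, today_iso, watch=None):
    """Cross-reference an inventory against the KEV feed.

    basis == "cve":    a scanner already attributed the CVE to the host (confirmed).
    basis == "vendor": the host runs the listed vendor's gear but has no CVE finding
                       yet (candidate; needs a version check against the advisory).
    `watch` optionally restricts the report to a set of CVE IDs.
    Rows are ordered overdue first, then soonest due date, confirmed before candidate.
    """
    today = date.fromisoformat(today_iso)
    kev = load_kev(feed_json)
    by_vendor = kev_by_vendor(kev)
    findings = []
    for asset in inventory:
        seen = set()
        for cve in asset.get("cves", []):
            if cve in kev:
                findings.append(make_finding(asset, kev[cve], "cve", today))
                seen.add(cve)
        for rec in by_vendor.get(asset["vendor"].strip().lower(), []):
            if rec["cveID"] not in seen:  # don't duplicate a confirmed match
                findings.append(make_finding(asset, rec, "vendor", today))
    if watch:
        findings = [f for f in findings if f["cve"] in watch]
    findings.sort(key=lambda f: (f["days_remaining"], f["basis"] != "cve"))
    return findings


if __name__ == "__main__":
    report = kev_exposure(KEV_FEED_SAMPLE, INVENTORY_SAMPLE, "2026-03-01",
                          watch={"CVE-2017-7921", "CVE-2021-22681"})
    for f in report:
        status = "OVERDUE" if f["overdue"] else f"{f['days_remaining']}d left"
        print(f"{f['host']:<14} {f['cve']:<15} {f['basis']:<6} due {f['due']} ({status})")
```

Run against a real export, the only change is to replace the two sample constants with the downloaded feed and the organisation's inventory; the `watch` set keeps the report focused on the two CVEs named in the article, and dropping it reports every KEV entry the inventory touches.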