CVE-2021-22681

CVE-2021-22681 is a critical-severity vulnerability in Rockwellautomation Factorytalk Services Platform with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-03-05). The underlying weakness is classified as CWE-522.

Key facts

Description

Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.

Frequently asked questions

What is CVE-2021-22681?
Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.
How severe is CVE-2021-22681?
CVE-2021-22681 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2021-22681 being actively exploited?
Yes. CVE-2021-22681 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-03-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2021-22681?
CVE-2021-22681 primarily affects Rockwellautomation Factorytalk Services Platform. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-22681?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2021-22681 have an EU (EUVD) identifier?
Yes. CVE-2021-22681 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-9817. It is also flagged as exploited in the EUVD (since 2026-03-05).
When was CVE-2021-22681 published?
CVE-2021-22681 was published on 2021-03-03 and last updated on 2026-06-17.

References

Affected products (3)

More vulnerabilities in Rockwellautomation Factorytalk Services Platform

All CVEs affecting Rockwellautomation Factorytalk Services Platform →

Other CWE-522 (Insufficiently Protected Credentials) vulnerabilities

Browse all CWE-522 (Insufficiently Protected Credentials) vulnerabilities →