CVE-2021-22681
CVE-2021-22681 is a critical-severity vulnerability in Rockwellautomation Factorytalk Services Platform with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2026-03-05). The underlying weakness is classified as CWE-522.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 25% (98th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2026-03-05)
- EU (EUVD) id: EUVD-2021-9817
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2026-03-05)
- Weakness: CWE-522
- Affected product: Rockwellautomation Factorytalk Services Platform
- Published:
- Last modified:
Description
Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.
Frequently asked questions
- What is CVE-2021-22681?
- Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.
- How severe is CVE-2021-22681?
- CVE-2021-22681 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2021-22681 being actively exploited?
- Yes. CVE-2021-22681 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2026-03-05, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2021-22681?
- CVE-2021-22681 primarily affects Rockwellautomation Factorytalk Services Platform. In total, 3 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-22681?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2021-22681 have an EU (EUVD) identifier?
- Yes. CVE-2021-22681 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2021-9817. It is also flagged as exploited in the EUVD (since 2026-03-05).
- When was CVE-2021-22681 published?
- CVE-2021-22681 was published on 2021-03-03 and last updated on 2026-06-17.
References
- https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22681
Affected products (3)
- cpe:2.3:a:rockwellautomation:factorytalk_services_platform:*:*:*:*:*:*:*:*
- cpe:2.3:a:rockwellautomation:rslogix_5000:*:*:*:*:*:*:*:*
- cpe:2.3:a:rockwellautomation:studio_5000_logix_designer:*:*:*:*:*:*:*:*
More vulnerabilities in Rockwellautomation Factorytalk Services Platform
- CVE-2020-14516 — Critical (CVSS 10.0): In Rockwell Automation FactoryTalk Services Platform Versions 6.10.00 and 6.11.00, there is an issue with the…
- CVE-2024-21917 — Critical (CVSS 9.8): A vulnerability exists in Rockwell Automation FactoryTalk® Service Platform that allows a malicious user to obtain the…
- CVE-2020-6967 — Critical (CVSS 9.8): In Rockwell Automation all versions of FactoryTalk Diagnostics software, a subsystem of the FactoryTalk Services…
- CVE-2024-21915 — Critical (CVSS 9.0): A privilege escalation vulnerability exists in Rockwell Automation FactoryTalk® Service Platform (FTSP). If exploited,…
- CVE-2020-12033 — High (CVSS 8.8): In Rockwell Automation FactoryTalk Services Platform, all versions, the redundancy host service (RdcyHost.exe) does not…
- CVE-2021-32960 — High (CVSS 8.5): Rockwell Automation FactoryTalk Services Platform v6.11 and earlier, if FactoryTalk Security is enabled and deployed…
All CVEs affecting Rockwellautomation Factorytalk Services Platform →
Other CWE-522 (Insufficiently Protected Credentials) vulnerabilities
- CVE-2026-7312 — Critical (CVSS 10.0): CWE‑522: Insufficiently Protected Credentials in web services in Progress Sitefinity version from 14.0.7700 to…
- CVE-2026-29128 — Critical (CVSS 10.0): IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g.,…
- CVE-2025-54863 — Critical (CVSS 10.0): Radiometrics VizAir is vulnerable to exposure of the system's REST API key through a publicly accessible configuration…
- CVE-2024-12799 — Critical (CVSS 10.0): Insufficiently Protected Credentials vulnerability in OpenText Identity Manager Advanced Edition on Windows, Linux, 64…
- CVE-2024-51545 — Critical (CVSS 10.0): Username Enumeration vulnerabilities allow access to application level username add, delete, modify and list…
- CVE-2023-1778 — Critical (CVSS 10.0): This vulnerability exists in GajShield Data Security Firewall firmware versions prior to v4.28 (except v4.21) due to…
Browse all CWE-522 (Insufficiently Protected Credentials) vulnerabilities →