CVE-2021-22681 — Rockwell Multiple Products Insufficient Protected Credentials Vulnerability

CVE-2021-22681

Rockwell Automation Logix Controllers — Hardcoded Cryptographic Key Enables Unauthorized Controller Connection, Targeting OT/ICS Critical Infrastructure

What are Rockwell Automation Logix Controllers?

Rockwell Automation (Allen-Bradley) Logix programmable controllers (CompactLogix, ControlLogix, GuardLogix, SoftLogix, Studio 5000) are among the most widely deployed programmable logic controllers (PLCs) in North American industrial environments. These controllers manage physical processes in manufacturing, energy, utilities, water treatment, and transportation — executing ladder logic programs that directly control motors, valves, sensors, and safety systems. Studio 5000 Logix Designer is the engineering workstation software used to program and communicate with Logix controllers. Unauthorized access to Logix controllers can disrupt or sabotage industrial processes, cause equipment damage, or create safety hazards.

Overview

CVE-2021-22681 is an insufficiently protected credentials vulnerability (CWE-522) affecting Rockwell Automation Studio 5000 Logix Designer and multiple Logix controller products. The vulnerability involves a cryptographic key embedded in the Studio 5000 software that is used to authenticate communications between the engineering workstation and Logix controllers. If an attacker recovers this key, they can connect unauthorized applications directly to Logix controllers over EtherNet/IP — bypassing the authentication that normally requires use of the legitimate Studio 5000 software. CISA added this to KEV in March 2026 — five years after the initial ICS advisory — following confirmed exploitation in critical infrastructure environments.

Affected Versions

Product                                  Vulnerable   Notes
Studio 5000 Logix Designer (all versions) Yes         Contact Rockwell for mitigations
CompactLogix 5370                        Yes          Apply available firmware updates
ControlLogix 5570                        Yes          Apply available firmware updates
GuardLogix 5570                          Yes          Apply available firmware updates
CompactLogix 5380                        Yes          Apply available firmware updates
CompactLogix 5480                        Yes          Apply available firmware updates
ControlLogix 5580                        Yes          Apply available firmware updates
GuardLogix 5580                          Yes          Apply available firmware updates

Technical Details

Studio 5000 Logix Designer uses a proprietary EtherNet/IP-based protocol to communicate with Logix controllers. Part of the authentication mechanism involves a shared cryptographic key that both Studio 5000 and the controller use to verify legitimate communication:

  • Root cause: Insufficiently protected credentials (CWE-522) — the cryptographic key used for controller authentication is embedded in Studio 5000 software in a recoverable form. An attacker with access to the Studio 5000 software binary can extract this key
  • Exploitation: With the extracted key, an attacker can use custom software (not Studio 5000) to connect to Logix controllers over EtherNet/IP, read and modify control program logic, change controller configuration, and send commands to controlled processes
  • Network access required: The attacker must have network access to the controller's EtherNet/IP port — typically reachable only on the OT network
  • Attack implications: The ability to connect to Logix controllers with arbitrary software enables reading process data, modifying control programs, causing unsafe equipment states, or disabling safety systems (GuardLogix)
  • Five-year KEV gap: The 2021-to-2026 timeline between initial advisory and KEV addition suggests confirmed exploitation against operational technology environments, possibly in industrial espionage or pre-positioning for disruption

Discovery

Discovered and reported to Rockwell Automation through responsible disclosure. CISA published ICS Advisory ICSA-21-056-03 in February 2021. The five-year gap before KEV addition reflects the typical timeline for confirmed OT exploitation evidence reaching public attribution.

Exploitation Context

Rockwell Logix controllers are deployed in US critical infrastructure including power generation, water treatment, oil and gas processing, and manufacturing. Nation-state actors with pre-positioning goals in US critical infrastructure (Russian APTs like Sandworm/Volt Typhoon analogues, Iranian groups) have demonstrated interest in industrial control systems. Unauthorized controller access does not necessarily manifest as immediate disruption — attackers may silently collect process data, learn operational parameters, and establish persistent access for future use in sabotage scenarios.

Remediation

  1. Apply Rockwell Automation firmware updates for affected controller families per the vendor advisory
  2. Implement Defense in Depth for OT networks: segment OT networks from IT networks using firewalls and data diodes — no direct connectivity between corporate IT and Logix controller networks
  3. Restrict EtherNet/IP access to Logix controllers to authorized engineering workstations only — use network ACLs to block unauthorized EtherNet/IP (TCP/UDP port 44818) connections
  4. Deploy Rockwell FactoryTalk AssetCentre or equivalent OT security monitoring to detect unauthorized controller connections
  5. Review controller audit logs for unexpected connection events or program modification events
  6. Follow CISA's ICS security guidance at ICSA-21-056-03 and Rockwell's security advisory for specific mitigation steps
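As an added illustration of remediation steps 3 and 5 (this is example code, not Rockwell's or CISA's tooling): a small Python script that scans firewall flow logs for EtherNet/IP (port 44818) sessions into the controller subnet from hosts outside the authorized engineering-workstation allow-list. The log layout, addresses, subnet and allow-list are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed allow-list of engineering workstations permitted to open EtherNet/IP
# sessions to Logix controllers; addresses and subnet are hypothetical.
AUTHORIZED_WORKSTATIONS = {"10.20.1.10", "10.20.1.11"}
CONTROLLER_SUBNET = ipaddress.ip_network("10.30.0.0/24")
ENIP_PORT = 44818  # EtherNet/IP explicit-messaging port named in the remediation list

# Constructed firewall flow-log lines in a hypothetical syslog-like layout.
SAMPLE_LOG = """\
2026-03-06T08:01:12Z ACCEPT proto=TCP src=10.20.1.10:51234 dst=10.30.0.5:44818
2026-03-06T08:02:45Z ACCEPT proto=TCP src=10.20.1.10:51240 dst=10.30.0.7:44818
2026-03-06T08:15:03Z ACCEPT proto=TCP src=10.20.5.77:49152 dst=10.30.0.5:44818
2026-03-06T08:15:04Z ACCEPT proto=UDP src=10.20.5.77:49153 dst=10.30.0.5:44818
2026-03-06T08:16:00Z ACCEPT proto=TCP src=10.20.1.11:52000 dst=10.30.0.9:443
2026-03-06T08:20:31Z ACCEPT proto=TCP src=192.168.77.3:40000 dst=10.30.0.5:44818
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_flow(line):
    """Parse one flow-log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    flow = m.groupdict()
    flow["sport"], flow["dport"] = int(flow["sport"]), int(flow["dport"])
    return flow

def is_enip_to_controller(flow):
    """True when the flow targets port 44818 on a host inside the controller subnet."""
    return flow["dport"] == ENIP_PORT and ipaddress.ip_address(flow["dst"]) in CONTROLLER_SUBNET

def find_unauthorized_enip(log_text):
    """Return EtherNet/IP flows to controllers whose source is not an authorized workstation."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow and is_enip_to_controller(flow) and flow["src"] not in AUTHORIZED_WORKSTATIONS:
            alerts.append(flow)
    return alerts

def summarize(alerts):
    """Map each unauthorized source address to its number of controller connections."""
    return Counter(flow["src"] for flow in alerts)
```

Running find_unauthorized_enip(SAMPLE_LOG) flags the three sessions from 10.20.5.77 and 192.168.77.3 while ignoring the HTTPS flow to port 443 and the sessions from allow-listed workstations; summarize() groups the hits by source for triage.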

Key Details

Property              Value
CVE ID                CVE-2021-22681
Vendor / Product      Rockwell — Multiple Products
NVD Published         2021-03-03
NVD Last Modified     2026-03-06
CVSS 3.1 Score        9.8
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              CRITICAL
CWE                   CWE-522
CISA KEV Added        2026-03-05
CISA KEV Deadline     2026-03-26
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-03-26. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2021-02-25   CISA publishes ICS Advisory ICSA-21-056-03 for Rockwell Automation Logix Controllers
2021-03-03   CVE published
2026-03-05   Added to CISA Known Exploited Vulnerabilities catalog — five years after initial advisory
2026-03-26   CISA BOD 22-01 remediation deadline