CISA Adds Critical Hikvision and Rockwell Automation Flaws to KEV Catalog — Attacks Are Active
CISA confirmed active exploitation of CVE-2017-7921 (Hikvision cameras) and CVE-2021-22681 (Rockwell Automation controllers), both CVSS 9.8. Federal agencies must patch by March 26, 2026. Legacy vulnerabilities remain potent weapons in attacker arsenals.
If your network has security cameras or industrial controllers, drop what you're doing and read this. CISA just added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog, confirming that attackers are actively going after Hikvision cameras and Rockwell Automation industrial controllers in the wild. Both carry a CVSS score of 9.8 out of 10, which is about as bad as it gets.
The first flaw, CVE-2017-7921, affects a wide range of Hikvision products and has been sitting in the open for nearly a decade. It's an improper authentication vulnerability, which is security-speak for "an attacker can waltz past your login screens, escalate privileges, and help themselves to whatever sensitive data the system has access to." SANS Internet Storm Center actually spotted exploit attempts targeting this vulnerability back in late October 2025, so the fact that it's now officially on the KEV list confirms what defenders suspected for months. Someone out there is weaponizing this at scale.
The second vulnerability, CVE-2021-22681, targets Rockwell Automation's Studio 5000 Logix Designer, RSLogix 5000, and various Logix Controllers. This one is an insufficiently protected credentials issue, meaning an attacker with network access can bypass authentication entirely, connect to the controller as if they owned it, and then alter its configuration or application code. If you're running industrial processes, this isn't just an IT problem anymore. It's an operational technology nightmare.
What makes this pairing particularly concerning is the breadth of environments affected. Hikvision cameras are everywhere, from small business storefronts to enterprise data centers and even government facilities. Rockwell Automation gear runs manufacturing floors, critical infrastructure, and industrial processes across nearly every sector. Neither of these vendors is an obscure name with a few deployments. They're ubiquitous, which means the attack surface is enormous.
CISA has given Federal Civilian Executive Branch agencies until March 26, 2026 to patch or mitigate these issues under Binding Operational Directive 22-01. That's a tight three-week window, and while the mandate only applies to federal agencies, everyone else should treat it as their own deadline. Attackers aren't waiting for compliance schedules.
For Hikvision cameras, the remediation path is firmware updates. Check your device models against Hikvision's advisory and get current. If you have cameras that are no longer receiving firmware updates, it's time to replace them entirely. Vulnerable cameras exposed to the internet are trivial to scan for and exploit, and leaving them online is essentially handing over a beachhead into your network.
For Rockwell Automation systems, the situation is more complex because industrial control systems aren't trivial to patch during production. Rockwell has published guidance on mitigating the vulnerability, which includes network segmentation, restricting controller access, and monitoring for anomalous connections. If you haven't already isolated your OT networks from general IT traffic, this is your wake-up call.
The broader takeaway here is that legacy vulnerabilities don't go away just because they're old. CVE-2017-7921 has been around since 2017 and attackers are still finding value in it today. If your vulnerability management program only prioritizes brand-new CVEs, you're missing the forest for the trees. Sometimes the oldest flaws are the most reliable tools in an attacker's arsenal.
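As an added example (not code from CISA or from this article), the sketch below ranks scanner findings by KEV membership and due date instead of by CVE age or CVSS alone. The KEV excerpt is constructed using the feed's `cveID` and `dueDate` field names with values from this article; the asset names and the `CVE-0000-00001` placeholder are hypothetical.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed; values taken from the article.
KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "dueDate": "2026-03-26"},
  {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation", "dueDate": "2026-03-26"}
]}
"""

# Constructed scanner findings. Asset names are hypothetical and
# CVE-0000-00001 is a placeholder for any recent CVE that is not in KEV.
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-00001", "cvss": 9.8},
    {"asset": "cam-lobby-01", "cve": "cve-2017-7921", "cvss": 9.8},
    {"asset": "plc-line-3", "cve": "CVE-2021-22681", "cvss": 9.8},
]

def load_kev(text):
    """Index KEV entries by upper-cased CVE ID."""
    return {v["cveID"].upper(): v for v in json.loads(text)["vulnerabilities"]}

def prioritize(findings, kev, today):
    """Rank findings: KEV-listed first, then earliest due date, then CVSS."""
    rows = []
    for f in findings:
        entry = kev.get(f["cve"].upper())
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({
            "asset": f["asset"],
            "cve": f["cve"].upper(),
            "cvss": f["cvss"],
            "in_kev": entry is not None,
            "due": due,
            # Negative means the KEV deadline has already passed.
            "days_left": (due - today).days if due else None,
        })
    rows.sort(key=lambda r: (not r["in_kev"], r["due"] or date.max, -r["cvss"]))
    return rows

if __name__ == "__main__":
    for r in prioritize(FINDINGS, load_kev(KEV_JSON), date.today()):
        flag = "KEV" if r["in_kev"] else "   "
        print(flag, r["asset"], r["cve"], "due", r["due"], "days left", r["days_left"])
```

All three findings share a CVSS of 9.8, so only the KEV lookup separates the two actively exploited issues from the placeholder.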
Patch your cameras. Segment your controllers. Assume someone is already probing your network for these exact weaknesses, because they probably are.