
Unprotected Private Key Allows Remote Hacking of Rockwell Controllers

Industrial organizations have been warned this week that a critical authentication bypass vulnerability can allow hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation.

The vulnerability, tracked as CVE-2021-22681 with a CVSS score of 10, was independently reported to Rockwell by researchers at Soonchunhyang University in South Korea, Kaspersky, and industrial cybersecurity firm Claroty.

Advisories for this flaw were published this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell (account required). Claroty has also released a blog post with a high-level description of its findings.

The vulnerability impacts Studio 5000 Logix Designer (formerly RSLogix 5000), the popular design and configuration software for PLCs, as well as over a dozen CompactLogix, ControlLogix, DriveLogix, Compact GuardLogix, GuardLogix, and SoftLogix controllers.

The problem is related to the Logix Designer software using a private cryptographic key to verify communications with controllers. This key is not sufficiently protected, allowing a remote, unauthenticated attacker to bypass the verification mechanism and connect to the controller by mimicking an engineering workstation.
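
The following is an added illustration, not code from the article, Rockwell, or Claroty, of why a key shipped inside engineering software cannot authenticate a workstation. The challenge-response protocol, key value, and class names are constructed for the demo and do not reflect the actual Logix handshake; the second class shows the contrast with per-workstation enrolled keys that can be revoked.

```python
import hashlib
import hmac
import os

# Constructed toy protocol (assumption, NOT the real Logix handshake): the
# controller sends a random challenge and accepts HMAC(key, challenge).
GLOBAL_KEY = b"constructed-demo-key-shipped-in-every-install"


def respond(key: bytes, challenge: bytes) -> bytes:
    """Response any party holding `key` can compute for a challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class SharedKeyController:
    """Weak design: one key for all workstations, embedded in the software."""

    def verify(self, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(respond(GLOBAL_KEY, challenge), response)


class PerPeerController:
    """Hardened contrast: each workstation is enrolled with its own secret."""

    def __init__(self) -> None:
        self.enrolled: dict[str, bytes] = {}  # workstation id -> unique key

    def enroll(self, peer_id: str) -> bytes:
        self.enrolled[peer_id] = os.urandom(32)
        return self.enrolled[peer_id]

    def revoke(self, peer_id: str) -> None:
        self.enrolled.pop(peer_id, None)

    def verify(self, peer_id: str, challenge: bytes, response: bytes) -> bool:
        key = self.enrolled.get(peer_id)
        return key is not None and hmac.compare_digest(respond(key, challenge), response)


def demo() -> dict:
    challenge = os.urandom(16)
    weak, strong = SharedKeyController(), PerPeerController()
    ews_key = strong.enroll("ews-01")  # hypothetical workstation id
    out = {
        # The shared key proves possession of the software, not identity:
        "weak_accepts_any_key_holder": weak.verify(challenge, respond(GLOBAL_KEY, challenge)),
        "strong_accepts_enrolled": strong.verify("ews-01", challenge, respond(ews_key, challenge)),
        "strong_rejects_global_key": not strong.verify("ews-01", challenge, respond(GLOBAL_KEY, challenge)),
    }
    strong.revoke("ews-01")  # a per-peer secret can be withdrawn individually
    out["strong_rejects_after_revoke"] = not strong.verify("ews-01", challenge, respond(ews_key, challenge))
    return out
```

With a single embedded key there is nothing to revoke short of changing every installation, which is why the shared-key controller has no `revoke` method at all.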

Once they have connected to the PLC, an attacker on the targeted organization’s network — or malware — can upload malicious code to the controller, download information from the device, or install new firmware. Claroty pointed out that exploitation of the vulnerability could directly impact a manufacturing process.

Claroty said it reported the issue to Rockwell back in 2019. It’s unclear when the others informed the vendor about the vulnerability.

Rockwell has advised customers to implement mitigations to reduce the risk of exploitation, including putting controllers into “Run mode,” deploying CIP Security to prevent unauthorized connections, and updating the controller firmware. It has also shared information for detecting potentially malicious changes and making general security improvements.

Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files

Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks

Related: DoS Vulnerabilities Found in Rockwell’s FactoryTalk Linx and RSLinx Classic Products

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
