Industrial organizations have been warned this week that a critical authentication bypass vulnerability can allow hackers to remotely compromise programmable logic controllers (PLCs) made by industrial automation giant Rockwell Automation.
The vulnerability, tracked as CVE-2021-22681 with a CVSS score of 10, was independently reported to Rockwell by researchers at the Soonchunhyang University in South Korea, Kaspersky, and industrial cybersecurity firm Claroty.
Advisories for this flaw were published this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Rockwell (account required). Claroty has also released a blog post with a high-level description of its findings.
The vulnerability impacts Studio 5000 Logix Designer (formerly RSLogix 5000), the popular design and configuration software for PLCs, as well as over a dozen CompactLogix, ControlLogix, DriveLogix, Compact GuardLogix, GuardLogix, and SoftLogix controllers.
The problem is related to the Logix Designer software using a private cryptographic key to verify communications with controllers. This key is not sufficiently protected, allowing a remote, unauthenticated attacker to bypass the verification mechanism and connect to the controller by mimicking an engineering workstation.
Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series
Once they have connected to the PLC, an attacker on the targeted organization’s network — or malware — can upload malicious code to the controller, download information from the device, or install new firmware. Claroty pointed out that exploitation of the vulnerability could directly impact a manufacturing process.
Claroty said it reported the issue to Rockwell back in 2019. It’s unclear when the others informed the vendor about the vulnerability.
Rockwell has advised customers to implement mitigations to reduce the risk of exploitation, including putting controllers into “Run mode,” deploying CIP Security to prevent unauthorized connections, and updating the controller firmware. It has also shared information for detecting potentially malicious changes and making general security improvements.
Related: Hackers Can Target Rockwell Industrial Software With Malicious EDS Files
Related: Flaws in Rockwell Automation Product Expose Engineering Workstations to Attacks
Related: DoS Vulnerabilities Found in Rockwell’s FactoryTalk Linx and RSLinx Classic Products

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
- Verizon 2023 DBIR: Human Error Involved in Many Breaches, Ransomware Cost Surges
- Google Patches Third Chrome Zero-Day of 2023
- Ransomware Group Used MOVEit Exploit to Steal Data From Dozens of Organizations
- Cybersecurity M&A Roundup: 36 Deals Announced in May 2023
- In Other News: Government Use of Spyware, New Industrial Security Tools, Japan Router Hack
Latest News
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
- OWASP’s 2023 API Security Top 10 Refines View of API Risks
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
