CVE-2021-22681:
Authentication Bypass Vulnerability in Rockwell Automation Studio 5000 Logix Designer and RSLogix 5000
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:Mar 3, 2021
- CISA KEV Date:Mar 5, 2026
- Industries Affected:20
1828 DaysThreat Predictions
- EPSS Score:12.9
- EPSS Percentile:94%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Authentication Bypass Vulnerability in Rockwell Automation Studio 5000 Logix Designer and RSLogix 5000
Overview
This vulnerability affects the authentication mechanism between Rockwell Automation's programming software and their industrial controllers. The affected software includes Studio 5000 Logix Designer (v21+) and RSLogix 5000 (v16-20), which are used to program and configure various Logix controllers. The vulnerability allows an attacker to bypass the key-based verification system that should ensure only authorized software can communicate with the controllers. This could enable unauthorized configuration changes, firmware uploads, or other potentially dangerous operations on critical industrial control systems. Given the widespread use of these products in manufacturing, utilities, and other industrial sectors, this vulnerability poses significant risks to operational technology environments.
Remediation
- 1. Update to the latest version of Studio 5000 Logix Designer or RSLogix 5000 that contains the security fix.
- 2. If immediate patching is not possible, implement network segmentation to isolate control system networks from business networks and the internet.
- 3. Use access control lists and firewall rules to restrict network access to authorized endpoints only.
- 4. Monitor network traffic for suspicious communications attempting to connect to Logix controllers.
- 5. Implement the principle of least privilege for all control system accounts and access.
- 6. Consider implementing a defense-in-depth security strategy as recommended by Rockwell Automation.
- 7. For detailed mitigation guidance, refer to the CISA advisory (ICSA-21-056-03).
References
- 1. CISA ICS Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-056-03
- 2. CWE-522: Insufficiently Protected Credentials
- 3. Rockwell Automation Product Security Advisory (refer to CISA advisory for details)
- 4. Affected Products:
- - Studio 5000 Logix Designer Versions 21 and later
- - RSLogix 5000 Versions 16 through 20
- - CompactLogix controllers (1768, 1769, 5370, 5380, 5480)
- - ControlLogix controllers (5550, 5560, 5570, 5580)
- - DriveLogix controllers (5560, 5730, 1794-L34)
- - Compact GuardLogix controllers (5370, 5380)
- - GuardLogix controllers (5570, 5580)
- - SoftLogix controllers (5800)
Armis Early Warning
Armis Early Warning provides proactive threat intelligence and early detection capabilities.Click here to learn more.
- Armis Alert Date:*No Data*
- CISA KEV Date:Mar 5, 2026
- Days Early:1828 Days
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
