What happened
CISA added CVE-2021-22681 (Rockwell “Multiple Products” Insufficiently Protected Credentials) to the Known Exploited Vulnerabilities catalog on 2026-03-05, signaling confirmed in-the-wild exploitation [CISA KEV]. CISA’s entry sets a remediation due date of 2026-03-26 and directs owners to apply vendor mitigations, follow BOD 22-01 guidance for cloud services, or discontinue use of affected products if no mitigations exist [CISA KEV].
The flaw centers on credential protection in Rockwell’s ecosystem: Studio 5000 Logix Designer may allow discovery of a key used to verify that Logix controllers are communicating with Rockwell Automation design software, so an unauthorized application that obtains the key can connect to controllers [CISA ICS advisory]. Exploitation requires network access to the controller, making segmentation and access control pivotal in OT environments [CISA ICS advisory].
NVD classifies the issue under CWE-522 (Insufficiently Protected Credentials), aligning with the key-discovery vector described by CISA [NVD]. The MITRE CVE record confirms the vendor, product scope (“Multiple Products”), and vulnerability context for cross-reference and SBOM linkage [MITRE].
Why it matters
Logix controllers sit at the core of industrial control workflows; if an attacker can masquerade as trusted engineering software, they can establish connections to controllers that should only accept verified tooling, eroding the primary trust boundary in many OT networks [CISA ICS advisory]. CISA’s KEV inclusion elevates this from theoretical to observed exploitation, moving the risk rating from “possible” to “active” in production environments [CISA KEV].
Because attackers only need network reach to the controller, flat networks, shared VLANs, and improperly firewalled remote access increase both the blast radius and the speed of exploitation in mixed IT/OT plants [CISA ICS advisory]. The CWE-522 designation underscores that the root cause is credential handling rather than a protocol logic bug, which implies that compensating controls around identity, segmentation, and change management are effective even before full vendor remediation [NVD].
For asset owners, this shifts priority to three actions: verify that mitigations are applied, ensure controller networks are not directly reachable from IT segments, and monitor for anomalous engineering-tool connections to Logix assets [CISA KEV].
Technical detail
Per CISA, Studio 5000 Logix Designer may permit discovery of a key that verifies communications between design software and Logix controllers, creating an authentication-bypass path if the key is obtained [CISA ICS advisory]. Practically, the key acts like a credential presented by the client; once known, a non-Rockwell application can present it to initiate controller communications that should be reserved for trusted tools [CISA ICS advisory].
NVD maps the weakness to CWE-522 (Insufficiently Protected Credentials), indicating that the exposure stems from how the credential (the key) is stored and handled rather than from a transport confidentiality failure, which is consistent with the described discovery vector [NVD]. The MITRE record tracks this vulnerability across Rockwell “Multiple Products,” enabling integrators to align SBOMs and vulnerability scans with upstream identifiers for accurate inventory impact analysis [MITRE].
CISA states that an attacker must have network access to the controller to leverage the issue, so exploitation typically follows lateral movement or direct exposure of OT networks and services to untrusted segments [CISA ICS advisory]. As a result, the most reliable early-warning signals are unexpected controller-session attempts that emulate engineering-software behavior during verification handshakes, especially outside maintenance windows or from non-engineering hosts [CISA ICS advisory].
Defense
Immediate: follow CISA’s KEV directive: apply vendor mitigations, adhere to BOD 22-01 for cloud services, or discontinue affected products where fixes are unavailable by the stated due date [CISA KEV]. Network-control priority: restrict reachability to Logix controllers to authorized engineering workstations only, enforce strict firewall rules, and remove any direct internet exposure of OT assets [CISA ICS advisory].
Detection and hardening moves:
- Monitor for new or unscheduled connections that present as engineering software initiating controller communications, especially from atypical hosts or subnets [CISA ICS advisory].
- Baseline normal change windows and toolchains; alert on off-hours sessions or tool-identity anomalies in controller sessions to catch credential/key misuse attempts early [CISA ICS advisory].
- Validate the asset inventory against CVE-2021-22681 across “Multiple Products,” using CVE and NVD data to drive targeted remediation and compensating controls [MITRE].
Where patching or configuration fixes lag, compensate with aggressive segmentation, one-way data diodes where feasible, and jump hosts that enforce MFA and session recording on engineering access paths, reducing the chance that a discovered key alone is sufficient for controller access in practice [NVD].
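The first two detection moves above can be reduced to a simple policy check over flow records: any engineering-style session to a Logix controller is compared against an allowlist of engineering workstations and the plant’s maintenance window. The code below is an added illustration, not part of CISA’s advisory or any Rockwell tooling; it assumes EtherNet/IP explicit messaging on TCP/44818 (the standard CIP port), a flat `ts src dst dport` record format, and constructed sample records.

```python
"""Flag controller sessions that fall outside engineering-access policy.

Assumptions (not from the advisory): flow records are 'ts src dst dport' lines,
controllers accept engineering sessions on TCP/44818 (EtherNet/IP explicit
messaging), and the plant documents its engineering workstations and its
maintenance window. All addresses and records below are constructed samples.
"""
from datetime import datetime, time

ENGINEERING_WORKSTATIONS = {"10.10.5.20", "10.10.5.21"}  # assumed allowlist
LOGIX_CONTROLLERS = {"10.20.1.10", "10.20.1.11"}          # assumed inventory
CIP_PORT = 44818                                           # EtherNet/IP explicit messaging
MAINT_WINDOW = (time(8, 0), time(17, 0))                   # assumed change window (local)

SAMPLE_FLOWS = """\
2026-03-06T09:15:00 10.10.5.20 10.20.1.10 44818
2026-03-06T02:40:00 10.10.5.20 10.20.1.10 44818
2026-03-06T10:05:00 192.168.50.9 10.20.1.11 44818
2026-03-06T10:06:00 10.10.5.21 10.20.1.11 80
2026-03-06T11:00:00 10.10.5.21 10.20.1.11 44818
"""


def classify_flow(line):
    """Return a finding string for a suspicious controller session, else None."""
    ts_str, src, dst, dport = line.split()
    if dst not in LOGIX_CONTROLLERS or int(dport) != CIP_PORT:
        return None  # not an engineering-style session to a Logix controller
    ts = datetime.fromisoformat(ts_str)
    reasons = []
    if src not in ENGINEERING_WORKSTATIONS:
        reasons.append("source is not an approved engineering workstation")
    if not (MAINT_WINDOW[0] <= ts.time() <= MAINT_WINDOW[1]):
        reasons.append("session outside the maintenance window")
    if not reasons:
        return None
    return f"{ts_str} {src}->{dst}:{dport} : " + "; ".join(reasons)


def hunt(flow_text):
    """Run classify_flow over every non-empty record and collect the findings."""
    records = (l for l in flow_text.splitlines() if l.strip())
    return [f for f in map(classify_flow, records) if f]


if __name__ == "__main__":
    for finding in hunt(SAMPLE_FLOWS):
        print(finding)
```

On the sample records this yields two findings: the 02:40 session from an approved workstation (off-hours) and the in-hours session from 192.168.50.9 (unapproved host); the HTTP connection and the two in-policy sessions are ignored.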
Lyrie Verdict
This is an authentication-bypass-by-key-discovery issue against the verification step between Rockwell design software and Logix controllers, and it is being exploited now per CISA KEV [CISA KEV]. Lyrie hunts for unauthorized “engineering-tool” session initiation and verification patterns to Logix-class controllers and auto-quarantines flows from non-trusted hosts at machine speed, closing the window between lateral movement and controller access attempts [CISA ICS advisory]. By continuously modeling normal controller-communication handshakes and enforcing least-privilege pathways, Lyrie detects and blocks rogue automation, human- or AI-driven, before an attacker can leverage a discovered key to establish a controller session [NVD].