SOCRadar® Cyber Intelligence Inc. | CISA Flags Hikvision Camera & Rockwell Logix Vulnerabilities as Actively Exploited
Mar 06, 2026

CISA Flags Hikvision Camera & Rockwell Logix Vulnerabilities as Actively Exploited

Two long-standing vulnerabilities affecting Hikvision cameras and Rockwell Automation Logix environments are now urgent patch and mitigation priorities after being added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog.

The first, CVE-2017-7921, affects Hikvision IP cameras through an improper authentication weakness that can lead to sensitive data access and privilege escalation. The second, CVE-2021-22681, impacts Rockwell Automation’s Logix ecosystem and can let an attacker impersonate a “trusted” engineering workstation once they can extract or discover the verification key.

The timing is notable as geopolitical tensions involving the United States, Israel, and Iran continue to raise concerns about cyber activity targeting surveillance infrastructure and internet-connected cameras, which are often scanned and exploited during regional cyber operations.

This post explains what each issue is, what is exposed, how exploitation looks in practice, and what defenders should do now.

What Is CVE-2017-7921 in Hikvision Devices?

CVE-2017-7921 (CVSS 10) is an improper authentication vulnerability in certain Hikvision IP camera firmware. In practical terms, it enables an attacker to interact with the device in a way that bypasses expected authorization checks and can lead to privilege escalation and sensitive data access.

Details of CVE-2017-7921 (SOCRadar Vulnerability Intelligence)

For defenders, the key point is impact over theory: offensive tooling has been described as using this weakness to disclose device configuration details, credentials, and snapshots, which can quickly turn a “camera bug” into a foothold for broader network discovery and follow-on access.

Which Hikvision Models & Firmware Lines Are Affected?

The affected scope includes multiple Hikvision camera series and firmware ranges (for example, several DS-2CD and DS-2DF families). Hikvision’s advisory also lists fixed firmware builds, generally centered around V5.4.5 “Build 170xxx and later” depending on model line, with some lines referencing V5.4.9 Build 170123+ and similar build thresholds.

Because this CVE is frequently discussed in the context of exposed IoT fleets, prioritize any Hikvision devices that are:

  • Internet-facing
  • Exposed via management services you do not strictly need
  • Running older firmware with unclear patch status
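The prioritization criteria above can be turned into a simple inventory triage. The following is an added example, not SOCRadar's or Hikvision's code: it parses firmware strings of the form "V5.4.5 build 170124", compares them against a per-family "first fixed build" table, and ranks assets by exposure. The asset records, the two model-family prefixes and the threshold builds are constructed placeholders; the real fixed builds differ per model line and must be taken from Hikvision's advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class CameraAsset:
    host: str
    model: str
    firmware: str                     # as reported by the device, e.g. "V5.4.5 build 170124"
    internet_facing: bool
    exposed_mgmt_ports: Tuple[int, ...] = ()   # management ports seen from outside the IoT segment

# Hypothetical "first fixed build" per model family as (major, minor, patch, build).
# Placeholder values: confirm the real threshold for each model line against Hikvision's advisory.
FIXED_BUILDS = {
    "DS-2CD": (5, 4, 5, 170000),   # stands in for "V5.4.5 Build 170xxx and later"
    "DS-2DF": (5, 4, 9, 170123),   # stands in for "V5.4.9 Build 170123+"
}

_FW_RE = re.compile(r"V(\d+)\.(\d+)\.(\d+)\s*build\s*(\d{6})", re.IGNORECASE)

def parse_firmware(fw: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, build) or None when the string is not recognisable."""
    m = _FW_RE.search(fw)
    return tuple(int(g) for g in m.groups()) if m else None

def model_family(model: str) -> Optional[str]:
    for prefix in FIXED_BUILDS:
        if model.upper().startswith(prefix):
            return prefix
    return None

def patch_status(asset: CameraAsset) -> Optional[bool]:
    """True = at/after the fixed build, False = older, None = cannot tell (unknown family or firmware)."""
    fam = model_family(asset.model)
    ver = parse_firmware(asset.firmware)
    if fam is None or ver is None:
        return None
    # Tuple comparison orders by version first, then by build date, so a newer
    # minor version with a lower build number still counts as fixed.
    return ver >= FIXED_BUILDS[fam]

def priority(asset: CameraAsset) -> int:
    """Higher score = fix first. Unknown patch status is treated as risky, not as safe."""
    status = patch_status(asset)
    score = 0
    if status is None:
        score += 2          # unclear patch status: verify before assuming it is fixed
    elif status is False:
        score += 3          # confirmed vulnerable firmware
    if asset.internet_facing:
        score += 3
    if asset.exposed_mgmt_ports:
        score += 1
    return score

def triage(assets: List[CameraAsset]) -> List[CameraAsset]:
    return sorted(assets, key=priority, reverse=True)

# Constructed sample inventory; hostnames, models and firmware strings are illustrative.
SAMPLE_INVENTORY = [
    CameraAsset("cam-a", "DS-2CD2042WD", "V5.4.0 build 160401", True, (80, 8000)),
    CameraAsset("cam-b", "DS-2CD2042WD", "V5.4.5 build 170124", False),
    CameraAsset("cam-c", "DS-2DF8223I",  "V5.4.9 build 170123", False, (8000,)),
    CameraAsset("cam-d", "DS-2DF8223I",  "V5.4.5 build 170124", True),
    CameraAsset("cam-e", "DS-2CD2T42",   "unknown", False),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_INVENTORY):
        print(f"{priority(a):>2}  {a.host:<6} {a.model:<14} patched={patch_status(a)}")
```

Note that cam-d runs a build newer than the DS-2CD threshold but older than the DS-2DF one, which is why per-family thresholds matter; and cam-e, whose firmware string cannot be parsed, is ranked above the confirmed-fixed devices rather than silently dropped.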

What Is CVE-2021-22681 in Rockwell Logix Environments?

CVE-2021-22681 (CVSS 9.8) affects Rockwell Automation’s Studio 5000 Logix Designer / RSLogix 5000 communications trust model with Logix controllers. The engineering software and controllers rely on a key used to verify communications. If an attacker can discover or extract that key, they may be able to bypass the verification mechanism and connect to controllers as if they were an authorized workstation. Rockwell’s own threat model includes an important constraint: the attacker must have network access to the controller. In OT terms, that typically means the difference between an internet-wide issue and a segmentation and zone-boundary issue, but it can still be high impact if the ICS network is reachable.

Details of CVE-2021-22681 (SOCRadar Vulnerability Intelligence)

Which Rockwell Software & Controller Families Are Affected?

CVE-2021-22681 affects:

  • RSLogix 5000 v16–20
  • Studio 5000 Logix Designer v21+
  • FactoryTalk Security (part of FactoryTalk Services Platform) v2.10+, when configured and deployed

The affected controller families list is broad and includes CompactLogix and ControlLogix families among others. If your environment includes Logix controllers and relies on typical engineering workstation workflows, you should treat this as an ecosystem-level exposure question rather than a single “one box” patch cycle.

Is There Active Exploitation or Public PoC Code?

As of March 5, 2026, both vulnerabilities are KEV-listed, which indicates CISA has evidence of real-world exploitation. KEV inclusion is a strong prioritization signal for most vulnerability management programs, even when public technical details are limited.

For CVE-2017-7921, there is additional context from U.S. government reporting that describes HiatusRAT actors scanning for CVE-2017-7921 during a March 2024 campaign targeting web cameras and DVRs, including Hikvision devices.

Is There a Public PoC?

  • CVE-2017-7921: Yes. Public exploit references exist, including a Metasploit module described as supporting info disclosure actions (configuration, credentials, snapshots). Public GitHub PoCs also exist.
  • CVE-2021-22681: Historically, CISA ICS advisory language stated there were no known public exploits specifically targeting it at the time of publication. As of March 2026, it is KEV-listed (so it is being exploited), but a widely accepted “canonical” public PoC comparable to Metasploit coverage for CVE-2017-7921 is not clearly established.

What Should Defenders Do Now?

CVE-2017-7921 (Hikvision):

  1. Upgrade firmware to Hikvision’s resolved versions for each affected model line (this is the primary fix).
  2. Reduce exposure by removing unnecessary internet reachability and disabling unneeded services.
  3. Segment and isolate IoT devices so a compromised camera cannot become a pivot point.
  4. Reset and rotate credentials where appropriate, especially if you cannot confirm prior exposure.

If you manage large camera fleets, treat this like a credential and configuration exposure problem, not only a “single-device CVE.”

CVE-2021-22681 (Rockwell Logix):

Rockwell’s guidance indicates this issue cannot be mitigated with a patch, so you need compensating controls.

  1. Restrict network reachability to controllers, including blocking or tightly controlling access to TCP 44818 outside the ICS zone.
  2. Implement segmentation so engineering protocols cannot be reached from IT networks or untrusted zones.
  3. Deploy CIP Security where feasible, or use the 1783-CSP CIP Security Proxy for certain CompactLogix scenarios (per Rockwell guidance).
  4. Harden operational controls, for example by setting the controller mode switch to “Run” where that aligns with your operational requirements.
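Because the Rockwell issue is handled with compensating controls rather than a patch, the segmentation rules in steps 1 and 2 are worth verifying continuously from logs. The following is an added example, not Rockwell's or SOCRadar's tooling: it reads key=value firewall log lines and flags allowed TCP 44818 sessions that reach a controller from outside the ICS zone, or from an ICS host that is not a known engineering workstation. The zone ranges, the workstation allow-list and the log lines are constructed for the example; adapt the parser to your firewall's real format.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed zone layout (constructed): the ICS zone holds controllers and engineering workstations.
ICS_ZONES = [ipaddress.ip_network("10.50.0.0/16")]
# Hosts expected to open EtherNet/IP sessions to controllers (constructed allow-list).
EWS_ALLOWLIST = {ipaddress.ip_address("10.50.1.10")}
ENIP_PORT = 44818   # TCP port the post says to restrict outside the ICS zone

# Constructed sample firewall log; one event per line.
SAMPLE_LOG = """\
2026-03-05T10:01:02Z action=allow proto=tcp src=10.50.1.10 dst=10.50.20.5 dport=44818
2026-03-05T10:01:05Z action=allow proto=tcp src=10.20.3.44 dst=10.50.20.5 dport=44818
2026-03-05T10:02:11Z action=allow proto=tcp src=10.50.7.8 dst=10.50.20.6 dport=44818
2026-03-05T10:03:40Z action=deny proto=tcp src=192.0.2.77 dst=10.50.20.5 dport=44818
2026-03-05T10:04:00Z action=allow proto=tcp src=10.20.3.44 dst=10.50.20.5 dport=443
"""

def parse_line(line: str) -> Dict[str, object]:
    """Parse '<timestamp> key=value ...' into a dict with typed src/dst/dport."""
    ts, rest = line.split(" ", 1)
    kv = dict(field.split("=", 1) for field in rest.split())
    return {
        "ts": ts,
        "action": kv["action"],
        "proto": kv["proto"],
        "src": ipaddress.ip_address(kv["src"]),
        "dst": ipaddress.ip_address(kv["dst"]),
        "dport": int(kv["dport"]),
    }

def in_ics_zone(ip: ipaddress._BaseAddress) -> bool:
    return any(ip in net for net in ICS_ZONES)

def classify(ev: Dict[str, object]) -> Optional[str]:
    """Return a finding tag for EtherNet/IP traffic towards the ICS zone, or None if unremarkable."""
    if ev["proto"] != "tcp" or ev["dport"] != ENIP_PORT or not in_ics_zone(ev["dst"]):
        return None
    if ev["action"] != "allow":
        # The boundary did its job; still worth counting as an attempt against step 1.
        return "blocked_external_enip"
    if not in_ics_zone(ev["src"]):
        # Engineering protocol reached from another zone: step 2 segmentation gap.
        return "cross_zone_enip"
    if ev["src"] not in EWS_ALLOWLIST:
        # Inside the zone but not a sanctioned workstation: review the source host.
        return "unexpected_ics_source"
    return None

def scan(log_text: str) -> List[Tuple[str, str, str]]:
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        tag = classify(ev)
        if tag:
            findings.append((tag, str(ev["src"]), str(ev["dst"])))
    return findings

if __name__ == "__main__":
    for tag, src, dst in scan(SAMPLE_LOG):
        print(f"{tag:<24} {src} -> {dst}:{ENIP_PORT}")
```

The allowed session from 10.20.3.44 is the one that matters most: a host outside the ICS zone reaching a controller on TCP 44818 is exactly the reachability that CVE-2021-22681 requires, so an alert on "cross_zone_enip" is a direct check that step 1 is actually enforced.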

Finally, align timelines to the KEV-driven urgency: the KEV entry dates (March 5, 2026) and remediation due date (March 26, 2026) give a clear window for prioritization, exception handling, and compensating control validation.

How SOCRadar Helps Track Exploited Vulnerabilities

When vulnerabilities appear in the CISA KEV catalog, security teams often face a race against time to determine whether their organization is exposed and whether active exploitation is targeting their sector.

SOCRadar’s Cyber Threat Intelligence (CTI) and Attack Surface Management (ASM) modules help teams monitor exploitation activity tied to KEV-listed vulnerabilities. The platform aggregates threat intelligence from attacker infrastructure, underground sources, and vulnerability intelligence feeds to identify when specific CVEs begin appearing in active campaigns.

SOCRadar’s ASM module, Company Vulnerabilities

With SOCRadar’s insights, defenders can:

  • Correlate exploited vulnerabilities with exposed assets
  • Track emerging exploitation activity related to vulnerabilities like CVE-2017-7921 and CVE-2021-22681
  • Monitor threat actor discussions and tooling references linked to newly exploited CVEs
  • Prioritize patching and mitigation based on real-world attacker behavior rather than severity scores alone

By combining vulnerability intelligence with threat context, security teams can better understand which KEV-listed vulnerabilities pose the most immediate risk to their environment and respond faster.