CVE-2021-22681 – Rockwell Logix Controllers Authentication Bypass


What is CVE-2021-22681?

CVE-2021-22681 is an authentication bypass issue in Rockwell Automation Logix engineering workflows caused by an insufficiently protected verification credential. Rockwell states that Studio 5000 Logix Designer uses a key to verify communications with certain Logix controllers, but a remote, unauthenticated attacker may be able to bypass that verification and authenticate to the controller. If exploitation is successful, an unauthorized third-party tool could potentially make changes to controller configuration and/or application code. While the underlying issue is widely described as an architectural/protocol-level weakness, Rockwell’s public guidance focuses on compensating controls rather than a traditional “patch fixes it” model.


What is Affected By CVE-2021-22681?

CVE-2021-22681 affects specific Rockwell engineering software lines and multiple Logix controller families used in industrial environments. The affected scope includes RSLogix 5000 and Studio 5000 Logix Designer versions used to connect to impacted controllers, plus FactoryTalk Security when it is configured and deployed as part of the FactoryTalk Services Platform. In practice, exposure risk increases when engineering paths to controllers are reachable over routed or remote networks without strong segmentation and controls.

Affected products (as described by Rockwell/CISA) include:

  • Software

    • RSLogix 5000: v16–v20

    • Studio 5000 Logix Designer: v21 and later

    • FactoryTalk Security (FactoryTalk Services Platform) when configured/deployed: v2.10 and later

  • Controllers (Logix families)

    • CompactLogix: 1768, 1769, 5370, 5380, 5480

    • ControlLogix: 5550, 5560, 5570, 5580

    • DriveLogix / related: 5560, 5730, 1794-L34

    • Compact GuardLogix: 5370, 5380

    • GuardLogix: 5570, 5580

    • SoftLogix: 5800

Mitigation and Remediation For CVE-2021-22681

Rockwell’s guidance emphasizes mitigations and defense-in-depth because it states the vulnerability cannot be fully addressed with a patch. In its advisory, Rockwell explicitly indicates this issue is not mitigated via a patch and directs customers to apply risk mitigation measures and monitoring controls instead. Where feasible, follow Rockwell’s product-family guidance to harden engineering connections (including CIP Security and related tooling) and reduce the blast radius of any unauthorized access path. CISA also recommends standard ICS defensive practices such as strict segmentation, no direct Internet exposure, and secure remote access patterns.

Recommended actions and compensating controls include:

  • Reduce reachability

    • Ensure controllers/engineering workstations are not accessible from the Internet

    • Place control networks behind firewalls and isolate them from business networks

    • When remote access is required, use VPNs and keep VPN infrastructure fully updated

  • Harden engineering connections

    • Deploy CIP Security (including guidance for front-port vs. module-based approaches where applicable)

    • Consider 1756-EN4TR (ControlLogix EtherNet/IP module) to support CIP Security in architectures that need it

    • Install 1783-CSP CIP Security Proxy to provide a more secure path between the engineering workstation and the controller

    • Where applicable for specific families/versions, set the controller mode switch to “Run” and follow Rockwell’s version-specific guidance

  • Detect and investigate unauthorized change

    • Monitor controller change logs for unexpected modifications

    • Use Controller Log features (where available) and Change Detection capabilities in Logix Designer (where supported)

    • If available in your environment, use FactoryTalk AssetCentre change detection/auditing to alert on unauthorized modifications

Impact of Successful Exploitation of CVE-2021-22681

Successful exploitation can enable unauthorized access to Logix controllers and potentially allow changes to control logic or configuration. Rockwell’s advisory notes that an attacker who bypasses the verification mechanism may authenticate and then use unauthorized tooling to modify controller configuration and/or application code, which can directly affect industrial processes. If FactoryTalk Security is being relied upon for access control within RSLogix 5000/Studio 5000, Rockwell warns this issue may allow an attacker to bypass those protections after an initial authorization path is achieved. Rockwell also flags the issue as a Known Exploited Vulnerability (KEV) in its advisory updates, which should raise prioritization for organizations with exposed engineering paths.

Common real-world impact scenarios include:

  • Unauthorized controller access (authentication bypass) leading to:

    • Changes to logic, setpoints, or configuration

    • Disruption of operations (unexpected stops/starts, process instability)

    • Compromise of integrity of safety/quality-related automation outcomes (environment-dependent)

  • Loss of trust in engineering controls

    • Potential circumvention of controls typically enforced through engineering software + security platform configuration

  • Increased incident response burden

    • Need for deeper forensics and change auditing to re-establish known-good controller states

Proof of Concept for CVE-2021-22681

Public write-ups describe the vulnerable condition, but defenders should treat "PoC" activity as exposure validation, not exploitation. Rockwell and CISA documentation focuses on how an unauthenticated actor could bypass the verification mechanism; safe validation, however, only needs to establish whether EtherNet/IP (TCP/UDP 44818) is reachable from a given network position and whether the devices answering identify as affected Logix families. The examples below are intended for authorized, defensive testing to help identify exposed assets and confirm that segmentation and compensating controls are in place. For asset identification, Nmap's enip-info script and pycomm3's identity query (a read-only CIP List Identity request) are commonly used building blocks.


Example 1 (defensive): identify EtherNet/IP devices exposed on TCP 44818

# Defensive validation only: identify hosts exposing EtherNet/IP and read basic identity info
# (TCP connect scan, no host discovery; the NSE script sends a CIP List Identity request)
nmap -Pn -sT -p 44818 --script enip-info <target-ip-or-subnet>

Example 2 (defensive): query device identity with pycomm3 (no exploit, no write actions)

from pycomm3 import CIPDriver

target = "192.0.2.10"  # replace with an authorized target PLC IP
with CIPDriver(target) as drv:
    # Read-only identity query (CIP List Identity); no tags are read or written
    print(drv.list_identity())

If these checks succeed across networks where they should not, treat that as a signal to tighten segmentation, apply Rockwell’s CIP Security / proxy guidance, and enable change monitoring so unauthorized modifications are detectable.
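The following is an added example (not WNE Security's, Rockwell's or pycomm3's code) that builds on the identity query in Example 2 and on the "Detect and investigate unauthorized change" recommendations above. It takes identity records in the dictionary shape pycomm3's CIPDriver.list_identity() returns (keys such as vendor, product_name, revision, serial, ip_address; that field layout is an assumption), maps the catalog number at the start of product_name onto the Logix families listed as affected, and compares two sweeps to flag firmware, serial or product changes. The catalog-prefix-to-family mapping (for instance 1756-L8x for ControlLogix 5580, a trailing "S" for the GuardLogix safety variant) is an assumption drawn from common Rockwell catalog numbering, and the sample records are constructed.

```python
"""Classify EtherNet/IP identity records against the Logix families listed for
CVE-2021-22681 and flag drift between two inventory sweeps.

Added example; record shape mirrors pycomm3's list_identity() output
(assumed), and the prefix-to-family table is an assumption based on
common Rockwell catalog numbering. Nothing here talks to a controller.
"""
import re
from typing import Dict, List

# Catalog-number prefix -> family from the advisory's affected list (assumed mapping).
AFFECTED_PREFIXES: Dict[str, str] = {
    "1768-L": "CompactLogix 1768",
    "1769-L3": "CompactLogix 5370",
    "1769-L": "CompactLogix 1769",
    "5069-L3": "CompactLogix 5380",
    "5069-L4": "CompactLogix 5480",
    "1756-L1": "ControlLogix 5550",
    "1756-L5": "ControlLogix 5550",
    "1756-L6": "ControlLogix 5560",
    "1756-L7": "ControlLogix 5570",
    "1756-L8": "ControlLogix 5580",
    "1794-L34": "DriveLogix / related (1794-L34)",
    "1789-L": "SoftLogix 5800",
}
# Longest prefix first so "1769-L3" (5370) is tried before the generic "1769-L".
_PREFIXES_BY_LENGTH = sorted(AFFECTED_PREFIXES, key=len, reverse=True)
_CATALOG_RE = re.compile(r"^(\d{4}-[A-Z0-9]+)")   # e.g. "1756-L81E" from "1756-L81E/B LOGIX5581E"
_ROCKWELL_VENDOR_ID = 1                            # CIP vendor ID 1 = Rockwell Automation/Allen-Bradley


def _is_rockwell(vendor) -> bool:
    """pycomm3 decodes the vendor to a string; raw CIP replies carry the integer ID."""
    if isinstance(vendor, int):
        return vendor == _ROCKWELL_VENDOR_ID
    text = str(vendor)
    return "Rockwell" in text or "Allen-Bradley" in text


def classify(identity: dict) -> dict:
    """Return {'ip', 'catalog', 'family', 'affected'} for one identity record."""
    match = _CATALOG_RE.match(str(identity.get("product_name", "")))
    catalog = match.group(1) if match else None
    result = {"ip": identity.get("ip_address"), "catalog": catalog,
              "family": None, "affected": False}
    if catalog is None or not _is_rockwell(identity.get("vendor")):
        return result
    for prefix in _PREFIXES_BY_LENGTH:
        if catalog.startswith(prefix):
            family = AFFECTED_PREFIXES[prefix]
            # A trailing "S" on the catalog number marks the safety (GuardLogix) variant.
            if catalog.endswith("S"):
                family = (family.replace("CompactLogix", "Compact GuardLogix")
                                .replace("ControlLogix", "GuardLogix"))
            result.update(family=family, affected=True)
            break
    return result


def inventory(identities: List[dict]) -> List[dict]:
    """Keep only the records that resolve to an affected Logix family."""
    return [c for c in (classify(i) for i in identities) if c["affected"]]


_TRACKED = ("product_name", "revision", "serial")


def baseline_drift(baseline: List[dict], current: List[dict]) -> Dict[str, List[str]]:
    """Compare two sweeps keyed by IP; returns {ip: [what changed]}.

    A coarse change-detection signal (firmware revision, hardware swap, new or
    vanished device) to use alongside the controller change log, not instead of it.
    """
    base = {r["ip_address"]: r for r in baseline}
    cur = {r["ip_address"]: r for r in current}
    drift: Dict[str, List[str]] = {}
    for ip in sorted(set(base) | set(cur)):
        if ip not in cur:
            drift[ip] = ["missing"]
        elif ip not in base:
            drift[ip] = ["new device"]
        else:
            changed = [f for f in _TRACKED if base[ip].get(f) != cur[ip].get(f)]
            if changed:
                drift[ip] = changed
    return drift


# Constructed sample sweeps (not real devices); vendor strings follow pycomm3's decoding.
_RA = "Rockwell Automation/Allen-Bradley"
SAMPLE = [
    {"ip_address": "192.0.2.10", "vendor": _RA, "product_name": "1756-L81E/B LOGIX5581E",
     "revision": "32.11", "serial": "00c0ffee"},
    {"ip_address": "192.0.2.11", "vendor": _RA, "product_name": "1769-L33ERMS/A Compact GuardLogix5370",
     "revision": "30.11", "serial": "0badf00d"},
    {"ip_address": "192.0.2.12", "vendor": _RA, "product_name": "1756-EN4TR/A",
     "revision": "3.1", "serial": "abcdef01"},
    {"ip_address": "192.0.2.13", "vendor": "Some Other Vendor", "product_name": "1756-L81E",
     "revision": "1.0", "serial": "ffffffff"},
]
SAMPLE_LATER = [
    dict(SAMPLE[0], revision="33.11"),   # firmware changed since the baseline sweep
    SAMPLE[1], SAMPLE[2],                # 192.0.2.13 no longer answers
    {"ip_address": "192.0.2.99", "vendor": _RA, "product_name": "1756-L85E/B LOGIX5585E",
     "revision": "32.11", "serial": "12345678"},
]

if __name__ == "__main__":
    for finding in inventory(SAMPLE):
        print(f"{finding['ip']}: {finding['catalog']} -> {finding['family']}")
    print("drift:", baseline_drift(SAMPLE, SAMPLE_LATER))
```

In practice the input lists would be collected with list_identity() from an authorized engineering workstation, once per network position where controllers should and should not be reachable; a non-empty inventory from a position that should be segmented off is the exposure signal, and a non-empty drift report is a prompt to check the controller change log and Logix Designer change detection for the corresponding device.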
