CISA — the US government's cybersecurity agency — has added two critical vulnerabilities to its Known Exploited Vulnerabilities catalog, a list reserved for security flaws with confirmed real-world exploitation. The two flaws score a perfect 9.8 out of 10 on the severity scale and affect products found in millions of facilities worldwide: Hikvision IP cameras and Rockwell Automation industrial control systems. What makes this particularly alarming is that one of these vulnerabilities, the Hikvision flaw, has been known since 2017 — nearly a decade old — and systems are still being exploited because organizations never patched them. If you use Hikvision cameras or Rockwell industrial equipment, this requires your immediate attention.
Affected products
- Hikvision IP cameras and DVRs (CVE-2017-7921)
- Rockwell Automation Studio 5000 Logix Designer
- Rockwell Automation RSLogix 5000
- Rockwell Automation Logix Controllers (CVE-2021-22681)
How to Fix
Step-by-step remediation
For Hikvision users — log into your camera management console and check current firmware versions against the latest available on Hikvision's support portal. Any camera running outdated firmware should be updated immediately. More importantly, check whether any Hikvision devices are directly accessible from the internet — use Shodan or your firewall logs to verify. Cameras should never be directly internet-facing. Place them behind a VPN or firewall requiring authentication before any access is granted.
For Rockwell Automation users — consult the ICS-CERT advisory for your specific product versions and apply available patches. Restrict who and what can communicate with your Logix controllers using firewalls, allowlists, and jump hosts. Monitor for any unauthorized programming or configuration changes on controllers.
For all organizations — treat the March 26, 2026 CISA deadline as your target even if you are not a federal agency. The KEV catalog is the clearest possible signal that attackers are actively looking for these vulnerabilities.
What happened
Two separate vulnerabilities are involved here. CVE-2017-7921 is an improper authentication flaw in Hikvision cameras and DVRs. Improper authentication means an attacker can bypass the login process entirely — accessing camera feeds, configuration settings, stored credentials, and in some cases escalating to full device control without knowing any password. This vulnerability has had a public Metasploit exploit module available for years, meaning automated tools can find and attack vulnerable cameras with minimal effort.
CVE-2021-22681 affects Rockwell Automation's Logix ecosystem — industrial engineering software and programmable logic controllers used in manufacturing plants, utilities, and critical infrastructure. The flaw involves insufficiently protected credentials that allow an attacker to impersonate a trusted engineering workstation, potentially enabling unauthorized access to modify controller logic and configuration — exactly the kind of access that could cause physical damage in industrial environments.
Real-World Impact
CISA's decision to add vulnerabilities to the KEV catalog is significant — it means they have evidence of active exploitation happening right now, not theoretical risk. For the Hikvision flaw specifically, government reporting has linked HiatusRAT — a sophisticated threat actor — to active scanning campaigns targeting CVE-2017-7921 on internet-exposed cameras and DVRs. The geopolitical timing is also notable: with ongoing tensions in multiple regions, surveillance infrastructure like cameras is a known target for nation-state actors looking for persistent access or intelligence gathering. For the Rockwell flaw, exploitation in industrial environments carries severe consequences beyond data theft — attackers with access to programmable logic controllers can potentially disrupt physical operations, shut down production lines, or cause equipment damage.
Technical Details
🛡️ Prevention Tips
Never expose industrial control systems or security cameras directly to the internet. Conduct regular audits of your network to identify any OT or IoT devices with external-facing access. Subscribe to CISA's KEV catalog updates — free email alerts are available at cisa.gov. Maintain an accurate inventory of all connected devices including cameras and industrial equipment so you know immediately when a CVE affects something in your environment. Apply firmware and software updates to cameras and industrial systems on the same priority schedule as servers and workstations — these devices are just as exploitable and far less frequently patched.
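One way to act on the inventory and KEV advice above, as an added example that is not part of the original article: it matches a constructed asset inventory against a constructed excerpt shaped like CISA's KEV JSON feed (fields `cveID`, `vendorProject`, `product`, `dueDate`) and ranks what to fix first. Host names and the `oem`, `internet_facing` and `fixed_cves` inventory fields are assumptions; the CVE IDs and due date are the ones the article gives.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. CVE IDs, products and
# the due date are the ones named in the article; nothing else is real data.
KEV_EXCERPT = [
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
     "product": "IP cameras and DVRs", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
     "product": "Logix Controllers", "dueDate": "2026-03-26"},
]

# Constructed inventory (hypothetical hosts and field names). "oem" records the
# real manufacturer of a white-label device; "fixed_cves" lists verified fixes.
INVENTORY = [
    {"host": "cam-lobby-01", "vendor": "Hikvision", "internet_facing": True},
    {"host": "cam-dock-02", "vendor": "ExampleBrand", "oem": "Hikvision",
     "internet_facing": False},
    {"host": "cam-gate-03", "vendor": "Hikvision", "internet_facing": False,
     "fixed_cves": ["CVE-2017-7921"]},
    {"host": "plc-line-3", "vendor": "Rockwell  Automation",
     "internet_facing": False},
    {"host": "printer-2f", "vendor": "OtherVendor", "internet_facing": False},
]

def normalize(name):
    """Lower-case and collapse whitespace so vendor spellings compare equal."""
    return " ".join((name or "").lower().split())

def triage(inventory, kev, today):
    """Return unremediated KEV matches, internet-facing and nearest due first."""
    by_vendor = {}
    for entry in kev:
        by_vendor.setdefault(normalize(entry["vendorProject"]), []).append(entry)
    findings = []
    for asset in inventory:
        # Match on the label brand and on the OEM behind a white-label device.
        makers = {normalize(asset.get("vendor")), normalize(asset.get("oem"))}
        for maker in sorted(makers - {""}):
            for entry in by_vendor.get(maker, []):
                if entry["cveID"] in asset.get("fixed_cves", ()):
                    continue  # remediation already verified for this CVE
                days_left = (date.fromisoformat(entry["dueDate"]) - today).days
                findings.append({"host": asset["host"], "cve": entry["cveID"],
                                 "internet_facing": asset["internet_facing"],
                                 "days_left": days_left,
                                 "overdue": days_left < 0})
    findings.sort(key=lambda f: (not f["internet_facing"], f["days_left"], f["host"]))
    return findings

if __name__ == "__main__":
    for finding in triage(INVENTORY, KEV_EXCERPT, date(2026, 3, 20)):
        print(finding)
```

Vendor-level matching over-reports by design: confirm each hit against the model and firmware or software version listed in the vendor advisory before closing it out.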
FAQs
I have Hikvision cameras at my home or small business — am I at risk?
Yes, if your cameras are accessible over the internet without a VPN. The most important step is ensuring your cameras are not directly internet-facing. Check your router settings and ensure camera access requires VPN authentication.
CVE-2017-7921 is from 2017 — why is it still being exploited in 2026?
Because millions of Hikvision devices were never patched. Camera firmware updates are frequently ignored because people don't think of cameras as computers that need patching. Attackers know this and specifically target old, unpatched devices.
Does this affect Hikvision cameras sold under other brand names?
Yes — Hikvision manufactures cameras sold under many white-label brands. If you're unsure whether your cameras are Hikvision-based, check the device management interface or contact your supplier.