CISA Adds Hikvision and Rockwell CVSS 9.8 Flaws to KEV Catalog
Federal agencies must patch CVE-2017-7921 and CVE-2021-22681 by March 26. Hikvision cameras face active exploitation; Rockwell PLCs at risk.
CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on March 5, including two critical-severity flaws in Hikvision cameras and Rockwell Automation industrial controllers. Both carry CVSS scores of 9.8.
Federal agencies must remediate by March 26, 2026, under Binding Operational Directive 22-01. But the real concern extends far beyond government networks—these vulnerabilities affect surveillance systems and programmable logic controllers deployed across manufacturing, utilities, and critical infrastructure worldwide.
The Hikvision Vulnerability
CVE-2017-7921 is an improper authentication vulnerability affecting multiple Hikvision products. Successful exploitation allows attackers to escalate privileges and access sensitive information, including video feeds and device configurations.
The SANS Internet Storm Center first documented active exploitation attempts against Hikvision cameras susceptible to this flaw back in October 2025. That makes this KEV addition a formalization of what security teams should have been monitoring for months.
Hikvision cameras are everywhere. The company holds significant market share in surveillance systems globally, with installations spanning:
- Corporate offices and retail environments
- Critical infrastructure facilities
- Government buildings (despite bans in some jurisdictions)
- Residential security systems
An attacker compromising these devices gains more than video access. Cameras often sit on internal network segments, providing pivot points for lateral movement. They can also serve as persistent backdoors—firmware updates are infrequent, and security monitoring typically ignores IoT devices.
The Rockwell Automation Vulnerability
CVE-2021-22681 affects Rockwell Automation's Studio 5000 Logix Designer, RSLogix 5000, and Logix Controllers. The insufficiently protected credentials vulnerability allows unauthorized users with network access to bypass verification mechanisms and authenticate with controllers.
Once authenticated, attackers can alter controller configurations and application code—effectively reprogramming the industrial processes these devices manage.
Unlike the Hikvision flaw, there's no public report of active CVE-2021-22681 exploitation. CISA's KEV addition may reflect non-public intelligence or assessment of imminent risk to critical infrastructure.
The vulnerability's severity stems from what PLCs control: manufacturing assembly lines, water treatment processes, power distribution systems. Code manipulation could cause physical damage, production disruptions, or safety incidents. This is the same class of risk we've seen in ICS/SCADA vulnerabilities affecting operational technology environments.
Other Vulnerabilities Added
CISA also added three Apple vulnerabilities to the KEV catalog:
- CVE-2021-30952: Integer overflow in multiple Apple products
- CVE-2023-41974: Use-after-free in iOS and iPadOS
- CVE-2023-43000: Use-after-free in multiple Apple products
These flaws affect Safari, macOS, iOS, and iPadOS, potentially enabling memory corruption through malicious web content.
Why This Matters
The Hikvision and Rockwell additions highlight the persistent challenge of legacy vulnerabilities. CVE-2017-7921 is nearly nine years old. CVE-2021-22681 is five years old. Both remain unpatched in significant deployments.
For IoT and OT devices, patching faces structural obstacles:
- Visibility gaps: Organizations often lack complete inventories of deployed cameras and controllers
- Operational constraints: Taking PLCs offline for updates requires production scheduling
- Vendor support: Older devices may lack patches entirely
- Fragmented ownership: Facilities management, not IT security, typically owns these systems
The ASML semiconductor data breach earlier this year demonstrated how overlooked industrial systems become attack vectors. These KEV additions reinforce that ICS and IoT security requires the same rigor as traditional IT infrastructure.
Recommended Actions
For Hikvision deployments:
- Identify all Hikvision devices on your network using asset discovery tools
- Check firmware versions against Hikvision's security advisories
- Update to patched firmware immediately
- Segment cameras onto isolated VLANs with restricted internet access
- Review access logs for authentication anomalies
For Rockwell Automation PLCs:
- Inventory all affected controllers (Studio 5000, RSLogix 5000, Logix Controllers)
- Apply Rockwell security patches
- Implement network segmentation between IT and OT environments
- Enable monitoring for unauthorized controller modifications
- Review and restrict network access to PLC management interfaces
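One way to turn the two inventory steps above into a repeatable triage check, as an added example (not code from the article, CISA, or either vendor): match a device inventory against KEV entries, compute days to the remediation deadline, and flag devices that still have unrestricted internet egress. The KEV records and the inventory are constructed samples; the record fields mirror those of CISA's public KEV JSON feed, and the dates are the ones the article states.

```python
from datetime import date

# Constructed sample shaped like entries in CISA's KEV JSON feed
# (the live feed wraps these in a top-level "vulnerabilities" list).
KEV_SAMPLE = [
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
     "product": "Cameras", "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
     "product": "Logix Controllers", "dateAdded": "2026-03-05", "dueDate": "2026-03-26"},
]

# Constructed asset inventory, as an asset-discovery tool might export it.
INVENTORY = [
    {"host": "cam-lobby-01", "vendor": "Hikvision", "internet_egress": True},
    {"host": "plc-line3", "vendor": "Rockwell Automation", "internet_egress": False},
    {"host": "nvr-02", "vendor": "Dahua", "internet_egress": True},
]


def match_kev(inventory, kev, today):
    """Return one finding per (asset, KEV entry) pair whose vendor matches,
    sorted so the most urgent deadline comes first."""
    findings = []
    for asset in inventory:
        for entry in kev:
            # Case-insensitive substring match on the vendor name; real
            # inventories need a vendor normalisation table in front of this.
            if entry["vendorProject"].lower() not in asset["vendor"].lower():
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "host": asset["host"],
                "cve": entry["cveID"],
                "days_left": days_left,
                "overdue": days_left < 0,
                # Compensating control from the article: a KEV-listed device
                # should not keep unrestricted internet access while unpatched.
                "isolate": asset["internet_egress"],
            })
    findings.sort(key=lambda f: (f["days_left"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in match_kev(INVENTORY, KEV_SAMPLE, date.today()):
        state = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        note = " - restrict egress now" if f["isolate"] else ""
        print(f"{f['host']}: {f['cve']} ({state}){note}")
```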
Frequently Asked Questions
Why is CISA adding these old vulnerabilities now?
KEV additions reflect evidence of active exploitation. The Hikvision flaw has documented attacks; the Rockwell addition may indicate intelligence suggesting imminent exploitation campaigns targeting industrial environments.
Does the March 26 deadline apply to my organization?
BOD 22-01 mandates apply only to Federal Civilian Executive Branch agencies. However, CISA strongly recommends all organizations prioritize KEV catalog vulnerabilities, as exploitation is confirmed or highly likely.
What if I can't patch by the deadline?
Implement compensating controls: network segmentation, enhanced monitoring, and restricting access to affected devices. Document your mitigation plan and accelerate patching as soon as operationally feasible.