Two Critical Security Flaws Added to CISA’s KEV List
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two serious security vulnerabilities affecting Hikvision surveillance devices and Rockwell Automation industrial software to its Known Exploited Vulnerabilities (KEV) catalog.
The decision comes after evidence showed that attackers are actively exploiting at least one of the flaws in real-world environments. Security officials say these vulnerabilities could allow unauthorized users to access sensitive systems or manipulate industrial operations.
Vulnerability in Hikvision Cameras Raises Security Concerns
One of the vulnerabilities, tracked as CVE-2017-7921, affects several Hikvision surveillance products and carries a CVSS severity score of 9.8, indicating a critical risk.
The flaw stems from an authentication weakness that may allow attackers to bypass normal security controls. If exploited, a malicious user could gain elevated privileges on the device and potentially access sensitive information stored within the system.
Security researchers previously observed attempts to exploit this vulnerability in internet-connected Hikvision cameras, suggesting that the flaw is actively being used by threat actors.

Industrial Control Systems Also Impacted
The second vulnerability, identified as CVE-2021-22681, affects multiple Rockwell Automation products including:
- Studio 5000 Logix Designer
- RSLogix 5000 software
- Logix Controllers
This vulnerability also carries a CVSS score of 9.8, placing it in the critical severity category.
The flaw involves improperly protected credentials that could allow an attacker with network access to bypass authentication mechanisms. Once access is obtained, an attacker may be able to modify controller configurations or alter application code running on the system.
Because these systems are often used in industrial environments, the risk could extend to critical infrastructure operations.

Federal Agencies Given Deadline to Patch Systems
Following the addition of these vulnerabilities to the KEV catalog, Federal Civilian Executive Branch (FCEB) agencies have been instructed to update affected systems to secure versions by March 26, 2026.
This requirement falls under Binding Operational Directive (BOD) 22-01, the federal cybersecurity directive that requires agencies to remediate vulnerabilities known to be actively exploited by the deadline CISA assigns in the catalog.
CISA Urges Organizations to Patch Immediately
While the directive specifically applies to federal agencies, CISA strongly recommends that private organizations and infrastructure operators also prioritize patching these vulnerabilities.
The agency warns that flaws listed in the KEV catalog are commonly used by cybercriminals and nation-state attackers because they provide reliable entry points into targeted networks.
Organizations are encouraged to strengthen their vulnerability management programs by regularly monitoring the KEV catalog and applying security updates as soon as they become available.
Keeping systems patched and reducing exposure to known vulnerabilities remains one of the most effective ways to prevent cyber attacks.
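The monitoring the article recommends can be automated: pull CISA's KEV JSON feed, match its CVE IDs against your own asset inventory, and rank what you find by the catalog's due date. The script below is an added illustration, not code from CISA or from the article. It uses the field names of CISA's public feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) but runs entirely offline on KEV_SAMPLE, a constructed two-entry excerpt whose dateAdded values are placeholders and whose dueDate is the March 26, 2026 deadline stated above; INVENTORY and its host names are likewise constructed, and the two CVE-0000-* identifiers are non-existent placeholders standing in for findings that are not in the catalog. In real use you would replace KEV_SAMPLE with the body fetched from KEV_FEED_URL and build INVENTORY from your vulnerability scanner's output.

```python
"""Match an asset inventory against a CISA KEV catalog snapshot and triage by due date.

Added example (not CISA's or the article's code). KEV_SAMPLE is a constructed
excerpt in the shape of CISA's JSON feed; INVENTORY is a constructed asset list.
"""
import json
from datetime import date, datetime

# Real location of the live feed; not fetched here so the example runs offline.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# Constructed excerpt. dateAdded values are placeholders, not CISA's real dates;
# dueDate is the March 26, 2026 deadline reported for both entries.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "constructed-sample",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2017-7921",
            "vendorProject": "Hikvision",
            "product": "Multiple surveillance products",
            "vulnerabilityName": "Hikvision Improper Authentication Vulnerability",
            "dateAdded": "2026-03-05",
            "shortDescription": "Authentication weakness allowing privilege escalation on the device.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-03-26",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2021-22681",
            "vendorProject": "Rockwell Automation",
            "product": "Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers",
            "vulnerabilityName": "Rockwell Automation Insufficiently Protected Credentials Vulnerability",
            "dateAdded": "2026-03-05",
            "shortDescription": "Improperly protected credentials allow authentication bypass from the network.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2026-03-26",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed inventory: each asset with the CVE IDs a scanner reported for it.
# CVE-0000-00001 and CVE-0000-00002 are placeholders for non-KEV findings.
INVENTORY = [
    {"asset": "cam-lobby-01", "cves": ["CVE-2017-7921"]},
    {"asset": "plc-line-3", "cves": ["CVE-2021-22681", "CVE-0000-00001"]},
    {"asset": "fileserver-02", "cves": ["CVE-0000-00002"]},
]


def load_kev(feed_text):
    """Parse a KEV JSON document into a dict keyed by CVE ID."""
    doc = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in doc["vulnerabilities"]}


def due_date(entry):
    """KEV dueDate is an ISO date string; return it as a date object."""
    return datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()


def match_inventory(kev, inventory):
    """Return one finding per (asset, CVE) pair present in the catalog, most urgent first."""
    findings = []
    for host in inventory:
        for cve in host["cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not a known-exploited CVE; handled by normal patch cadence
            findings.append({
                "asset": host["asset"],
                "cve": cve,
                "vendor": entry["vendorProject"],
                "product": entry["product"],
                "due": due_date(entry),
                "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown"),
            })
    findings.sort(key=lambda f: f["due"])  # stable sort: earliest deadline first
    return findings


def triage(findings, today):
    """Split findings into overdue and still-pending, annotating days remaining."""
    overdue, pending = [], []
    for f in findings:
        days = (f["due"] - today).days
        target = overdue if days < 0 else pending
        target.append({**f, "days_remaining": days})
    return overdue, pending


if __name__ == "__main__":
    catalog = load_kev(KEV_SAMPLE)
    hits = match_inventory(catalog, INVENTORY)
    late, open_items = triage(hits, date.today())
    for f in late:
        print(f"OVERDUE {f['asset']} {f['cve']} ({f['vendor']}: {f['product']}) due {f['due']}")
    for f in open_items:
        print(f"PENDING {f['asset']} {f['cve']} ({f['vendor']}: {f['product']}) {f['days_remaining']} days left")
```

Running it prints the Hikvision camera and the Rockwell controller as the two KEV matches, leaving the placeholder CVE on fileserver-02 out of the report; the split between overdue and pending depends on the date you pass to triage, so a nightly job can feed it the current date and page on anything that crosses the deadline.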

