Rockwell updated its initial advisory on Thursday to mention in-the-wild exploitation of CVE-2021-22681, but the company has not shared any information about the attacks.
SecurityWeek has reached out to Rockwell for comment and will update this article if the company responds.
A Shodan search currently shows nearly 6,000 internet-exposed Rockwell devices, but it’s unclear how many may be affected by CVE-2021-22681.
It’s worth noting that Rockwell issued a security notice in 2024, urging customers to ensure their ICS devices are not connected to the internet. One of the vulnerabilities highlighted in that alert was CVE-2021-22681, which indicates that the vendor did not rule out malicious exploitation.
In 2023, Rockwell and CISA warned that an unnamed APT had developed an exploit for a different Rockwell controller vulnerability (CVE-2023-3595), which could be exploited to cause disruption or destruction, but there had been no evidence of actual attacks.
Currently, CVE-2021-22681 is the only Rockwell product vulnerability in CISA’s KEV catalog.
Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
Source: SecurityWeek