CISA on March 13 added two vulnerabilities affecting Hikvision products and Rockwell Automation Logix controllers to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation in the wild. The agency said the additions were made under Binding Operational Directive 22-01, which requires Federal Civilian Executive Branch agencies to remediate listed flaws by a set deadline.
According to CISA’s March 13 alert, the newly added flaws are CVE-2017-7921, an improper authentication vulnerability affecting multiple Hikvision products, and CVE-2021-22681, an authentication bypass vulnerability in Rockwell Automation Logix controllers. CISA’s alert says federal agencies must remediate both issues by April 3, 2026.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” — CISA alert, March 13, 2026
The Hikvision entry in the KEV catalog describes CVE-2017-7921 as an improper authentication flaw that could allow attackers to gain unauthorized access to vulnerable devices. The Rockwell entry describes CVE-2021-22681 as a flaw in which Studio 5000 Logix Designer software may allow discovery of a key used to verify communication with Logix controllers; if exploited, this could allow an unauthorized application to connect to those controllers.
KEV additions span surveillance gear and industrial controllers
The March 13 update adds another pair of long-lived but still dangerous vulnerabilities to the KEV catalog, covering both edge surveillance infrastructure and industrial control environments. In the Rockwell case, the affected technology sits in operational technology environments where unauthorized access to controller communications could have broader downstream impact than a typical enterprise software flaw.
CISA’s bulletin does not provide victim counts, indicators of compromise, or detailed attack-chain information for either vulnerability. The agency instead directs defenders to vendor guidance and the KEV catalog entries for remediation and mitigation details.
The additions extend the recent cadence of KEV updates already covered by Cyberwarzone, including CISA’s March 5 batch update adding five actively exploited vulnerabilities and the n8n remote code execution flaw that CISA added to the KEV catalog after active exploitation.

