CISA Flags Hikvision, Rockwell Flaws as Risk Grows

You'd think by now, people making surveillance cameras and industrial robots would know a thing or two about security. Apparently, that's just wishful thinking. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has tossed two more critical flaws—one in Hikvision gear, the other in Rockwell Automation industrial controllers—into its Known Exploited Vulnerabilities (KEV) catalog. Both score a juicy 9.8 out of 10 on the CVSS scale. That's the kind of number that should make the hair on the back of your neck stand up. Sadly, these are not zero-days—it turns out we've known about them for years. If you run gear from either company, don’t pat yourself on the back just yet.

Hikvision: Notorious for Security Mishaps Since Forever

Let’s start with Hikvision. This is a company whose security cameras are everywhere. In stores, schools, city streets—maybe even pointing at your front porch. CVE-2017-7921 is a classic blunder: improper authentication. In other words, attackers don’t need to be sophisticated cyber wizards. Even someone with a mild grudge and a bit of google-fu can bypass protections, escalate their privileges, and—here’s the fun part—snag sensitive information without ever needing an invite.

This particular weakness has been floating around since 2017. But here we are, nearly a decade later, and it’s only just made it onto the KEV list. Why? Because, according to CISA, attacks in the wild have picked up—in other words, organizations have done a predictably poor job of patching, and someone finally decided to make some money off the oversight. If you own one of these cameras, you might as well hang a sign that says, "Come on in, the water’s fine!"

Rockwell Automation: Factories, Meet the Internet (and Hackers)

Now, let's talk industrial automation. Rockwell Automation's software is everywhere in factories and critical infrastructure. We're talking about the brains behind water plants, food factories, and a whole lot of other places you'd rather not see on the evening news after a ransomware attack. CVE-2021-22681 affects a menagerie of products: Studio 5000 Logix Designer, RSLogix 5000, and all manner of Logix controllers.

This isn't some obscure programming trick. The flaw? Insufficiently protected credentials. In plain English: if someone knows where to look and can connect to your network, they can waltz past authentication controls and—poof—tinker with device configurations or application code. Maybe they’ll shut down the line. Maybe they’ll tweak production just enough to ruin your shipments. Or maybe, like any self-respecting cybercriminal, they’ll just extort you for Bitcoin.

This vulnerability was disclosed in 2021, and here we are in 2026, seeing it featured in CISA’s KEV catalog because—shocker—bad actors still find it useful. Why is that? Simple: there's plenty of unpatched, exposed automation gear out there.

CISA’s Mandate: Patch ASAP, Or Else (Kind Of)

So, what does CISA do when the security industry collectively trips over its shoelaces? It issues another order. This time, Binding Operational Directive (BOD) 22-01 shakes the stick at Federal Civilian Executive Branch agencies, telling them to update their systems by March 26, 2026. You tick that box, the audit gods smile down, and you keep the bureaucrats off your back for another day.

But if you’re not a government agency? CISA merely strongly advises you to patch with the same urgency. Not exactly a war cry. The reality? Many organizations—small businesses, cities, schools—will see the alert, yawn, and let it slide another quarter. Nothing like compliance theater to keep us all entertained while threat actors get creative.

Why the Praise for Patching Rings Hollow

If history teaches one thing, it’s that patching—especially in operational environments—is easier said than done. Security pros love to champion "robust vulnerability management," but those of you in the trenches know the drill. The team responsible for keeping the plant running doesn’t want to touch that controller unless it’s literally on fire. Your camera vendor’s "critical security update" usually means bricking three out of 10 devices and spending eight hours on hold with someone reading the same script they’ve been using since 2015.

But the alternative isn’t pretty. When exploits like these go unpatched, attackers can use them as stepping stones. Today it’s a grainy camera feed; tomorrow it’s manipulating assembly-line logic. Remember, these vulnerabilities weren’t added to the KEV catalog because they're fresh or fancy—they're there because attackers are using them to make real money now.

What You Should Actually Do (Even If You Don’t Want To)

  • If you’ve got Hikvision or Rockwell Automation products, inventory what’s exposed. Don’t assume someone else did it last year.
  • Update—really update. Hunt down the specific product documentation. Don’t just reboot and pray.
  • If you absolutely cannot patch, make these devices as invisible as possible. Pull them off the public Internet, segment your network, throw some monitoring in front of them. And yes, you’ll need to explain to your boss why it matters—again.
  • Regularly check for official advisories, because disclosure timelines are clearly more fantasy fiction than real-time alerting.
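The first item on that list, knowing which of your own devices the KEV catalog actually touches, is the part most shops skip. The script below is an added example, not code from this article, CISA or either vendor: it loads KEV-style entries, walks an asset inventory, and reports every unmitigated asset that matches a listed vendor and product, ranked by Internet exposure and by how close the directive's due date is. The two catalog entries and the inventory are constructed sample data laid out in the feed's field names (`cveID`, `vendorProject`, `product`, `dueDate`); the product and vendor matching is deliberately loose because the catalog's product strings are broad, so treat a match as "go read the advisory", not as proof of exploitability.

```python
"""Cross-reference an asset inventory against CISA KEV entries.

Added example for this article, not the project's or CISA's own code.
KEV_SAMPLE mimics the shape of the public feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
its entries and the INVENTORY below are CONSTRUCTED for offline use.
"""
import json
from datetime import date

# Constructed entries in the feed's layout; wording of the names follows the
# article, not the catalog text.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
         "product": "Cameras", "vulnerabilityName": "Improper authentication",
         "dueDate": "2026-03-26"},
        {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
         "product": "Logix Controllers",
         "vulnerabilityName": "Insufficiently protected credentials",
         "dueDate": "2026-03-26"},
    ]
})

# Constructed inventory: asset ids and products are placeholders.
# "mitigated" means the vendor fix (or an accepted compensating control) is in place.
INVENTORY = [
    {"asset_id": "cam-lobby-01", "vendor": "Hikvision", "product": "IP camera",
     "mitigated": False, "internet_exposed": True},
    {"asset_id": "cam-dock-02", "vendor": "Hikvision", "product": "IP camera",
     "mitigated": True, "internet_exposed": False},
    {"asset_id": "plc-line-3", "vendor": "Rockwell Automation",
     "product": "ControlLogix controller", "mitigated": False,
     "internet_exposed": False},
    {"asset_id": "switch-core-1", "vendor": "Acme Networks",
     "product": "48-port switch", "mitigated": False, "internet_exposed": False},
]


def load_kev(feed_json: str) -> list:
    """Parse a KEV feed document and return its vulnerability entries."""
    return json.loads(feed_json)["vulnerabilities"]


def _tokens(text: str) -> list:
    # Lowercased words of 4+ chars; short tokens like "ip" cause false matches.
    return [t for t in text.lower().replace("-", " ").split() if len(t) >= 4]


def _vendor_matches(asset_vendor: str, kev_vendor: str) -> bool:
    a, k = asset_vendor.lower(), kev_vendor.lower()
    return a in k or k in a


def _product_matches(asset_product: str, kev_product: str) -> bool:
    # Catalog product strings are broad ("Cameras", "Logix Controllers"), so a
    # match is any token pair where one is a substring of the other.
    if "multiple" in kev_product.lower():
        return True
    return any(a in k or k in a
               for a in _tokens(asset_product) for k in _tokens(kev_product))


def match_kev(inventory: list, kev_entries: list, today: date) -> list:
    """Return unmitigated asset/KEV pairs, exposed assets and nearest due dates first."""
    findings = []
    for asset in inventory:
        if asset["mitigated"]:
            continue
        for entry in kev_entries:
            if not _vendor_matches(asset["vendor"], entry["vendorProject"]):
                continue
            if not _product_matches(asset["product"], entry["product"]):
                continue
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            findings.append({
                "asset": asset["asset_id"],
                "cve": entry["cveID"],
                "exposed": asset["internet_exposed"],
                "days_to_due": days_left,
                "overdue": days_left < 0,
            })
    findings.sort(key=lambda f: (not f["exposed"], f["days_to_due"]))
    return findings


def audit(today_iso: str, feed_json: str = KEV_SAMPLE, inventory: list = INVENTORY) -> list:
    """Convenience entry point taking the reference date as an ISO string."""
    return match_kev(inventory, load_kev(feed_json), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in audit("2026-03-01"):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_to_due']}d left"
        exposure = "INTERNET-EXPOSED" if f["exposed"] else "internal"
        print(f"{f['asset']:14} {f['cve']:16} {exposure:17} {flag}")
```

To run it against the live catalog, fetch the feed JSON and pass it as `feed_json`; the internal `cam-dock-02` camera drops out because it is marked mitigated, and the unrelated switch never matches, which is the point of keeping the inventory honest about vendor and patch state.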

Why We Keep Ending Up Here: A Broken Culture

Long-term, these recurring "rediscoveries" in the KEV catalog are less about arcane cyber attacks and more about organizational apathy. Hardware manufacturers often spend more on marketing than on patching their flagship products. Integrators bolt on thousands of these devices—then stop answering the phone after year one. Security "best practices" are printed on glossy one-pagers that wind up in the bottom of the server room snack drawer.

You see the pattern: the industry lurches from crisis to crisis, vendors issue half-baked guidance, and the same critical flaws keep getting exploited for years. CISA can escalate the urgency all it wants, but if organizations keep sleepwalking past obvious threats, we’ll keep rereading advisories about old problems that nobody bothered to fix until it was too late.

The next big breach story? Odds are it’ll involve a camera someone forgot about, or a controller updated by some guy who left two jobs ago. Don't say you weren't warned.
