Hikvision and Rockwell Automation CVSS 9.8 Flaws Added
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added two security flaws impacting Hikvision and Rockwell Automation products to its Known Exploited Vulnerabilities (KEV)
What Happened
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two critical vulnerabilities, each with a CVSS score of 9.8, to its Known Exploited Vulnerabilities (KEV) catalog. These flaws affect products from Hikvision and Rockwell Automation. The catalog listing requires all U.S. federal civilian agencies to patch these vulnerabilities by a specified deadline, underscoring active exploitation. One of the confirmed vulnerabilities is CVE-2017-7921, a long-standing issue in Hikvision products. The addition signals that threat actors are currently leveraging these flaws in attacks against unpatched systems.
Why It Matters
The inclusion in the KEV catalog is a high-confidence signal of in-the-wild exploitation, transforming these vulnerabilities from theoretical risks to active threats. For Hikvision, a major global supplier of video surveillance and IoT equipment, exploitation could lead to unauthorized camera access, network breaches, and compromised physical security systems. For Rockwell Automation, a leading industrial control system (ICS) provider, exploitation threatens operational technology (OT) environments, potentially enabling disruption of critical manufacturing, energy, and infrastructure processes. This action by CISA provides a critical, authoritative benchmark for all organizations, not just federal agencies, to prioritize patching.
Technical Details
The specified flaw, CVE-2017-7921, is an authentication bypass vulnerability in certain Hikvision IP cameras, network video recorders, and web servers. It allows an unauthenticated attacker to bypass login mechanisms and directly access a configuration file containing user credentials and other sensitive system information. The attack vector is network-based, requires no user interaction, and has low attack complexity. For Rockwell Automation, while the specific CVE was not detailed in the provided intelligence, a CVSS 9.8 score typically indicates a remotely exploitable, easy-to-exploit flaw that compromises system integrity, availability, or confidentiality.
Immediate Risk
The immediate risk is severe. Organizations using affected Hikvision or Rockwell Automation products have a high likelihood of being targeted. For Hikvision, this could facilitate initial access into corporate networks or enable espionage. For Rockwell Automation, the risk escalates to potential operational shutdown, safety system manipulation, and ransomware deployment in industrial settings. The urgency is critical; defensive actions should be treated as emergency change control procedures. Any delay significantly increases the probability of a successful, impactful breach.
Security Insight
This event highlights the persistent threat of older, unpatched vulnerabilities within critical infrastructure and enterprise IoT ecosystems. CVE-2017-7921, published in 2017, demonstrates that attackers continuously scan for and weaponize known weaknesses, especially in widely deployed, internet-connected devices. Security teams must extend vulnerability management beyond traditional IT to encompass OT and IoT asset inventories. Immediate action should include: identifying all instances of affected products, isolating them from the internet if immediate patching is not possible, applying vendor-provided firmware updates, and monitoring network traffic for anomalous access attempts to management interfaces.
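The first two actions above (identifying affected products and isolating exposed ones that cannot be patched immediately) can be scripted against an asset inventory. The following is an added example, not part of the original article: the KEV excerpt uses the field names of CISA's JSON feed, but the Rockwell CVE ID, due dates, hosts and inventory fields are constructed placeholders, and matching on vendor name alone is a simplifying assumption (real triage also needs model and firmware version).

```python
import json
from datetime import date

# Constructed excerpt using the field names of CISA's KEV JSON feed. Only
# CVE-2017-7921 is from the article; the Rockwell ID and due dates are placeholders.
KEV_EXCERPT = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "dueDate": "2030-01-22"},
  {"cveID": "CVE-PLACEHOLDER-ROCKWELL", "vendorProject": "Rockwell Automation",
   "dueDate": "2030-01-22"}]}""")

# Constructed asset inventory (hypothetical hosts and field names).
INVENTORY = [
    {"host": "plc-line-3", "vendor": "Rockwell Automation", "internet_facing": False, "patched": True},
    {"host": "nvr-dc-02", "vendor": "HIKVISION ", "internet_facing": False, "patched": False},
    {"host": "sw-core-01", "vendor": "ExampleNet", "internet_facing": True, "patched": False},
    {"host": "cam-lobby-01", "vendor": "Hikvision", "internet_facing": True, "patched": False},
]
SAMPLE_TODAY = date(2030, 1, 1)  # constructed reference date

PRIORITY = {"isolate-now": 0, "patch": 1, "verify-firmware": 2}

def triage(kev, inventory, today):
    """Match assets to KEV entries by vendor and rank the required actions."""
    by_vendor = {}
    for vuln in kev["vulnerabilities"]:
        by_vendor.setdefault(vuln["vendorProject"].strip().casefold(), []).append(vuln)
    findings = []
    for asset in inventory:
        for vuln in by_vendor.get(asset["vendor"].strip().casefold(), []):
            if asset["patched"]:
                action = "verify-firmware"  # confirm the fixed firmware is really installed
            elif asset["internet_facing"]:
                action = "isolate-now"      # exposed and unpatched: remove exposure first
            else:
                action = "patch"
            days_left = (date.fromisoformat(vuln["dueDate"]) - today).days
            findings.append({"host": asset["host"], "cve": vuln["cveID"],
                             "action": action, "days_left": days_left})
    findings.sort(key=lambda f: (PRIORITY[f["action"]], f["days_left"], f["host"]))
    return findings

if __name__ == "__main__":
    for f in triage(KEV_EXCERPT, INVENTORY, SAMPLE_TODAY):
        print(f"{f['action']:<16} {f['host']:<14} {f['cve']:<26} due in {f['days_left']} days")
```

Assets whose vendor does not appear in the catalog excerpt (here `sw-core-01`) produce no finding, so the output is the work list rather than the full inventory.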