ATLA WIRE

Hikvision and Rockwell Automation CVSS 9.8 Flaws Added to CISA KEV Catalog

09.03.2026
CISA adds Hikvision flaw CVE-2017-7921 and Rockwell Automation CVE-2021-22681 to KEV, urging agencies to patch by March 26, 2026.

CISA Just Dropped Two CVSS 9.8 Bombshells Into Its KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) just added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog — and they're both CVSS 9.8 scorchers. We're talking about Hikvision's CVE-2017-7921 and Rockwell Automation's CVE-2021-22681. Federal agencies now have until March 26, 2026 to patch these or face the consequences.
The Hikvision flaw is an authentication bypass vulnerability in multiple IP camera models that could let attackers access live video feeds without credentials. This isn't new — it was first disclosed in 2017 — but it's still out there in the wild, and CISA's basically saying 'enough is enough, patch this already.'
Meanwhile, Rockwell Automation's vulnerability affects its FactoryTalk Linx software, which is used in industrial control systems. This one's a path traversal flaw that could let attackers read arbitrary files on the system. Given that Rockwell gear runs critical infrastructure worldwide, this isn't something to sleep on.
Both vulnerabilities have been actively exploited in the wild, which is why CISA's giving them the KEV treatment. The agency's binding operational directive requires federal civilian executive branch agencies to patch these by the deadline, but honestly, everyone in critical infrastructure should be paying attention.
  • Hikvision CVE-2017-7921: Authentication bypass in IP cameras, CVSS 9.8
  • Rockwell Automation CVE-2021-22681: Path traversal in FactoryTalk Linx, CVSS 9.8
  • Deadline: March 26, 2026 for federal agencies
  • Status: Both actively exploited in the wild
The timing here is interesting — CISA's pushing hard on these older vulnerabilities that keep getting exploited. It's a clear message: if you're running outdated gear in critical systems, you're playing with fire. Both Hikvision and Rockwell have patches available, so there's really no excuse at this point.