CVSS 9.8: The Fence Has Been Open Since 2017 and You're Just Now Telling Me

Oh good. CISA added two more ancient vulnerabilities to the Known Exploited Vulnerabilities catalog. Two. More. Ancient ones.

CVE-2017-7921. That's a Hikvision flaw. From 2017. As in, the year a significant portion of our current flock was still figuring out how to use a smartphone. The wolves have had NINE YEARS to waltz through that particular hole in the fence, and we're just now getting an official memo about it. Fantastic. Really on the pulse here.

The Rockwell Automation one, CVE-2021-22681, is practically brand new by comparison. Only four years old. Both scored a 9.8 on the CVSS scale, which for the uninitiated means "catastrophically, embarrassingly, almost impressively broken."

CISA is kindly asking federal agencies to apply the ointment by March 26, 2026. A deadline. For a 2017 vulnerability. I need to go lie down.

Here's what kills me. Hikvision cameras are everywhere. Server rooms, parking lots, the little hallway where Dave microwaves his fish. If your organization is running unpatched Hikvision gear, a wolf with a browser and a bad attitude can potentially bypass authentication entirely. No password needed. Just. Walk in. The electric fence is decorative at this point.

The Rockwell flaw is an industrial control system issue, which means the stakes are somehow even higher and the patch cycle is somehow even slower. The Shepherds in charge of OT environments will read this, nod gravely, schedule a meeting about it, and then do absolutely nothing until a regulator shows up.

I'm not even angry anymore. I'm just tired.

The lambs didn't click anything this time, which is honestly a refreshing change. This one is entirely on the people who decided "we'll patch it later" in 2017 and then apparently forgot that later eventually arrives.

Remediation

Look, I'll keep it simple because I'm running on cold coffee and resentment.

For the Hikvision hole in the fence: Update your firmware. Right now. Not after the meeting. Firmware. Hikvision's site. Go.

For the Rockwell issue: Check your industrial control systems, apply the vendor patch, and seriously consider whether that equipment should be anywhere near a network connection in the first place. Isolate it. Put it in its own little sheep tunnel if you have to.

For everyone: Run your asset inventory. Find the old stuff. Shear it. If you don't know what's running on your network, the wolves already do.

Check CISA's KEV catalog occasionally. It's free. It's updated. It's full of things your organization is probably running unpatched right now.
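Here's an added example (mine, not from the post or from CISA) of what "run your inventory, then check it against KEV" looks like in practice: it matches a constructed asset list against catalog entries in the shape of CISA's KEV JSON feed by vendor and reports how many days remain before each due date. The CVE IDs, vendors and the March 26, 2026 deadline come from the post; the product strings, asset IDs and the third catalog entry are constructed placeholders.

```python
import json
from datetime import date

# Live feed (not fetched here so the example runs offline):
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
# Constructed sample in that feed's shape. Only cveID, vendorProject and the
# 2026-03-26 dueDate come from the post; product strings are placeholders.
SAMPLE_KEV_JSON = """
{"vulnerabilities": [
  {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision",
   "product": "camera firmware (constructed)", "dueDate": "2026-03-26"},
  {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation",
   "product": "controller software (constructed)", "dueDate": "2026-03-26"},
  {"cveID": "CVE-0000-0000", "vendorProject": "ExampleCorp",
   "product": "Widget (constructed)", "dueDate": "2025-01-01"}
]}
"""

# Constructed asset inventory: (asset id, vendor, product as someone typed it in).
SAMPLE_INVENTORY = [
    ("cam-lobby-01", "HIKVISION", "DS-2CD camera"),
    ("plc-line-3", "Rockwell Automation", "CompactLogix controller"),
    ("fw-edge-01", "Fortinet", "FortiGate"),
]

def _norm(s):
    # Case and whitespace differences are the usual reason inventory lookups miss.
    return " ".join(s.lower().split())

def kev_matches(kev_json, inventory, today):
    """Return inventory assets whose vendor has a KEV entry, soonest due first.
    Matching is by vendor only: inventory product names rarely line up with the
    catalog's, so a human triages each hit against kev_product."""
    by_vendor = {}
    for e in json.loads(kev_json)["vulnerabilities"]:
        by_vendor.setdefault(_norm(e["vendorProject"]), []).append(e)
    hits = []
    for asset_id, vendor, _product in inventory:
        for e in by_vendor.get(_norm(vendor), []):
            due = date.fromisoformat(e["dueDate"])
            hits.append({"asset": asset_id, "cve": e["cveID"], "kev_product": e["product"],
                         "due": e["dueDate"], "days_left": (due - today).days})
    return sorted(hits, key=lambda h: h["days_left"])  # negative = overdue

def demo(today_iso="2026-03-01"):
    return kev_matches(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, date.fromisoformat(today_iso))
```

Swap the embedded JSON for the downloaded feed and the tuple list for your real inventory export; anything with a negative days_left is already past CISA's deadline.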

Baaack to my ticket queue, I guess.


Original Report: https://thehackernews.com/2026/03/hikvision-and-rockwell-automation-cvss.html