Iran-affiliated hackers are targeting internet-exposed Rockwell Automation programmable logic controllers (PLCs) across U.S. energy, water, and government networks, exploiting a vulnerability that federal agencies ordered patched by March 26, according to a joint advisory issued Tuesday.
🚨 Iranian-affiliated cyber actors are targeting internet-connected OT devices, including Rockwell Automation/Allen-Bradley PLCs, across #CriticalInfrastructure sectors. Review our joint #Cybersecurity Advisory for IOCs & mitigations. 👉 https://t.co/DO9mqoXpLF
— CISA Cyber (@CISACyber) April 7, 2026
The Cybersecurity and Infrastructure Security Agency (CISA), FBI, NSA, Environmental Protection Agency (EPA), Department of Energy (DOE), and U.S. Cyber Command’s Cyber National Mission Force (CNMF) jointly assessed that “Iranian-affiliated advanced persistent threat (APT) actors,” sophisticated hacker groups linked to state military or intelligence services, are targeting Rockwell’s Studio 5000 Logix Designer software and Allen-Bradley PLCs “to cause disruptive effects within the United States.”
CISA added CVE-2021-22681, an authentication bypass flaw in Studio 5000 involving hardcoded keys, to its Known Exploited Vulnerabilities (KEV) catalog on March 5. This established a mandatory federal remediation deadline of March 26, yet exploitation persists.
Acting CISA Director Nick Andersen noted as recently as mid-March that the agency had “not seen a rise in threat actor activity” linked to Iran.
Hackers manipulated human-machine interface (HMI) and supervisory control and data acquisition (SCADA) display data, extracted device project files, and caused operational disruption and financial losses in some cases, the advisory states.
CISA joint advisory today: Iranian APT actors actively compromising internet-exposed PLCs in US water, energy, and government sectors.
No exploit needed. They used Rockwell’s own engineering software. Control logic extracted. SCADA displays falsified.
Full analysis:…
— Picus Security (@PicusSecurity) April 7, 2026
Kimberly Mielcarek, vice president of the North American Electric Reliability Corporation (NERC), said the organization dispatched an “all-points bulletin” to energy sector members.
“Our Watch Operations team is actively monitoring the grid, while we continue to coordinate closely with the Department of Energy, the Electricity Subsector Coordinating Council, and our federal and provincial partners,” Mielcarek said.
Ed Moreland, Rockwell Automation’s vice president of government affairs and corporate communications, said the company “takes seriously the security of its products and solutions and has been closely coordinating with government agencies.”
The advisory is the first public domestic infrastructure warning since U.S. and Israeli forces struck Iran on February 28.
The campaign mirrors a 2023 operation by CyberAv3ngers, affiliated with Iran’s Islamic Revolutionary Guard Corps (IRGC), that compromised Israeli-made Unitronics control panels at Pennsylvania water facilities. The pattern is consistent with Iranian targeting of infrastructure linked to Israeli-affiliated technology.







