DeNexus Blog - Industrial Cyber Risk Quantification

CISA AA26-097A: Iranian APT Exploiting Rockwell PLCs in US Critical Infrastructure | DeNexus

Written by Jose M Seara | Apr 30, 2026 12:27:09 PM

Six U.S. federal agencies published joint advisory AA26-097A on April 7, 2026: the FBI, CISA, NSA, EPA, Department of Energy, and U.S. Cyber Command. The advisory confirms that Iranian-affiliated cyber actors are actively exploiting Programmable Logic Controllers across U.S. critical infrastructure — with confirmed operational disruption and financial losses in government, water and wastewater, and energy sectors.

The exploit at the center of the campaign is CVE-2021-22681 — a Rockwell Automation Logix controller authentication bypass. Disclosed in 2021. No zero-day required. Five years of availability, and still producing confirmed losses in 2026.


The attack surface is wider than the advisory's named sectors

Allen-Bradley controllers from Rockwell Automation are among the most widely deployed PLCs in U.S. manufacturing, energy, water, and transportation infrastructure. This campaign does not target an obscure protocol or a niche device class — it targets one of the most common industrial controllers in American industry. The three sectors named in AA26-097A represent a fraction of the environments where CVE-2021-22681 creates exposure.


The monitoring gap is the mechanism

Dragos data puts active OT network monitoring below 10% across the industrial sector. That figure means the majority of operators affected by this campaign have no visibility into whether they have been compromised — or for how long.

Compromise-to-detection timelines have worsened as well: the mean time from compromise to detection rose from 17 days in 2024 to 40.4 days in 2025.

The AA26-097A campaign exploits exactly that condition: a known vulnerability, in widely deployed devices, in networks that cannot see what is moving through them.


The losses were foreseeable — and quantifiable

CVE-2021-22681 carries a published CVSS score. Allen-Bradley PLCs are documented, inventoried assets. The sectors named in the advisory have established operational dependencies with well-understood loss pathways — production downtime, loss of supervisory control, recovery costs.

The financial losses confirmed in AA26-097A were not the result of an unforeseeable event. They were the result of known exposure that was not expressed in financial terms, not prioritized accordingly, and not acted on.

DeRISK CRQ translates OT vulnerability exposure into expected annual loss and tail risk — in dollars.
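To make "expected annual loss and tail risk" concrete, here is an added worked example (not DeNexus or DeRISK code, and not their model) of the basic shape of a cyber risk quantification: event frequency modelled as a Poisson rate, loss per event (downtime, loss of supervisory control, recovery) as a lognormal severity, and a Monte Carlo run over many simulated years to obtain the expected annual loss and tail percentiles. Every parameter below is a constructed illustration, and the mitigation comparison simply assumes a control lowers the event rate; none of the figures come from the advisory.

```python
import math
import random
from dataclasses import dataclass


@dataclass
class ExposureScenario:
    """Constructed inputs for one hypothetical site (illustrative, not DeRISK parameters)."""
    annual_event_rate: float   # lambda: expected successful exploit events per year
    median_loss_usd: float     # median loss per event (downtime + recovery), USD
    loss_sigma: float          # log-scale spread of the per-event loss


def analytic_expected_annual_loss(s: ExposureScenario) -> float:
    """Closed form for a compound Poisson / lognormal model: E[L] = lambda * exp(mu + sigma^2 / 2)."""
    mu = math.log(s.median_loss_usd)
    return s.annual_event_rate * math.exp(mu + s.loss_sigma ** 2 / 2)


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method for sampling a Poisson-distributed event count."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(s: ExposureScenario, years: int = 20000, seed: int = 7) -> list:
    """Simulate `years` independent years; each year sums the losses of its events."""
    rng = random.Random(seed)
    mu = math.log(s.median_loss_usd)
    losses = []
    for _ in range(years):
        n_events = _poisson(rng, s.annual_event_rate)
        losses.append(sum(rng.lognormvariate(mu, s.loss_sigma) for _ in range(n_events)))
    return losses


def _percentile(sorted_values: list, q: float) -> float:
    idx = min(len(sorted_values) - 1, max(0, math.ceil(q * len(sorted_values)) - 1))
    return sorted_values[idx]


def quantify(s: ExposureScenario, years: int = 20000, seed: int = 7) -> dict:
    """Expected annual loss plus tail percentiles, in USD, from the simulated loss distribution."""
    losses = sorted(simulate_annual_losses(s, years, seed))
    return {
        "expected_annual_loss": sum(losses) / len(losses),
        "p95": _percentile(losses, 0.95),
        "p99": _percentile(losses, 0.99),
        "probability_of_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def risk_reduction(baseline: ExposureScenario, mitigated: ExposureScenario) -> dict:
    """Compare two scenarios, e.g. before and after a control that lowers the event rate."""
    before, after = quantify(baseline), quantify(mitigated)
    return {
        "eal_before": before["expected_annual_loss"],
        "eal_after": after["expected_annual_loss"],
        "eal_reduction": before["expected_annual_loss"] - after["expected_annual_loss"],
        "p99_before": before["p99"],
        "p99_after": after["p99"],
    }


# Constructed scenario: a site with an exposed controller, and the same site after a
# compensating control is assumed to cut the annual event rate by two thirds.
BASELINE = ExposureScenario(annual_event_rate=0.3, median_loss_usd=500_000, loss_sigma=0.8)
MITIGATED = ExposureScenario(annual_event_rate=0.1, median_loss_usd=500_000, loss_sigma=0.8)

if __name__ == "__main__":
    for name, scenario in (("baseline", BASELINE), ("mitigated", MITIGATED)):
        result = quantify(scenario)
        print(f"{name}: EAL ${result['expected_annual_loss']:,.0f}  "
              f"p95 ${result['p95']:,.0f}  p99 ${result['p99']:,.0f}  "
              f"P(any loss) {result['probability_of_loss']:.2f}")
    print(risk_reduction(BASELINE, MITIGATED))
```

The point of the tail figures is the question the advisory leaves open: whether a policy limit sits above or below the p95 or p99 annual loss decides whether coverage actually responds to a scenario like this one. The `risk_reduction` helper shows the other use of the same model, expressing a control in the same units as the exposure.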

What the advisory does not answer

AA26-097A names the threat, the vulnerability, and the sectors. It does not tell you what the expected annual loss looks like for your specific facilities. It does not tell you whether your current insurance coverage responds to this scenario — or at what limit.

Learn why OT cyber losses fall through the gap between cyber and property policies.

Those are the questions OT Cyber Risk Quantification answers.


Context: the advisory and the conflict

AA26-097A was published on April 7 — the same day as the ceasefire announcement — and received limited attention as a result. It was also issued while CISA's Joint Cyber Defense Collaborative operated with significantly reduced contractor capacity. The pre-positioned access this campaign represents, and the broader geopolitical conditions that produced it, are documented here: Five Structural Shifts That Should Change How Industrial Companies Think About Cyber Risk.

Read the full advisory: AA26-097A