{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2021-4477/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2021-4477"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2021-4477","firewall-bypass","network"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eHirschmann HiLCOS OpenBAT and BAT450 products are vulnerable to a firewall bypass (CVE-2021-4477) in IPv6 IPsec deployments. The vulnerability allows attackers to circumvent configured firewall rules by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while simultaneously maintaining an IPv6 Internet connection. This bypass can allow unauthorized access to internal network resources. The vulnerability was published in April 2026. Exploitation of this vulnerability can lead to significant security breaches, allowing attackers to move laterally within a network and potentially compromise sensitive data. Defenders should prioritize patching and implementing detection measures to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Hirschmann HiLCOS OpenBAT or BAT450 device with IPv6 and IPsec enabled.\u003c/li\u003e\n\u003cli\u003eAttacker establishes an IPv6 IPsec VPN connection (IKEv1 or IKEv2) to the target device.\u003c/li\u003e\n\u003cli\u003eSimultaneously, the attacker maintains an active IPv6 Internet connection.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts network packets designed to bypass the configured firewall rules.\u003c/li\u003e\n\u003cli\u003eThe target device incorrectly routes traffic from the VPN connection, bypassing the firewall.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to internal network resources.\u003c/li\u003e\n\u003cli\u003eThe attacker moves laterally within the network, exploiting additional vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or performs other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-4477 allows attackers to bypass firewall restrictions, potentially compromising the entire network. This can lead to unauthorized access to sensitive data, lateral movement within the network, and deployment of malware. The severity of the impact depends on the network configuration and the sensitivity of the data being protected by the affected devices. Due to the nature of industrial control systems (ICS), successful exploitation could have significant operational and safety consequences.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches provided by Belden for Hirschmann HiLCOS OpenBAT and BAT450 products to address CVE-2021-4477, as referenced in the Belden Security Bulletin.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for anomalous IPv6 IPsec connections originating from or directed towards Hirschmann devices to detect potential exploitation attempts, using network connection logs.\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule \u003ccode\u003eDetect_Hirschmann_IPsec_Bypass\u003c/code\u003e to identify suspicious network activity indicative of the firewall bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and harden firewall configurations on affected devices, ensuring that IPv6 traffic is properly inspected and filtered, based on product documentation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T23:17:01Z","date_published":"2026-04-03T23:17:01Z","id":"/briefs/2026-04-hirschmann-firewall-bypass/","summary":"CVE-2021-4477 describes a firewall bypass vulnerability in Hirschmann HiLCOS OpenBAT and BAT450 products that can be exploited by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while using an IPv6 Internet connection, allowing attackers to bypass configured firewall rules.","title":"Hirschmann HiLCOS OpenBAT/BAT450 IPv6 IPsec Firewall Bypass (CVE-2021-4477)","url":"https://feed.craftedsignal.io/briefs/2026-04-hirschmann-firewall-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2021-4477","version":"https://jsonfeed.org/version/1.1"}