CVE-2021-22644 – This vulnerability involves Ovarro TBox TWinSof... (How to Fix)

Q: What is the severity of CVE-2021-22644?

CVE-2021-22644 has a CVSS score of 7.5 (HIGH). This vulnerability involves Ovarro TBox TWinSoft software using a hardcoded user account 'TWinSoft' with a static, predictable key. Attackers can exploit this to gain unauthorized access to affected systems. This affects organizations using Ovarro TBox devices with TWinSoft software.

📋 TL;DR

This vulnerability involves Ovarro TBox TWinSoft software using a hardcoded user account 'TWinSoft' with a static, predictable key. Attackers can exploit this to gain unauthorized access to affected systems. This affects organizations using Ovarro TBox devices with TWinSoft software.

💻 Affected Systems

Products:

Ovarro TBox TWinSoft

Versions: All versions prior to TWinSoft version 2.19.1

Operating Systems: Windows-based systems running TWinSoft

Default Config Vulnerable: ⚠️ Yes

Notes: Affects TBox devices using TWinSoft software for configuration and management.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems, allowing attackers to manipulate critical infrastructure operations, cause physical damage, or disrupt essential services.

🟠

Likely Case

Unauthorized access to TBox devices enabling configuration changes, data theft, or disruption of industrial processes.

🟢

If Mitigated

Limited impact if systems are isolated from untrusted networks and access controls are properly implemented.

🌐 Internet-Facing: HIGH - If exposed to internet, attackers can easily exploit the hardcoded credentials.

🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires only knowledge of the hardcoded credentials, making it trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: TWinSoft version 2.19.1

Vendor Advisory: https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04

Restart Required: Yes

Instructions:

1. Download TWinSoft version 2.19.1 from Ovarro. 2. Install the update on all affected systems. 3. Restart the TWinSoft service. 4. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate TBox devices and TWinSoft systems from untrusted networks and the internet.

Access Control Restrictions

all

Implement strict firewall rules to limit access to TWinSoft services only from authorized management stations.

🧯 If You Can't Patch

Implement network segmentation to isolate affected systems from untrusted networks
Monitor for authentication attempts using the 'TWinSoft' account and implement alerting

🔍 How to Verify

Check if Vulnerable:

Check TWinSoft version - if below 2.19.1, the system is vulnerable. Also check for existence of 'TWinSoft' user account.

Check Version:

Check TWinSoft application properties or about dialog for version information

Verify Fix Applied:

Verify TWinSoft version is 2.19.1 or higher and confirm the hardcoded credentials no longer work.

📡 Detection & Monitoring

Log Indicators:

Authentication attempts using 'TWinSoft' user account
Failed login attempts followed by successful 'TWinSoft' login

Network Indicators:

Unexpected connections to TWinSoft management ports
Traffic patterns indicating configuration changes

SIEM Query:

source="TWinSoft" AND (user="TWinSoft" OR event_type="authentication")

📊 Metadata

CVE ID: CVE-2021-22644

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-798

Published: July 28, 2022

Last Updated: April 17, 2025

🔗 References

https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04 Third Party Advisory,US Government Resource
https://www.cisa.gov/uscert/ics/advisories/icsa-21-054-04 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-22644, you might also want to check these: