CVE-2021-22661
📋 TL;DR
This vulnerability allows unauthorized password changes on ICX35-HWC industrial control modules without requiring the current password. Attackers with network access to the web interface can change administrative passwords, potentially gaining full control. Affects ICX35-HWC-A and ICX35-HWC-E modules running firmware versions 1.9.62 and earlier.
💻 Affected Systems
- ICX35-HWC-A
- ICX35-HWC-E
📦 What is this software?
ICX35-HWC-A firmware by ProSoft Technology
ICX35-HWC-E firmware by ProSoft Technology
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the industrial control system, allowing attackers to modify configurations, disrupt operations, or use the device as an entry point into other systems.
Likely Case
Unauthorized administrative access leading to configuration changes, operational disruption, or credential theft.
If Mitigated
Limited impact if the device is isolated behind firewalls with strict network access controls and is monitored for unauthorized changes.
🎯 Exploit Status
Exploitation requires network access to the web interface but no authentication: a single HTTP request to the password change endpoint is enough.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.9.63 or later
Vendor Advisory: https://us-cert.cisa.gov/ics/advisories/icsa-21-056-04
Restart Required: Yes
Instructions:
1. Download firmware version 1.9.63 or later from the vendor.
2. Log into the device web interface.
3. Navigate to the firmware update section.
4. Upload the new firmware file.
5. Apply the update and restart the device.
🔧 Temporary Workarounds
Network segmentation
Isolate affected devices behind firewalls so that only authorized networks can reach the web interface.
Disable web interface
If the web interface is not required, disable it via the device configuration settings.
🧯 If You Can't Patch
- Implement strict network access controls to limit connections to trusted IP addresses only.
- Monitor device logs for unauthorized password change attempts and implement alerting.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface or CLI; if it is 1.9.62 or earlier, the device is vulnerable.
Check Version:
Check the System Information page of the web interface or use the vendor-specific CLI command.
Verify Fix Applied:
After patching, verify that the firmware version shows 1.9.63 or later and confirm that a password change now requires the current password.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized password change events in device logs
- Multiple failed login attempts followed by password change
Network Indicators:
- HTTP POST requests to password change endpoint without authentication
- Unusual source IP addresses accessing administrative interfaces
SIEM Query:
source="icx35" AND (event_type="password_change" OR url_path="/password_change")
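As an added example (not part of the original advisory or the vendor's tooling), a small Python check that applies the network indicators above to web-interface access logs. The log format, the /password_change path (taken from the SIEM query) and the trusted network range are assumptions.

```python
"""Apply the network indicators above to web-interface access logs for an
ICX35-HWC. The log format, the /password_change path (taken from the SIEM
query) and the trusted network range are assumptions, not vendor facts."""
import ipaddress
import re

# Assumed log format: <src_ip> <method> <path> <status> auth=<yes|no>
LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3}) auth=(yes|no)$")
PASSWORD_CHANGE_PATH = "/password_change"
TRUSTED_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # assumed OT/engineering VLAN


def is_trusted(src_ip: str) -> bool:
    """True if the source address is inside an allow-listed network."""
    return any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_NETS)


def analyze(lines: list) -> list:
    """Return (alert_type, src_ip) pairs for requests matching the indicators."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that don't fit the assumed format
        src, method, path, status, auth = m.groups()
        if method == "POST" and path == PASSWORD_CHANGE_PATH and auth == "no":
            # Unauthenticated password change: an accepted (2xx) request means the
            # device is still vulnerable; a rejected one means the fix is in place
            # but someone is probing the endpoint.
            kind = ("unauth_password_change" if status.startswith("2")
                    else "rejected_password_change")
            alerts.append((kind, src))
        if not is_trusted(src):
            alerts.append(("untrusted_source", src))  # admin UI reached from outside
    return alerts


# Constructed sample log lines (not real device output).
SAMPLE_LOG = [
    "10.10.0.5 GET /status 200 auth=yes",
    "10.10.0.5 POST /password_change 200 auth=yes",
    "192.0.2.44 POST /password_change 200 auth=no",
    "192.0.2.44 POST /password_change 403 auth=no",
    "10.10.0.9 POST /password_change 200 auth=no",
    "not a log line",
]

if __name__ == "__main__":
    for kind, ip in analyze(SAMPLE_LOG):
        print(f"ALERT {kind} from {ip}")
```

The 403 sample line is what the same probe should look like once firmware 1.9.63 or later is installed, which makes the script usable for the "Verify Fix Applied" step as well.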