CVE-2021-22805

9.1 CRITICAL

📋 TL;DR

This vulnerability in Schneider Electric's Interactive Graphical SCADA System Data Collector allows unauthenticated attackers to delete arbitrary files on the system where the vulnerable software runs. It affects IGSS Data Collector versions 15.0.0.21243 and earlier. The attack occurs through specially crafted network messages that the software processes without proper authentication or validation.

💻 Affected Systems

Products:
  • Interactive Graphical SCADA System Data Collector (dc.exe)
Versions: V15.0.0.21243 and prior
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default configuration of the Data Collector component when network-accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through deletion of critical system files, leading to SCADA system disruption, data loss, or potential safety incidents in industrial environments.

🟠 Likely Case

Data loss and service disruption through deletion of configuration files, logs, or application files, potentially causing SCADA system downtime.

🟢 If Mitigated

Limited impact if network segmentation and proper access controls prevent unauthorized access to the vulnerable service.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the vulnerable service but no authentication. The vulnerability is in network message handling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V15.0.0.21244 or later

Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-285-03

Restart Required: Yes

Instructions:

1. Download the updated version from Schneider Electric's website.
2. Stop the IGSS Data Collector service.
3. Install the update.
4. Restart the service.

🔧 Temporary Workarounds

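Network Segmentation (Windows)

Restrict network access to the Data Collector service to only trusted systems.

  • Use Windows Firewall: netsh advfirewall firewall add rule name="Block IGSS DC" dir=in action=block protocol=TCP localport=[PORT] remoteip=any
  • Configure network ACLs to restrict access to the Data Collector port

Replace [PORT] with the Data Collector port (default TCP 12401). As written, remoteip=any blocks every remote address, trusted systems included, and Windows Firewall block rules take precedence over allow rules. To keep trusted systems connected, narrow remoteip to the untrusted ranges, or rely on the default inbound block and add an allow rule limited to the trusted addresses.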

Service Account Hardening (Windows)

Run the Data Collector service with minimal privileges to limit file deletion impact.

sc config "IGSS Data Collector" obj= "NT AUTHORITY\LocalService"
sc stop "IGSS Data Collector"
sc start "IGSS Data Collector"

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Data Collector from untrusted networks
  • Deploy host-based intrusion detection and monitor for file deletion attempts

🔍 How to Verify

Check if Vulnerable:

Check the version of dc.exe in the IGSS installation directory. If the version is 15.0.0.21243 or earlier, the system is vulnerable.

Check Version:

Right-click dc.exe → Properties → Details tab → File version

Verify Fix Applied:

Verify dc.exe version is 15.0.0.21244 or later after applying the patch.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file deletion events in Windows Event Logs
  • IGSS Data Collector service errors or crashes
  • Network connections to Data Collector port from unauthorized sources

Network Indicators:

  • Unusual network traffic to the Data Collector port (default TCP 12401)
  • Multiple file deletion requests via network packets

SIEM Query:

source="windows" AND (event_id=4663 OR event_id=4656) AND process_name="dc.exe" AND object_type="File" AND access_mask="0x10000"
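
The SIEM query above, generalized as an added example (not part of the original page or the vendor advisory): it parses Security events exported as XML and tests the DELETE bit (0x10000) rather than matching the mask string exactly, because event 4656 records the whole requested access mask. The sample events and the C:\EXAMPLE paths are constructed; events 4656 and 4663 are only written when file-system object-access auditing is enabled and an audit entry (SACL) covers the files.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
DELETE = 0x10000  # DELETE access right, the mask value used in the SIEM query


def event_xml(event_id, process, obj, mask):
    """Build a constructed Security event carrying only the fields used here."""
    data = {"ObjectType": "File", "ObjectName": obj,
            "ProcessName": process, "AccessMask": mask}
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'</System><EventData>{fields}</EventData></Event>')


# Constructed sample events; every path is a placeholder.
SAMPLE = [
    event_xml(4663, r"C:\EXAMPLE\IGSS\dc.exe", r"C:\EXAMPLE\data\demo.cfg", "0x10000"),
    event_xml(4656, r"C:\EXAMPLE\IGSS\dc.exe", r"C:\EXAMPLE\data\a.log", "0x110080"),
    event_xml(4663, r"C:\EXAMPLE\IGSS\dc.exe", r"C:\EXAMPLE\data\b.log", "0x2"),
    event_xml(4663, r"C:\EXAMPLE\other.exe", r"C:\EXAMPLE\data\x.tmp", "0x10000"),
]


def dc_delete_events(xml_events, image="dc.exe"):
    """Return (event_id, object_name) for file DELETE access by the given image."""
    hits = []
    for raw in xml_events:
        root = ET.fromstring(raw)
        event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
        if event_id not in (4656, 4663):
            continue
        d = {n.get("Name"): (n.text or "")
             for n in root.iterfind("e:EventData/e:Data", NS)}
        # Compare the image file name only, case-insensitively (Windows paths).
        if d.get("ProcessName", "").lower().rsplit("\\", 1)[-1] != image:
            continue
        if d.get("ObjectType") != "File":
            continue
        # Test the DELETE bit: 4656 logs the full requested mask, not one right.
        if int(d.get("AccessMask", "0"), 16) & DELETE:
            hits.append((event_id, d.get("ObjectName")))
    return hits


if __name__ == "__main__":
    for event_id, name in dc_delete_events(SAMPLE):
        print(event_id, name)
```

The second sample event (mask 0x110080) is the case an exact match on access_mask="0x10000" would miss.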
