CVE-2021-22823
📋 TL;DR
CVE-2021-22823 is an authentication bypass vulnerability in Schneider Electric's Interactive Graphical SCADA System Data Collector (dc.exe) that allows unauthenticated attackers to delete arbitrary files on affected systems. This affects IGSS Data Collector versions 15.0.0.21320 and earlier. Industrial control system operators using vulnerable SCADA installations are at risk.
💻 Affected Systems
- Interactive Graphical SCADA System Data Collector (dc.exe)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through deletion of critical system files, leading to SCADA system failure and potential physical process disruption in industrial environments.
Likely Case
Data loss, service disruption, or system instability through targeted file deletion attacks against the SCADA environment.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized access to the Data Collector service.
🎯 Exploit Status
The vulnerability requires network access to the Data Collector service but no authentication. Attack complexity is low due to missing authentication checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to a version newer than V15.0.0.21320
Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2021-348-01
Restart Required: Yes
Instructions:
1. Download the updated IGSS Data Collector from Schneider Electric.
2. Stop the Data Collector service.
3. Install the update.
4. Restart the service.
5. Verify the version is newer than V15.0.0.21320.
🔧 Temporary Workarounds
Network Segmentation
Windows: Restrict network access to the Data Collector service to only trusted systems
Windows Firewall: New-NetFirewallRule -DisplayName "Block IGSS DC" -Direction Inbound -Protocol TCP -LocalPort 12401 -Action Block
Note that this rule as written blocks all inbound TCP connections to port 12401; if some trusted hosts must keep access, scope the rule by remote address (-RemoteAddress) rather than blocking the port outright.
Service Account Hardening
Windows: Run the Data Collector service with minimal privileges to limit file deletion impact
sc.exe config "IGSS Data Collector" obj= "NT AUTHORITY\LocalService" password= ""
🧯 If You Can't Patch
- Implement strict network access controls to isolate the Data Collector from untrusted networks
- Deploy host-based intrusion detection to monitor for file deletion attempts and unauthorized access
🔍 How to Verify
Check if Vulnerable:
Check the version of dc.exe in the IGSS installation directory. If the version is 15.0.0.21320 or earlier, the system is vulnerable.
Check Version:
Right-click dc.exe → Properties → Details → File version
Verify Fix Applied:
Verify the dc.exe version is newer than 15.0.0.21320 and test that file deletion via network messages is no longer possible without authentication.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in Windows Event Logs
- Failed authentication attempts to Data Collector service
- Unusual network connections to port 12401
Network Indicators:
- Unusual traffic patterns to Data Collector port (default 12401)
- Network messages to dc.exe from unauthorized sources
SIEM Query:
source="windows" AND (event_id=4663 OR event_id=4656) AND process_name="dc.exe" AND object_type="File" AND access_mask="DELETE"
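As an added example (not part of the original advisory), the detection idea above can be implemented as a small correlation over Windows Security events: a 4656 handle request from dc.exe whose access mask carries the DELETE bit (0x10000), followed by a 4660 object-deleted event with the same HandleId, is reported as a file deletion by the Data Collector. The event records below are constructed sample data in JSON form, and the path and handle values are assumptions.

```python
import json

# Windows Security auditing event IDs used by the advisory's SIEM query:
# 4656 = handle to an object requested, 4663 = object accessed,
# 4660 = object deleted. The DELETE access right is bit 0x10000 of AccessMask.
DELETE_MASK = 0x10000
TARGET_PROCESS = "dc.exe"

# Constructed sample events (not real logs), one JSON record per line.
# Backslashes are doubled so that json.loads yields single-backslash paths.
SAMPLE_EVENTS = r"""
{"EventID":4656,"ProcessName":"C:\\IGSS\\dc.exe","ObjectName":"C:\\IGSS\\config\\site.ini","AccessMask":"0x10000","HandleId":"0x1a4","Time":"2021-12-15T10:00:01"}
{"EventID":4660,"ProcessName":"C:\\IGSS\\dc.exe","HandleId":"0x1a4","Time":"2021-12-15T10:00:01"}
{"EventID":4656,"ProcessName":"C:\\IGSS\\dc.exe","ObjectName":"C:\\IGSS\\data\\log.dat","AccessMask":"0x120089","HandleId":"0x1b0","Time":"2021-12-15T10:00:05"}
{"EventID":4656,"ProcessName":"C:\\Windows\\explorer.exe","ObjectName":"C:\\Users\\op\\tmp.txt","AccessMask":"0x10000","HandleId":"0x2c0","Time":"2021-12-15T10:00:09"}
{"EventID":4660,"ProcessName":"C:\\Windows\\explorer.exe","HandleId":"0x2c0","Time":"2021-12-15T10:00:09"}
"""


def find_dc_deletions(raw_lines: str) -> list:
    """Return one finding per file deleted by dc.exe.

    A 4656 record with the DELETE bit set is held until a 4660 record with
    the same HandleId confirms the deletion; read access (e.g. 0x120089)
    and deletions by other processes are ignored.
    """
    pending = {}   # HandleId -> 4656 record that requested DELETE access
    findings = []
    for line in raw_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        proc = ev.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
        if proc != TARGET_PROCESS:
            continue
        if ev["EventID"] == 4656 and int(ev["AccessMask"], 16) & DELETE_MASK:
            pending[ev["HandleId"]] = ev
        elif ev["EventID"] == 4660 and ev["HandleId"] in pending:
            req = pending.pop(ev["HandleId"])
            findings.append({"time": ev["Time"], "file": req["ObjectName"],
                             "process": ev["ProcessName"]})
    return findings


if __name__ == "__main__":
    for f in find_dc_deletions(SAMPLE_EVENTS):
        print(f"{f['time']} {f['process']} deleted {f['file']}")
```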