CVE-2021-30064

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to gain SSH access to Schneider Electric ConneXium Tofino Firewall and Belden Tofino Xenon Security Appliance devices using hardcoded default credentials while the devices are in an uncommissioned state. It affects specific models of these industrial firewall/security appliances before they have been properly configured for production use.

💻 Affected Systems

Products:
  • Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F22
  • Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F20
  • Schneider Electric ConneXium Tofino Firewall TCSEFEA23F3F21
  • Belden Tofino Xenon Security Appliance
Versions: TCSEFEA23F3F22 before 03.23, all TCSEFEA23F3F20/21 versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when devices are in uncommissioned state (not yet configured for production use).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the security appliance, allowing attackers to reconfigure firewall rules, disable security controls, pivot to protected industrial networks, and potentially cause physical damage to industrial processes.

🟠 Likely Case

Unauthorized access to the appliance configuration, enabling attackers to modify security policies, exfiltrate network configuration data, or establish persistent access to industrial control networks.

🟢 If Mitigated

Limited impact if devices are properly commissioned and default credentials are changed during initial setup, though uncommissioned devices remain vulnerable.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only an SSH client and knowledge of the default credentials. No special tools or advanced skills are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 03.23 for TCSEFEA23F3F22

Vendor Advisory: https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2022-011-05

Restart Required: Yes

Instructions:

1. Download firmware update from Schneider Electric/Belden support portal.
2. Backup current configuration.
3. Apply firmware update via management interface.
4. Verify successful update and restore configuration if needed.

🔧 Temporary Workarounds

Commission all devices immediately

Properly commission all Tofino devices so that none remains in the vulnerable uncommissioned state.

Change default SSH credentials

Change the SSH credentials immediately after device installation.

🧯 If You Can't Patch

  • Ensure all devices are properly commissioned and default credentials are changed
  • Restrict network access to management interfaces using network segmentation and firewall rules

🔍 How to Verify

Check if Vulnerable:

Check the device's commissioning status in the management interface and, if it is safe to test in an isolated environment, attempt an SSH login with the default credentials.

Check Version:

Check the version via the device management interface or over an SSH connection (after authentication).

Verify Fix Applied:

Verify that the firmware version is 03.23 or later for TCSEFEA23F3F22, and confirm that SSH login with the default credentials fails.

📡 Detection & Monitoring

Log Indicators:

  • Failed SSH login attempts followed by successful login
  • SSH connections from unexpected sources
  • Configuration changes from unknown users

Network Indicators:

  • SSH traffic to Tofino appliance management interfaces from unauthorized sources
  • Unusual configuration changes or traffic patterns

SIEM Query:

source="tofino*" AND (event="ssh_login" OR event="authentication") AND result="success" AND user="default*"
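
The first two log indicators above (a successful login after failures, and SSH from an unexpected source) can be checked offline against exported appliance logs. The following is an added example, not vendor or advisory code. It assumes generic OpenSSH-style syslog lines, hypothetical hostnames, and a hypothetical management allowlist; adjust the pattern to the format your appliances actually emit.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: engineering workstations allowed to manage the appliances.
MGMT_ALLOWLIST = [ip_network("10.10.50.0/28")]

# Constructed sample lines in generic OpenSSH syslog style (assumed format).
SAMPLE_LOG = """\
Jan 11 02:14:01 tofino-fw01 sshd[311]: Failed password for admin from 192.0.2.44 port 50122 ssh2
Jan 11 02:14:03 tofino-fw01 sshd[311]: Failed password for root from 192.0.2.44 port 50122 ssh2
Jan 11 02:14:09 tofino-fw01 sshd[314]: Accepted password for admin from 192.0.2.44 port 50130 ssh2
Jan 11 08:30:12 tofino-fw02 sshd[402]: Accepted password for engineer from 10.10.50.5 port 41822 ssh2
Jan 11 09:02:47 tofino-fw02 sshd[420]: Failed password for engineer from 10.10.50.6 port 41900 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def is_allowed(src):
    return any(ip_address(src) in net for net in MGMT_ALLOWLIST)

def detect(log_text):
    """Return alerts for successful SSH logins matching the page's log indicators."""
    failures = defaultdict(int)  # (host, src) -> failed attempts seen so far
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that are not sshd password results
        key = (m["host"], m["src"])
        if m["result"] == "Failed":
            failures[key] += 1
            continue
        reasons = []
        if not is_allowed(m["src"]):
            reasons.append("unexpected_source")
        if failures[key]:
            reasons.append(f"success_after_{failures[key]}_failures")
        if reasons:
            alerts.append({"host": m["host"], "src": m["src"], "user": m["user"], "reasons": reasons})
        failures[key] = 0  # reset the counter after a successful login
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A successful login from an allowlisted workstation with no preceding failures produces no alert, so routine maintenance does not add noise.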
