CVE-2021-34601
📋 TL;DR
Bender/ebee Charge Controllers have hardcoded SSH credentials that allow administrative access to the web-UI. This affects CC612 controllers version 5.20.1 and below, enabling attackers to gain full control of the device.
💻 Affected Systems
- Bender CC612 Charge Controller
- ebee Charge Controllers
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of charge controller allowing attackers to manipulate charging operations, steal sensitive data, or use as pivot point into connected networks.
Likely Case
Unauthorized administrative access leading to configuration changes, data exfiltration, or disruption of charging services.
If Mitigated
Limited impact if devices are isolated from untrusted networks and access controls are properly implemented.
🎯 Exploit Status
Exploitation requires only knowledge of the hardcoded credentials and network access to the device.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 5.20.2 or later
Vendor Advisory: https://cert.vde.com/en/advisories/VDE-2021-047
Restart Required: Yes
Instructions:
1. Download firmware update from Bender vendor portal. 2. Upload firmware to charge controller via web interface. 3. Apply update and restart device. 4. Verify new firmware version is installed.
🔧 Temporary Workarounds
Network Segmentation
allIsolate charge controllers from untrusted networks using firewalls or VLANs
SSH Access Restriction
linuxConfigure firewall rules to restrict SSH access to authorized IP addresses only
iptables -A INPUT -p tcp --dport 22 -s [TRUSTED_IP] -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate controllers from untrusted networks
- Monitor SSH authentication attempts and implement intrusion detection for credential use
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface or SSH using hardcoded credentials if accessibleCheck Version:
ssh admin@[controller_ip] 'cat /etc/version' (if SSH accessible)Verify Fix Applied:
Verify firmware version is 5.20.2 or later and test that hardcoded credentials no longer work📡 Detection & Monitoring
Log Indicators:
- SSH authentication attempts using default credentials
- Unexpected configuration changes in web-UI logs
Network Indicators:
- SSH connections to charge controllers from unexpected sources
- Unusual outbound traffic from controllers
SIEM Query:
source="controller_logs" AND (event="ssh_auth" AND user="admin") OR (event="config_change" AND user!="authorized_user")