CVE-2021-40366

7.4 HIGH

📋 TL;DR

This vulnerability affects Climatix POL909 building automation controllers. It allows unauthenticated attackers to intercept unencrypted web traffic, potentially stealing administrator credentials or manipulating data. All devices running affected software versions are vulnerable.

💻 Affected Systems

Products:
  • Climatix POL909 (AWB module)
  • Climatix POL909 (AWM module)
Versions: AWB: All versions < V11.42, AWM: All versions < V11.34
Operating Systems: Embedded controller OS
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices transmit web traffic without TLS by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers gain administrator access, modify building control parameters, disrupt HVAC operations, or cause physical damage to equipment.

🟠 Likely Case: Credential theft leading to unauthorized access to building management systems and potential manipulation of environmental controls.

🟢 If Mitigated: Limited data exposure if network segmentation prevents man-in-the-middle positioning, but the encryption gap remains.

🌐 Internet-Facing: HIGH - Direct internet exposure makes interception trivial for attackers.
🏢 Internal Only: MEDIUM - Requires attacker to be on same network segment, but building networks often have weak segmentation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No special tools needed - standard network sniffing tools can intercept unencrypted HTTP traffic.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: AWB: V11.42 or later, AWM: V11.34 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-703715.pdf

Restart Required: Yes

Instructions:

1. Download the firmware update from the Siemens portal.
2. Back up the configuration.
3. Apply the firmware update via the maintenance interface.
4. Reboot the device.
5. Verify TLS is enabled in the web interface.

🔧 Temporary Workarounds

Network Segmentation

Isolate Climatix controllers on a separate VLAN with strict access controls.

Reverse Proxy with TLS

Place a TLS-terminating reverse proxy in front of the vulnerable devices.

🧯 If You Can't Patch

  • Segment network to prevent man-in-the-middle positioning
  • Implement strict firewall rules limiting access to controller web interfaces

🔍 How to Verify

Check if Vulnerable:

Check the web interface URL: if the controller serves it over HTTP rather than HTTPS, the device is vulnerable.

Check Version:

Check version in web interface under System Information or Maintenance menu.

Verify Fix Applied:

Verify web interface uses HTTPS and TLS certificate is valid.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from unusual IPs
  • Configuration changes from unexpected sources

Network Indicators:

  • Unencrypted HTTP traffic to controller ports
  • ARP spoofing or unusual network redirection

SIEM Query:

destination_ip IN (controller_ips) AND protocol = HTTP

The original query excluded port 80, which is where the plaintext traffic of interest actually appears; matching on protocol = HTTP alone catches HTTP on any port, while HTTPS sessions are already excluded because they are not identified as HTTP.
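The network indicator above, implemented as a small offline detector over constructed Zeek-style conn records. This is an added example, not part of the original advisory; the controller addresses, the log layout and the sample records are all assumptions made here.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory (assumption): addresses of the Climatix POL909 controllers.
CONTROLLER_IPS = frozenset(ipaddress.ip_address(a) for a in ("10.20.30.10", "10.20.30.11"))

# Constructed sample records in a Zeek conn.log-like tab-separated layout (assumption):
# ts  src_ip  src_port  dst_ip  dst_port  proto  service
SAMPLE_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1700000000.1\t10.20.1.5\t51000\t10.20.30.10\t80\ttcp\thttp
1700000001.2\t10.20.1.5\t51001\t10.20.30.10\t443\ttcp\tssl
1700000002.3\t10.20.1.9\t51002\t10.20.30.11\t8080\ttcp\thttp
1700000003.4\t10.20.1.9\t51003\t10.20.40.7\t80\ttcp\thttp
1700000004.5\t10.20.1.5\t51004\t10.20.30.10\t22\ttcp\tssh
"""

@dataclass(frozen=True)
class Finding:
    ts: float
    client: str
    controller: str
    port: int

def find_plaintext_http(log_text: str, controller_ips=CONTROLLER_IPS) -> list[Finding]:
    """Return one Finding per plaintext-HTTP session whose responder is a controller.
    Keys on the identified service, not the port: HTTP on a non-standard port is
    caught, HTTPS on 443 (service 'ssl') is not."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and Zeek header lines
        fields = line.split("\t")
        if len(fields) < 7:
            continue  # malformed record: ignore rather than abort the sweep
        ts, src, _sport, dst, dport, _proto, service = fields[:7]
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparsable address: not a usable record
        if dst_ip in controller_ips and service == "http":
            findings.append(Finding(float(ts), src, dst, int(dport)))
    return findings

if __name__ == "__main__":
    for f in find_plaintext_http(SAMPLE_LOG):
        print(f"{f.ts}: plaintext HTTP from {f.client} to controller {f.controller}:{f.port}")
```

Against the sample records this reports the port 80 and port 8080 sessions to the controllers and ignores the HTTPS, SSH and non-controller traffic.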

🔗 References
