CVE-2021-42833

9.3 CRITICAL

📋 TL;DR

AquaView versions 1.60, 7.x, and 8.x contain hardcoded credentials that allow authenticated local attackers to manipulate users and system settings. This vulnerability affects water management systems using these specific software versions. Attackers with local access can exploit these credentials to gain unauthorized control.

💻 Affected Systems

Products:
  • AquaView
Versions: 1.60, 7.x, 8.x
Operating Systems: Not specified, likely Windows-based SCADA systems
Default Config Vulnerable: ⚠️ Yes
Notes: Affects water management/SCADA systems. Requires local authenticated access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to modify critical water management settings, create backdoor accounts, disrupt operations, or cause physical damage to infrastructure.

🟠 Likely Case

Unauthorized access leading to configuration changes, user account manipulation, and potential data exfiltration from affected systems.

🟢 If Mitigated

Limited impact with proper network segmentation, access controls, and monitoring preventing credential use even if discovered.

🌐 Internet-Facing: MEDIUM - While primarily an internal threat, internet-facing interfaces could allow exploitation if combined with other vulnerabilities.
🏢 Internal Only: HIGH - Local authenticated attackers can directly exploit hardcoded credentials without needing additional vulnerabilities.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated local access but is straightforward once credentials are discovered. No public exploit code available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 5.0 and later

Vendor Advisory: https://www.xylem.com/siteassets/about-xylem/cybersecurity/advisories/xpsa-aquaview-v5.0.pdf

Restart Required: Yes

Instructions:

1. Download AquaView version 5.0 or later from Xylem.
2. Back up the current configuration.
3. Install the updated version following vendor instructions.
4. Restart the system.
5. Verify the update was successful.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate AquaView systems from general network access to limit the attack surface.

Access Control Hardening (applies to: all)

Implement strict access controls and monitoring for local system access.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate AquaView systems from untrusted networks
  • Enhance monitoring and logging for authentication attempts and configuration changes

🔍 How to Verify

Check if Vulnerable:

Check AquaView version in system settings or about dialog. Versions 1.60, 7.x, or 8.x are vulnerable.

Check Version:

Check AquaView application menu → Help → About or system configuration interface

Verify Fix Applied:

Verify AquaView version is 5.0 or later. Check vendor documentation for specific fix verification steps.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts
  • Configuration changes from unexpected users
  • Multiple failed login attempts followed by success

Network Indicators:

  • Unexpected connections to AquaView systems
  • Traffic patterns indicating configuration changes

SIEM Query:

source="aquaview" AND (event_type="authentication" OR event_type="configuration_change")
