CVE-2021-4477

Critical · Public PoC

Published: 03 April 2026
Modified: 07 April 2026
CVSS Score v4: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0032 (23.5th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2021-4477 is a critical-severity Improper Access Control (CWE-284) vulnerability affecting a Belden product (vendor inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique External Remote Services (T1133). The CVE is ranked at the 23.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2021-4477 is a firewall bypass vulnerability affecting Hirschmann HiLCOS OpenBAT and BAT450 products in IPv6 IPsec deployments. It allows traffic from VPN connections to bypass configured firewall rules, stemming from improper access control as classified under CWE-284. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.

Remote attackers with network access can exploit this vulnerability without privileges or user interaction by establishing IPv6 IPsec connections using IKEv1 or IKEv2 protocols, while simultaneously leveraging an IPv6 Internet connection. This circumvents firewall policy enforcement, enabling unauthorized access to protected resources and potentially allowing data exfiltration or manipulation.

Mitigation details are outlined in the Belden Security Bulletin at https://assets.belden.com/m/5fd1a50fa50cb252/original/Belden-Security-Bulletin-BSECV-1v0-2019-09.pdf and the Vulncheck advisory at https://www.vulncheck.com/advisories/hirschmann-hilcos-openbat-bat450-ipv6-ipsec-firewall-bypass. Security practitioners should consult these references for patch availability, configuration changes, or workarounds specific to the affected products.

Vulnerability details

Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers can exploit this vulnerability by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while simultaneously using an IPv6 Internet connection to circumvent firewall policy enforcement.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1133 External Remote Services (Persistence)
Adversaries may leverage external-facing remote services to initially access and/or persist within a network.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A firewall bypass in a public-facing IPv6 IPsec VPN device directly enables access via external remote services (T1133) and exploitation of network-exposed applications (T1190) without authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-7198 (shared CWE-284)
CVE-2026-46818 (shared CWE-284)
CVE-2025-70363 (shared CWE-284)
CVE-2026-34310 (shared CWE-284)
CVE-2026-46839 (shared CWE-284)
CVE-2026-34287 (shared CWE-284)
CVE-2026-44277 (shared CWE-284)
CVE-2025-66509 (shared CWE-284)
CVE-2025-50900 (shared CWE-284)
CVE-2025-7016 (shared CWE-284)

Affected Assets

Belden (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

SC-7 Boundary Protection (prevent)
Monitors and controls communications at system boundaries, directly mitigating firewall bypass by ensuring IPv6 IPsec VPN traffic is subjected to configured rules.

AC-4 Information Flow Enforcement (prevent)
Enforces approved authorizations for information flows within systems, preventing VPN traffic from circumventing firewall policy enforcement.

AC-17 Remote Access (partial match; prevent)
Authorizes, monitors, and controls remote access methods such as IPv6 IPsec VPN connections to ensure compliance with access control policies.
