Cyber Posture

CVE-2021-4477

Severity: Critical · Public PoC referenced

Published: 03 April 2026
Modified: 07 April 2026
KEV Added: not listed
Patch: (no entry on this page)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0000 (0.1th percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-4477 is a critical-severity Improper Access Control (CWE-284) vulnerability in Belden products (vendor inferred from the references). Its CVSS base score is 9.1 (Critical).

Operationally, it is ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

SC-7 Boundary Protection
prevent

Monitors and controls communications at system boundaries, directly mitigating the firewall bypass by ensuring IPv6 IPsec VPN traffic is subjected to the configured rules.

AC-4 Information Flow Enforcement
prevent

Enforces approved authorizations for information flows within systems, preventing VPN traffic from circumventing firewall policy enforcement.

AC-17 Remote Access (partial match)
prevent

Authorizes, monitors, and controls remote access methods such as IPv6 IPsec VPN connections to ensure compliance with access control policies.

NVD Description

Hirschmann HiLCOS OpenBAT and BAT450 products contain a firewall bypass vulnerability in IPv6 IPsec deployments that allows traffic from VPN connections to bypass configured firewall rules. Attackers can exploit this vulnerability by establishing IPv6 IPsec connections (IKEv1 or IKEv2) while simultaneously using an IPv6 Internet connection to circumvent firewall policy enforcement.

Deeper analysis (AI-generated)

CVE-2021-4477 is a firewall bypass vulnerability affecting Hirschmann HiLCOS OpenBAT and BAT450 products in IPv6 IPsec deployments. It allows traffic from VPN connections to bypass configured firewall rules, stemming from improper access control as classified under CWE-284. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.

Remote attackers with network access can exploit this vulnerability without privileges or user interaction by establishing IPv6 IPsec connections using IKEv1 or IKEv2 protocols, while simultaneously leveraging an IPv6 Internet connection. This circumvents firewall policy enforcement, enabling unauthorized access to protected resources and potentially allowing data exfiltration or manipulation.

Mitigation details are outlined in the Belden Security Bulletin at https://assets.belden.com/m/5fd1a50fa50cb252/original/Belden-Security-Bulletin-BSECV-1v0-2019-09.pdf and the Vulncheck advisory at https://www.vulncheck.com/advisories/hirschmann-hilcos-openbat-bat450-ipv6-ipsec-firewall-bypass. Security practitioners should consult these references for patch availability, configuration changes, or workarounds specific to the affected products.

Details

CWE(s): CWE-284 Improper Access Control

Affected Products: Belden (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-25950 (shared CWE-284)
CVE-2026-5786 (shared CWE-284)
CVE-2026-32768 (shared CWE-284)
CVE-2026-33109 (shared CWE-284)
CVE-2025-24968 (shared CWE-284)
CVE-2025-54914 (shared CWE-284)
CVE-2025-1941 (shared CWE-284)
CVE-2025-1259 (shared CWE-284)
CVE-2025-66956 (shared CWE-284)
CVE-2026-32254 (shared CWE-284)

References

Belden Security Bulletin BSECV-1v0-2019-09: https://assets.belden.com/m/5fd1a50fa50cb252/original/Belden-Security-Bulletin-BSECV-1v0-2019-09.pdf
VulnCheck advisory: https://www.vulncheck.com/advisories/hirschmann-hilcos-openbat-bat450-ipv6-ipsec-firewall-bypass