Full Disclosure: CyberDanube Security Research 20221124-0

From: Thomas Weber < () cyberdanube com>
Date: Thu, 24 Nov 2022 14:02:53 +0100

CyberDanube Security Research 20221124-0
               title| Authenticated Command Injection
             product| Hirschmann (Belden) BAT-C2
  vulnerable version|
       fixed version|
          CVE number| CVE-2022-40282
              impact| High
               found| 2022-08-01
                  by| T. Weber (Office Vienna)
                    | CyberDanube Security Research
                    | Vienna | St. Pölten

Vendor description
"The Technology and Market Leader in Industrial Networking. Hirschmann™
develops innovative solutions, which are geared towards its customers’
requirements in terms of performance, efficiency and investment


Vulnerable versions
Hirschmann BAT-C2 /

Vulnerability overview
1) Authenticated Command Injection
The web server of the device is prone to an authenticated command injection.

It allows an attacker to gain full access to the underlying operating system of
the device with all implications. If such a device is acting as key device in
an industrial network, or controls various critical equipment via serial
more extensive damage in the corresponding network can be done by an

Proof of Concept
1) Authenticated Command Injection
The command "ping" was injected to the system by using the
following POST request:

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101

Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 75

Authorization: Digest username="admin", realm="config",
nonce="4b63bb796252d310", uri="/", algorithm=MD5,
response="dbcf03216bd8fbaa15f4b9d9d0fc1d43", qop=auth, nc=0000000a,

Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
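
A defensive check for the request shape shown above, as an added example that is not part of the original advisory: it decodes `application/x-www-form-urlencoded` POST bodies and flags fields that carry shell metacharacters. The path `/hypothetical/diag`, the field names `host` and `count`, and the sample requests are constructed assumptions; the advisory does not name the affected endpoint or parameter.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Separators and substitutions a POSIX shell acts on (heuristic, may flag benign "&").
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")

def split_request(raw: bytes):
    """Split a raw HTTP request into (request_line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def suspicious_fields(raw: bytes):
    """Return [(field, decoded_value)] for form fields with shell metacharacters."""
    request_line, headers, body = split_request(raw)
    ctype = headers.get("content-type", "").lower()
    if not request_line.startswith("POST "):
        return []
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return []
    hits = []
    for name, value in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
        # Decode once more so double-encoded separators (%253B) are caught too.
        if SHELL_META.search(value) or SHELL_META.search(unquote_plus(value)):
            hits.append((name, value))
    return hits

def build_sample(body: str, method: str = "POST") -> bytes:
    """Constructed request; endpoint and field names are hypothetical."""
    return (f"{method} /hypothetical/diag HTTP/1.1\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("latin-1")

# Constructed samples using documentation address ranges (RFC 5737).
BENIGN = build_sample("host=192.0.2.10&count=4")
INJECTED = build_sample("host=192.0.2.10%3Bping+-c+1+192.0.2.99&count=4")
DOUBLE_ENCODED = build_sample("host=192.0.2.10%253Bping&count=4")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("injected", INJECTED),
                       ("double-encoded", DOUBLE_ENCODED)]:
        print(label, suspicious_fields(req))
```
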



The vulnerability was manually verified on an emulated device by using the
MEDUSA scalable firmware runtime (

Upgrade to firmware version or above.

A security bulletin for this vulnerability has been published by the vendor:



CyberDanube recommends customers from Hirschmann to upgrade the firmware to the
latest version available. Furthermore, a full security review by

is recommended.

Contact Timeline

2022-08-03: Contacting Hirschmann via BEL-SM-PSIRT () belden com; Belden
            suspects a duplicate. Asked contact for more information.
2022-08-18: Belden representative sent more information for clarification.
            Highlighted differences between PoCs.
2022-08-22: Belden contact confirmed the vulnerability to be no duplicate.
2022-08-30: Asked for an update.
2022-08-31: Vendor stated that he will release another security bulletin for
            this vulnerability.
2022-09-27: Asked for an update.
2022-09-28: Vendor is currently testing the new firmware version and has
            been assigned a CVE number. Draft of security bulletin was
            also sent by the security contact.
2022-10-12: Asked for an update.
2022-10-13: Belden contact stated that there is no publication date for now as
            another patch must be integrated.
2022-10-28: Security contact informed us that the patch will be released
            within the next two weeks.
2022-11-22: Asked for a status update; Security contact stated that the
            release was delayed due to internal reasons.
2022-11-23: Vendor sent the final version of the security bulletins. The
            release of the new firmware version will be 2022-11-28.
2022-11-24: Vendor informed CyberDanube that the release of the bulletin and
            the firmware was done on 2022-11-23 by the marketing team.
            Coordinated release of security advisory.

Mail: research at cyberdanube dot com

EOF T. Weber / @2022


Sent through the Full Disclosure mailing list