Hirschmann HiLCOS devices OpenBAT, WLC, BAT300, BAT54 prior to 8.80 and OpenBAT prior to 9.10 are shipped with identical default SSH and SSL keys that cannot be changed, allowing unauthenticated remote attackers to decrypt or intercept encrypted management communications. Attackers can perform man-in-the-middle attacks, impersonate devices, and expose sensitive information by leveraging the shared default cryptographic keys across multiple devices.
Security readout for executives and security teams
Plain-English summary
Certain Hirschmann HiLCOS devices reportedly shipped with the same built-in SSH and SSL keys. Because those keys cannot be changed, encrypted management traffic may be decrypted or impersonated by a remote unauthenticated attacker if they can position themselves in the communication path.
Executive priority
Treat this as high priority for industrial and network operations environments. The main business risk is loss of confidentiality and trust in encrypted device management, especially where these devices support critical connectivity or remote administration.
Technical view
The issue is CWE-321: hard-coded cryptographic keys. The bundle says OpenBAT, WLC, BAT300, and BAT54 before 8.80, plus OpenBAT before 9.10, use shared default SSH/SSL keys, enabling management-channel interception, device impersonation, and sensitive information exposure.
Likely exposure
Exposure is most likely in organizations operating Hirschmann HiLCOS-based wireless or industrial network equipment with SSH or SSL management enabled. Risk is highest where management interfaces or paths to them are reachable from untrusted networks or shared operational environments.
Exploitation context
The bundle marks KEV as false and provides no cited evidence of active exploitation. The described attack is network-based, unauthenticated, and depends on abusing shared device keys to intercept or impersonate encrypted management communications.
Researcher notes
Evidence is sufficient for the core weakness, but affected-version metadata is inconsistent: the prose says versions prior to 8.80 or 9.10, while the structured affected entry lists >= 9.10. Verify exact applicability against Belden guidance before final scoping.
Mitigation direction
Identify Hirschmann HiLCOS OpenBAT, WLC, BAT300, and BAT54 assets.
Check vendor advisory for corrected versions and supported upgrade paths.
Upgrade affected firmware where vendor guidance provides a fixed release.
Restrict management access to trusted administrative networks only.
Monitor for unexpected SSH or SSL certificate/key reuse across devices.
Disable unnecessary remote management services where operationally feasible.
Validation and detection
Inventory HiLCOS firmware versions and device models.
Compare versions against the vendor advisory, not only secondary metadata.
Confirm management interfaces are not internet-exposed.
Review network paths where interception could occur.
Check whether SSH/SSL management is enabled on affected devices.
Document compensating controls for devices awaiting upgrade.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-321: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-321 · source CWE mapping
Use of Hard-coded Cryptographic Key
Use of Hard-coded Cryptographic Key represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.