OTPulse
FeedAboutContact

TURCK BL20 and BL67 Programmable Gateway Hard-Coded User Accounts

Low RiskICS-CERT ICSA-13-136-01Feb 17, 2013
Summary

TURCK BL20 and BL67 Programmable Gateways contain hard-coded user accounts in all firmware versions. These accounts cannot be changed or disabled. An attacker who gains network access to the administrative interface can log in without valid credentials and potentially reconfigure the gateway to intercept, redirect, or modify data passing through it. This affects all versions of both product lines, and no vendor patch is available.

What this means
What could happen
An attacker with network access to a BL20 or BL67 gateway could log in using hard-coded credentials, potentially reconfiguring the device to alter data flow, block communications between field devices and control systems, or inject malicious commands into automation processes.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using TURCK BL20 or BL67 programmable gateways for industrial automation, SCADA systems, or field device communication should be concerned. These gateways are commonly deployed to translate protocols and relay data between legacy field instruments and modern control systems.
How it could be exploited
An attacker discovers that the BL20 or BL67 gateway contains hard-coded user accounts. They connect to the device's administrative interface (typically over TCP on the local network or exposed to a wider network) and authenticate using the hard-coded credentials. Once logged in, they can reconfigure the gateway's communication parameters, routing rules, or data transformations.
Prerequisites
  • Network access to the BL20 or BL67 administrative interface (TCP port, exact port varies by configuration)
  • No additional credentials needed beyond the hard-coded accounts built into the firmware
No patch availableHard-coded credentials eliminate authentication as a barrierRemotely exploitable if the gateway is network-reachable
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (2)
2 EOL
ProductAffected VersionsFix Status
BL20 Programmable Gateway: vers:all/*All versionsNo fix (EOL)
BL67 Programmable Gateway: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGRestrict network access to the BL20 and BL67 gateways using firewall rules or network segmentation. Only allow administrative access from trusted engineering workstations on isolated networks.
HARDENINGDisable or restrict remote administrative access to the gateways if not required for daily operations. Configure local-access-only management whenever possible.
Mitigations - no patch available
0/2
The following products have reached End of Life with no planned fix: BL20 Programmable Gateway: vers:all/*, BL67 Programmable Gateway: vers:all/*. Apply the following compensating controls:
HARDENINGMonitor network traffic to and from BL20 and BL67 devices for unauthorized login attempts or suspicious configuration changes.
HARDENINGDocument the hard-coded credentials and implement access controls to ensure only authorized personnel can manage these devices.
View full CISA ICS-CERT advisory
โ†‘โ†“ Navigate ยท Esc Close
API: /api/v1/advisories/a0d3ec20-6d78-4251-8a8e-cc8c67c0d44d