Sixnet BT Series Hard-coded Credentials Vulnerability

Act Now9.8ICS-CERT ICSA-16-147-02Feb 27, 2016

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Sixnet BT-5xxx and BT-6xxx series M2M cellular routers contain hard-coded credentials that cannot be changed or disabled. An unauthenticated attacker on the network can use these credentials to gain full administrative access to the device, allowing modification of network settings, routing configuration, or traffic inspection. No firmware patch is available from Sixnet for this vulnerability; the product line is not being updated.

What this means

What could happen

An attacker with network access to a Sixnet BT Series router could use hard-coded credentials to gain administrative access and modify network configuration, routing rules, or intercept communications from connected PLCs and devices.

Who's at risk

Water and electric utilities using Sixnet BT-5xxx or BT-6xxx cellular routers for remote field site communications, SCADA data aggregation, or RTU connectivity. Any site relying on these devices for reliable M2M communication between substations, pumping stations, or treatment facilities.

How it could be exploited

An attacker probes a Sixnet BT Series router on the network, identifies it by banner or response, and logs in using publicly known hard-coded administrative credentials. Once authenticated, the attacker can reconfigure the device to redirect traffic, intercept data, or inject malicious commands toward connected control systems.

Prerequisites

Network access to the Sixnet BT Series router management interface (port/protocol unknown from advisory)
No valid user credentials required - uses hard-coded credentials built into the device firmware

Remotely exploitableNo authentication required (hard-coded credentials)Low complexity to exploitNo patch available - end-of-life product

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (1)

ProductAffected VersionsFix Status

Sixnet BT-5xxx and BT-6xxx series M2M cellular routers: <3.8.21<3.8.21No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to Sixnet BT Series router management interface using firewall rules - allow only from trusted engineering workstations or control center networks

HARDENINGDisable remote management features on the Sixnet BT Series router if not required for operations

Mitigations - no patch available

0/2

Sixnet BT-5xxx and BT-6xxx series M2M cellular routers: <3.8.21 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate the router on a protected management VLAN separate from production PLC and field device networks

HARDENINGMonitor for unauthorized access attempts to the router management interface and log all configuration changes

CVEs (1)

CVE-2016-4521

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c0ec7823-bb0a-4dc4-a1b4-b8b4caf40272