All Bachmann M1 System Processor Modules
MonitorCVSS 7.2ICS-CERT ICSA-21-026-02Jan 26, 2021
Attack path
Attack VectorNetwork
Auth RequiredHigh
ComplexityLow
User InteractionNone needed
Summary
Bachmann M1 System Processor Modules (MX207, MX213, MX220, MC206, MC212, MC220, MH230) with MSYS v1.06.14 and later contain a vulnerability that allows an unauthenticated remote attacker to gain access to password hashes of the controller if Security Level 4 is not enabled. If Security Level 4 is properly configured, an authenticated remote attacker could still extract user credentials. The vulnerability affects the default security configuration and authentication mechanisms of these industrial controllers.
What this means
What could happen
An attacker with network access could steal password hashes or user credentials from your M1 controllers, potentially gaining access to modify process settings, setpoints, or stop production. This is especially critical if controllers are configured with the default insecure settings instead of Security Level 4.
Who's at risk
Water utilities and municipal electric operators using Bachmann M1 hardware controllers (MX207, MX213, MX220, MC206, MC212, MC220, MH230) for process control, supervisory functions, or automation should assess their deployment. This is especially critical for sites where these controllers manage pumping, distribution, generation, or safety-critical processes and are accessible from maintenance networks or remote management systems.
How it could be exploited
An unauthenticated attacker on the network sends requests to the M1 controller to extract password hashes stored on the device. If the controller is running with Security Level 4 enabled, the attacker would first need valid credentials to authenticate, then could extract additional user credentials. The attacker could then use these credentials to gain control of the controller and modify industrial process operations.
Prerequisites
- Network access to the M1 controller (for unauthenticated hash extraction)
- M1 controller running MSYS v1.06.14 or later without Security Level 4 enabled (for unauthenticated exploitation)
- Valid controller credentials (required if Security Level 4 is properly configured)
Remotely exploitable over the networkNo authentication required for unauthenticated exploitation (hash extraction)Low complexity attackDefault credentials and insecure settings enable exploitationNo patch available for some deploymentsAffects legacy systems (no fix for MSYS v1.06.14 and later)
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
ProductAffected VersionsFix Status
M1 Hardware Controllers MX207 MX213 MX220 MC206 MC212 MC220 MH230: Operating Systems and Middleware≥ MSYS v1.06.14No fix yet
Remediation & Mitigation
0/7
Do now
0/4HARDENINGEnable Security Level 4 on all M1 controllers to enforce TLS-protected communication and disable insecure services (Telnet, FTP, Console access)
HARDENINGChange the default username and password in the Bachmann login handler for all field-deployed controllers
HARDENINGRestrict network access to M1 controllers—only allow traffic from authorized engineering workstations, HMI systems, and management networks; block direct Internet access
WORKAROUNDDisable all insecure protocols (Telnet, FTP) on M1 controllers and use only TLS-encrypted management channels
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpdate to Bachmann Version 4.49-P1 (item number 00036634-90) or Version 3.95R-P8 via your OEM, reseller, or Bachmann technical support
Long-term hardening
0/2HARDENINGConfigure M1 controllers to use an external authentication handler (LDAP, Radius, or Active Directory) instead of the default Bachmann authentication
HARDENINGRestrict physical access to M1 controllers to authorized maintenance personnel only
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/4f4d4b4a-e0dd-484f-ac50-35ec8009d556Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.