OTPulse
FeedAboutContact

Advantech BB-ESWGP506-2SFP-T

Act Now9.8ICS-CERT ICSA-21-054-02Feb 23, 2021
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The BB-ESWGP506-2SFP-T industrial Ethernet switch contains a hardcoded credentials vulnerability (CWE-798) that allows unauthenticated remote attackers to gain administrative access and execute arbitrary code. The vulnerability affects all firmware versions up to and including 1.01.09. Advantech has designated this product as end-of-life and will not release patches. The vendor recommends replacement with current models such as the EKI-7708-4FPI. No known public exploits currently exist.

What this means
What could happen
An attacker with network access to the switch could execute arbitrary code or steal sensitive configuration data, potentially disrupting manufacturing operations or exfiltrating process credentials.
Who's at risk
Manufacturing facilities using Advantech BB-ESWGP506-2SFP-T industrial Ethernet switches for plant floor network connectivity. These switches are critical data links in automation systems and may interconnect PLCs, HMIs, and safety devices.
How it could be exploited
An attacker with network connectivity to the switch (default open ports or unprotected management interface) can exploit hardcoded credentials or the underlying vulnerability to gain administrative control and run arbitrary commands on the device.
Prerequisites
  • Network access to the BB-ESWGP506-2SFP-T (typically via Ethernet)
  • Device running firmware version 1.01.09 or earlier
  • Access to unprotected management port (HTTP/HTTPS or Telnet)
remotely exploitableno authentication requiredlow complexityno patch availablehardcoded credentials (CWE-798)
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
ProductAffected VersionsFix Status
BB-ESWGP506-2SFP-T industrial ethernet switches:≤ 1.01.09No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1
WORKAROUNDIsolate the switch from direct Internet access using a firewall; restrict management access (ports 80, 443, 23) to authorized engineering networks only
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXReplace the BB-ESWGP506-2SFP-T with a current-generation Advantech switch such as EKI-7708-4FPI or equivalent supported model
Mitigations - no patch available
0/2
BB-ESWGP506-2SFP-T industrial ethernet switches: has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGSegment the industrial network from the business network to limit lateral movement if the switch is compromised
HARDENINGIf remote access to the switch is required, use a VPN with strong authentication and encrypt all management traffic
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/93341e4c-24a2-470b-b526-a84a71d132ee
Advantech BB-ESWGP506-2SFP-T | CVSS 9.8 - OTPulse