CVE-2021-4477

Hirschmann · HiLCOS OpenBAT and BAT450

A firewall bypass in Hirschmann HiLCOS OpenBAT and BAT450 products allows IPv6 IPsec VPN traffic to circumvent configured security rules.

Executive summary

Hirschmann HiLCOS OpenBAT and BAT450 wireless devices are vulnerable to a critical firewall bypass: when the device terminates an IPv6 IPsec VPN, traffic arriving through the tunnel is not subjected to the configured firewall rules, so the security policy is not enforced on that traffic.

Vulnerability

When an IPv6 IPsec VPN (IKEv1 or IKEv2) is terminated on a device whose Internet connection is also IPv6, the device does not apply its configured firewall rules to traffic arriving through the tunnel. Packets from the VPN therefore reach the networks behind the device without policy enforcement. The traffic that escapes filtering is traffic from the device's IPsec peers (a remote site, a roaming client, or a peer that has been compromised), not arbitrary Internet traffic; the control that fails is the one meant to limit what those peers may reach once the tunnel is up. Only the combination of IPv6 IPsec with an IPv6 uplink is described as affected.

Business impact

Because the VPN is usually the path into protected network segments, this flaw lets tunnel traffic reach internal resources that the firewall policy was meant to keep it from, which can lead to unauthorized access to those resources and to data exposure. The CVSS score of 9.1 reflects the failure of a core security control (the firewall) rather than a flaw in a single service.

Remediation

Immediate Action: Apply the HiLCOS firmware update that addresses this issue to all affected OpenBAT and BAT450 devices, then confirm on a test tunnel that a connection the policy forbids is actually dropped; restored enforcement should be verified, not assumed.

Proactive Monitoring: Capture or log flows on the protected segment behind the Hirschmann device (a span port or a flow exporter on the inside interface) and compare them against the firewall policy the device should enforce on VPN traffic; any IPv6 flow from a VPN peer that the policy denies but that still appears inside is either the bypass in action or a policy gap. Do not rely on the device's own firewall logs alone, since rule-hit logging may not record rules that were never applied.

Compensating Controls: If patching must be delayed, remove the triggering condition where possible by disabling IPv6 IPsec (or the IPv6 uplink) when it is not required, or place a secondary firewall with a default-deny policy that mirrors the intended rules between the Hirschmann device and the protected segment.
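The audit described under Proactive Monitoring, as an added example that is not part of the advisory and not Hirschmann code: flow records captured behind the device are replayed against an allow-list representing the firewall policy the device should have enforced on VPN traffic, and every flow with no matching allow rule (default deny) is reported. The log format, the prefixes 2001:db8:10::/48 and 2001:db8:1::/64, and the policy itself are constructed for the example; parse_flow() is the only part that needs adapting to a real flow exporter.

```python
"""
Added example: audit IPv6 flows seen inside the protected segment against the
allow-list the HiLCOS firewall was supposed to enforce on VPN traffic.
Flows that reach the inside without a matching rule are evidence of the
bypass (or of a policy gap). Not Hirschmann code; all addresses, the policy
and the log format below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmpv6", ...
    dport: Optional[int]  # None for protocols without ports


@dataclass(frozen=True)
class AllowRule:
    """One permitted (source prefix, destination prefix, proto, dport) tuple."""
    src: IPv6Network
    dst: IPv6Network
    proto: str
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and ip_address(f.dst) in self.dst
                and self.proto == f.proto
                and (self.dport is None or self.dport == f.dport))


# Hypothetical policy: VPN peers in 2001:db8:10::/48 may reach only HTTPS on
# the web front-end and DNS on the resolver inside 2001:db8:1::/64, plus
# ICMPv6 (needed for path MTU discovery). Everything else must be dropped.
POLICY: List[AllowRule] = [
    AllowRule(ip_network("2001:db8:10::/48"), ip_network("2001:db8:1::10/128"), "tcp", 443),
    AllowRule(ip_network("2001:db8:10::/48"), ip_network("2001:db8:1::53/128"), "udp", 53),
    AllowRule(ip_network("2001:db8:10::/48"), ip_network("2001:db8:1::/64"), "icmpv6"),
]

# Constructed flow records captured on the inside interface.
# Format (made up for this example): "<ts> <src> <dst> <proto> <dport|->"
SAMPLE_FLOWS = """
2024-01-01T10:00:01Z 2001:db8:10::5 2001:db8:1::10 tcp 443
2024-01-01T10:00:02Z 2001:db8:10::5 2001:db8:1::53 udp 53
2024-01-01T10:00:03Z 2001:db8:10::5 2001:db8:1::10 tcp 22
2024-01-01T10:00:04Z 2001:db8:10::7 2001:db8:1::20 tcp 445
2024-01-01T10:00:05Z 2001:db8:10::5 2001:db8:1::10 icmpv6 -
""".strip().splitlines()


def parse_flow(line: str) -> Flow:
    """Parse one constructed-format record; adapt this for a real exporter."""
    ts, src, dst, proto, dport = line.split()
    return Flow(ts, src, dst, proto.lower(), None if dport == "-" else int(dport))


def is_allowed(f: Flow, policy: Iterable[AllowRule]) -> bool:
    """Default deny: a flow is allowed only if some rule explicitly matches."""
    return any(r.matches(f) for r in policy)


def find_violations(lines: Iterable[str], policy: Iterable[AllowRule]) -> List[Flow]:
    """Flows observed inside the protected segment that no allow rule covers."""
    rules = list(policy)
    flows = (parse_flow(line) for line in lines if line.strip())
    return [f for f in flows if not is_allowed(f, rules)]


if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS, POLICY):
        port = "-" if v.dport is None else v.dport
        print(f"BYPASS? {v.ts} {v.src} -> {v.dst} {v.proto}/{port} reached inside but policy denies it")
```

On the constructed sample the SSH (tcp/22) and SMB (tcp/445) flows are reported; the HTTPS, DNS and ICMPv6 flows match the policy and are not. A real audit should take the allow-list from the device's actual rule set so that the script tests enforcement of the policy as deployed, not a policy as remembered.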

Exploitation status

Public Exploit Available: false

Analyst recommendation

A firewall that can be bypassed is a significant security failure. Organizations relying on HiLCOS devices for site-to-site or remote access over IPv6 IPsec should update their firmware immediately and verify afterwards that VPN traffic is again subject to the configured policy.