Date
09/09/2025
Impact
Medium
CVE IDs
CVE-2021-45106

Hardcoded Credentials in Siemens Toolbox II

Siemens Toolbox II, used to configure and maintain Siemens industrial communication processors and automation devices (e.g., PLCs), is affected by a hardcoded credentials vulnerability. Embedded credentials cannot be changed, allowing an attacker with access to the engineering environment to gain unauthorized access, modify configurations, and compromise connected systems. We are publishing a detailed technical description because only a CVE was available in 2022, to provide clarity and ensure operators understand the risks.

Vendor description

“Our purpose: We create technology to transform the everyday, for everyone. By combining the real and the digital worlds, we can help accelerate both digitalization and sustainability – so our customers around the world can become more competitive, resilient and sustainable.”

Source: https://www.siemens.com/global/en/company/about.html

Vulnerable versions

Siemens Toolbox II version <=7.10

Vulnerability overview

1) Hardcoded Credentials (CVE-2021-45106)

Toolbox II uses a local Oracle database to store settings. Changes to the database tables can only be made by authorized database users. The Toolbox II application stores the passwords of the users it employs in the program’s binary files. This allows attackers to read them. The database login details are not generated during installation, but are preconfigured. This means that the passwords are the same for all Toolbox II versions.

The vulnerability was published in 2022 as Siemens Security Advisory 669737, available at https://cert-portal.siemens.com/productcert/html/ssa-669737.html. The vulnerability was identified back in 2022 by Thomas Riedmaier (Siemens Energy), Matan Dobrushin and Eran Jacob (OTORIO [now Armis]).

We are now publishing a detailed technical description of this vulnerability, as previously only a CVE entry was available; after independently rediscovering and analyzing the issue, we aim to provide clarity and ensure operators are fully informed about the technical details and associated risks.

Proof of Concept

1) Hardcoded Credentials (CVE-2021-45106)

To obtain the password, the Toolbox II application calls the TbiiGetDbInfo() function from the TbiiDbInfo.dll library. It decodes the password and returns it to the calling function.

A total of 4 passwords were found that are returned by the function (redacted):
* ‘Sik<redacted>’ for an unknown user.
* ‘Kam<redacted>’ for an unknown user.
* ‘Hug<redacted>’ for the user ‘sattbii’.
* ‘Rob<redacted>’ for the user ‘tbii_admin’.

Using sqlplus, it is possible to connect as ‘tbii_admin’ and use an SQL query to obtain the usernames and passwords of all Toolbox II users.

Solution

See: https://cert-portal.siemens.com/productcert/html/ssa-669737.html

Workaround

As a workaround for this issue, do not allow low-privileged users to log into the Windows machine.
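Because the fixed accounts cannot be changed, operators may also want to review who logs on with them. The following is an added example, not part of the original advisory and not Siemens or CyberDanube code: it flags logons to ‘tbii_admin’ and ‘sattbii’ that come from an unexpected client program or OS user. It assumes logon records have been exported as CSV with the column names of Oracle's UNIFIED_AUDIT_TRAIL view; the client executable name, the OS user and all sample rows are constructed placeholders.

```python
import csv
import io
from pathlib import PureWindowsPath

# Fixed database accounts named in the advisory (Oracle reports names in upper case).
FIXED_ACCOUNTS = {"TBII_ADMIN", "SATTBII"}
# ASSUMPTION: placeholder values; replace with the client executables and OS
# accounts that legitimately run Toolbox II on your engineering station.
EXPECTED_CLIENTS = {"toolbox_client_placeholder.exe"}
ENGINEERING_USERS = {r"eng01\engineer"}

# Constructed sample export. Column names follow Oracle's UNIFIED_AUDIT_TRAIL
# view (ASSUMPTION: unified auditing with LOGON auditing is available).
SAMPLE_EXPORT = r"""EVENT_TIMESTAMP,DBUSERNAME,OS_USERNAME,CLIENT_PROGRAM_NAME,ACTION_NAME,RETURN_CODE
2025-01-01T08:02:11,TBII_ADMIN,ENG01\engineer,C:\placeholder\toolbox_client_placeholder.exe,LOGON,0
2025-01-01T21:40:03,TBII_ADMIN,ENG01\operator,sqlplus.exe,LOGON,0
2025-01-01T21:44:57,SATTBII,ENG01\engineer,C:\placeholder\sqlplus.exe,LOGON,1017
2025-01-01T22:00:00,SYSTEM,ENG01\dba,sqlplus.exe,LOGON,0
2025-01-01T22:05:00,TBII_ADMIN,ENG01\engineer,C:\placeholder\toolbox_client_placeholder.exe,SELECT,0
"""


def suspicious_logons(export_text):
    """Return logons to the fixed accounts that do not look like Toolbox II."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        account = row["DBUSERNAME"].upper()
        if row["ACTION_NAME"] != "LOGON" or account not in FIXED_ACCOUNTS:
            continue
        # Compare on the executable name only, ignoring the install path.
        program = PureWindowsPath(row["CLIENT_PROGRAM_NAME"]).name.lower()
        reasons = []
        if program not in EXPECTED_CLIENTS:
            reasons.append("unexpected client " + program)
        if row["OS_USERNAME"].lower() not in ENGINEERING_USERS:
            reasons.append("unexpected OS user " + row["OS_USERNAME"])
        if row["RETURN_CODE"] != "0":
            reasons.append("failed logon, return code " + row["RETURN_CODE"])
        if reasons:
            findings.append((row["EVENT_TIMESTAMP"], account, reasons))
    return findings


if __name__ == "__main__":
    for when, account, reasons in suspicious_logons(SAMPLE_EXPORT):
        print(when, account, "; ".join(reasons))
```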

Recommendation

CyberDanube recommends using SICAM Device Manager instead of Toolbox II. This is in line with the official Siemens recommendation. See ‘Product Lifecycle (PLM)’ in: https://mall.industry.siemens.com/mall/en/oeii/Catalog/Product/6MF70712US70


Contact Timeline

  • 2025-12-12: Contacting Siemens PSIRT. Siemens ProductCERT confirms issues.
  • 2026-01-13: Siemens ProductCERT informs us about Siemens Security Advisory 669737.
  • 2026-01-16: Siemens ProductCERT asks for clarification.
  • 2026-01-21: Clarification is provided.
  • 2026-01-26: Siemens ProductCERT is provided with draft of the advisory.
  • 2026-01-28: Siemens ProductCERT asks for modifications regarding vulnerability description.
  • 2026-02-23: Coordinated release of security advisory.

Author(s)

David Blagojevic

David Blagojevic is a Security Researcher at CyberDanube. He is currently engaged in offensive security engagements, doing pentests & research activities within the fields of firmware emulation & analysis, where he is contributing to the development and advancement of the MEDUSA Firmware Emulation Framework. He is currently a part-time master's student of computer science at TU Wien (Vienna University of Technology).

Thomas Weber

Thomas Weber is co-founder and security researcher at CyberDanube in the field of embedded systems, (I)IoT and OT. He has uncovered numerous zero-day vulnerabilities and has published a large number of security advisories in the past. As part of his scientific work, he developed an emulation system for firmware – today the SaaS tool MEDUSA has emerged out of this. In the past he spoke at cyber security conferences such as HITB, BlackHat, IT-SECX, HEK.SI and OHM (international). Nowadays, he brings his competence and experience into security products.