Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2021-38487

Summary
Assigner-icscert
Assigner Org ID-7d14cffa-0d7d-4270-9dc0-52cabd5a23a6
Published At-05 May, 2022 | 15:18
Updated At-23 Jun, 2025 | 12:13
Rejected At-
Credits

Potential Network Amplification and Information Exposure in RTI Connext Professional and Connext Micro

RTI Connext Professional versions 4.1 to 6.1.0, and Connext Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:icscert
Assigner Org ID:7d14cffa-0d7d-4270-9dc0-52cabd5a23a6
Published At:05 May, 2022 | 15:18
Updated At:23 Jun, 2025 | 12:13
Rejected At:
▼CVE Numbering Authority (CNA)
Potential Network Amplification and Information Exposure in RTI Connext Professional and Connext Micro

RTI Connext Professional versions 4.1 to 6.1.0, and Connext Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.

Affected Products
Vendor
RTI
Product
Connext Professional
Default Status
unaffected
Versions
Affected
  • From 4.1 before 6.1.0 (custom)
Vendor
RTI
Product
Connext Micro
Default Status
unaffected
Versions
Affected
  • From 4.0.0 before 4.0.* (custom)
  • From 3.0.0 before 3.0.* (custom)
  • From 2.4.0 before 2.4.* (custom)
Problem Types
TypeCWE IDDescription
CWECWE-406CWE-406 Insufficient Control of Network Message Volume (Network Amplification)
CWECWE-923CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
Type: CWE
CWE ID: CWE-406
Description: CWE-406 Insufficient Control of Network Message Volume (Network Amplification)
Type: CWE
CWE ID: CWE-923
Description: CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
Metrics
VersionBase scoreBase severityVector
4.08.8HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Version: 4.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-224CAPEC-224: Fingerprinting
CAPEC-490CAPEC-490: Amplification
CAPEC ID: CAPEC-224
Description: CAPEC-224: Fingerprinting
CAPEC ID: CAPEC-490
Description: CAPEC-490: Amplification
Solutions

RTI recommends users apply the available patches for these issues. A patch is available on the RTI customer portal or by contacting RTI Support. Also, contact RTI Support for mitigations, including how to use RTI DDS Secure to mitigate against the network amplification issue.

Configurations
Workarounds
Exploits
Credits
Federico Maggi (Trend Micro Research), Ta-Lun Yen, and Chizuru Toyama (TXOne Networks, Trend Micro) reported these vulnerabilities to CISA. In addition, Patrick Kuo, Mars Cheng (TXOne Networks, Trend Micro), Víctor Mayoral-Vilches (Alias Robotics), and Erik Boasson (ADLINK Technology) also contributed to this research.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.rti.com/vulnerabilities/#cve-2021-38487
N/A
https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
N/A
https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2F
N/A
Hyperlink: https://www.rti.com/vulnerabilities/#cve-2021-38487
Resource: N/A
Hyperlink: https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
Resource: N/A
Hyperlink: https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2F
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
x_refsource_CONFIRM
x_transferred
https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2F
x_refsource_CONFIRM
x_transferred
Hyperlink: https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
Resource:
x_refsource_CONFIRM
x_transferred
Hyperlink: https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2F
Resource:
x_refsource_CONFIRM
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:3f572a00-62e2-4423-959a-7ea25eff1638
Published At:05 May, 2022 | 17:15
Updated At:23 Jun, 2025 | 12:15

RTI Connext Professional versions 4.1 to 6.1.0, and Connext Micro versions 2.4 and later are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.08.8HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Primary3.19.1CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Primary2.06.4MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:P
Type: Secondary
Version: 4.0
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Type: Primary
Version: 3.1
Base score: 9.1
Base severity: CRITICAL
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Type: Primary
Version: 2.0
Base score: 6.4
Base severity: MEDIUM
Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:P
CPE Matches
rti
rti
>>connext_dds_micro>>Versions from 2.4(inclusive)
cpe:2.3:a:rti:connext_dds_micro:*:*:*:*:*:*:*:*
rti
rti
>>connext_professional>>Versions from 4.2(inclusive) to 6.1.0(exclusive)
cpe:2.3:a:rti:connext_professional:*:*:*:*:*:*:*:*
rti
rti
>>connext_secure>>Versions from 4.2(inclusive) to 6.1.0(exclusive)
cpe:2.3:a:rti:connext_secure:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-406Secondary3f572a00-62e2-4423-959a-7ea25eff1638
CWE-923Secondary3f572a00-62e2-4423-959a-7ea25eff1638
CWE ID: CWE-406
Type: Secondary
Source: 3f572a00-62e2-4423-959a-7ea25eff1638
CWE ID: CWE-923
Type: Secondary
Source: 3f572a00-62e2-4423-959a-7ea25eff1638
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2F3f572a00-62e2-4423-959a-7ea25eff1638
Permissions Required
Vendor Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-023f572a00-62e2-4423-959a-7ea25eff1638
Third Party Advisory
US Government Resource
https://www.rti.com/vulnerabilities/#cve-2021-384873f572a00-62e2-4423-959a-7ea25eff1638
N/A
https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2Faf854a3a-2127-422b-91ae-364da2661108
Permissions Required
Vendor Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
US Government Resource
Hyperlink: https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2F
Source: 3f572a00-62e2-4423-959a-7ea25eff1638
Resource:
Permissions Required
Vendor Advisory
Hyperlink: https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
Source: 3f572a00-62e2-4423-959a-7ea25eff1638
Resource:
Third Party Advisory
US Government Resource
Hyperlink: https://www.rti.com/vulnerabilities/#cve-2021-38487
Source: 3f572a00-62e2-4423-959a-7ea25eff1638
Resource: N/A
Hyperlink: https://support.rti.com/s/login/?ec=302&startURL=%2Fs%2F
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Permissions Required
Vendor Advisory
Hyperlink: https://www.cisa.gov/uscert/ics/advisories/icsa-21-315-02
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Third Party Advisory
US Government Resource

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2021-43547
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.09% / 26.91%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 15:19
Updated-16 Apr, 2025 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
TwinOaks Computing CoreDX DDS Secure Network Amplification

TwinOaks Computing CoreDX DDS versions prior to 5.9.1 are susceptible to exploitation when an attacker sends a specially crafted packet to flood target devices with unwanted traffic. This may result in a denial-of-service condition and information exposure.

Action-Not Available
Vendor-twinoakscomputingTwinOaks Computing
Product-coredx_ddsCoreDX DDS
CWE ID-CWE-406
Insufficient Control of Network Message Volume (Network Amplification)
CVE-2023-28078
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-9.1||CRITICAL
EPSS-0.37% / 58.04%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 12:35
Updated-23 Jan, 2025 | 17:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell OS10 Networking Switches running 10.5.2.x and above contain a vulnerability with zeroMQ when VLT is configured. A remote unauthenticated attacker could potentially exploit this vulnerability leading to information disclosure and a possible Denial of Service when a huge number of requests are sent to the switch. This is a high severity vulnerability as it allows an attacker to view sensitive data. Dell recommends customers to upgrade at the earliest opportunity.

Action-Not Available
Vendor-Dell Inc.
Product-smartfabric_os10Dell SmartFabric OS10smartfabric_os10
CWE ID-CWE-923
Improper Restriction of Communication Channel to Intended Endpoints
CVE-2021-38425
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-7.5||HIGH
EPSS-0.05% / 16.81%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 15:24
Updated-16 Apr, 2025 | 16:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
eProsima Fast DDS Network Amplification

eProsima Fast DDS versions prior to 2.4.0 (#2269) are susceptible to exploitation when an attacker sends a specially crafted packet to flood a target device with unwanted traffic, which may result in a denial-of-service condition and information exposure.

Action-Not Available
Vendor-eprosimaeProsima
Product-fast_ddsFast DDS
CWE ID-CWE-406
Insufficient Control of Network Message Volume (Network Amplification)
CVE-2021-38429
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
ShareView Details
Matching Score-4
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) Industrial Control Systems (ICS)
CVSS Score-6.6||MEDIUM
EPSS-0.06% / 17.58%
||
7 Day CHG~0.00%
Published-05 May, 2022 | 15:26
Updated-16 Apr, 2025 | 16:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
OCI OpenDDS Secure Network Amplification

OCI OpenDDS versions prior to 3.18.1 are vulnerable when an attacker sends a specially crafted packet to flood target devices with unwanted traffic, which may result in a denial-of-service condition and information exposure.

Action-Not Available
Vendor-objectcomputingOCI
Product-openddsOpenDDS
CWE ID-CWE-406
Insufficient Control of Network Message Volume (Network Amplification)
Details not found