ABB RMC-100

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: RMC-100
• Vulnerability: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to send a specially crafted message to the web UI, causing a temporary denial of service until the interface can be restarted.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports that the following products are affected when the REST interface is enabled:

• RMC-100: Versions 2105457-036 to 2105457-044
• RMC-100 LITE: Versions 2106229-010 to 2106229-016

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPERLY CONTROLLED MODIFICATION OF OBJECT PROTOTYPE ATTRIBUTES ('PROTOTYPE POLLUTION') CWE-1321

A vulnerability exists in the web UI (REST interface) included in the product versions listed above. An attacker could exploit the vulnerability by sending a specially crafted message to the web UI node, causing a node process hang, requiring restart of the REST interface (disable/enable).

CVE-2022-24999 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-24999. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

ABB PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

ABB recommends that users apply the following updates at earliest convenience.

• Update RMC-100 Customer Package to 2105452-048.
• Update RMC-100 LITE Customer Package to 2106260-017.

ABB recommends disabling the REST interface when not in use to configure the MQTT functionality. By default, the REST interface is disabled so no risk is present.
The RMC-100 is not intended for access over public networks such as the internet. An attacker would need to have access to the user's private control network to exploit this vulnerability. Proper network segmentation is recommended.

For more information, please see ABB's cybersecurity advisory.

For any installation of software-related ABB products, ABB strongly recommends the following (non-exhaustive) list of cyber security practices:

• Isolate special-purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them from any general-purpose network (e.g., office or home networks).
• Install physical controls so no unauthorized personnel can access your devices, components, peripheral equipment, and networks.
• Never connect programming software or computers containing programming software to any network other than the network for the devices that it is intended for.
• Scan all data imported into your environment before use to detect potential malware infections.
• Minimize network exposure for all applications and endpoints to ensure that they are not accessible from the Internet unless they are designed for such exposure and the intended use requires such.
• Ensure all nodes are always up to date in terms of installed software, operating system, and firmware patches as well as anti-virus and firewall.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• March 25, 2025: Initial Publication

• ABB