ABB Flow Computer and Remote Controllers Path Traversal Vulnerability in Totalflow TCP protocol can lead to root access
CVE-2022-0902

8.1HIGH

Key Information:

Vendor: Abb
Status: Rmc-100 (standard); Rmc-100-lite; Xio; Xfcg5
Vendor: CVE Published:; 14 July 2022

What is CVE-2022-0902?

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in flow computer and remote controller products of ABB ( RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5 , XRCG5 , uFLOG5 , UDC) allows an attacker who successfully exploited this vulnerability could insert and run arbitrary code in an affected system node.

Affected Version(s)

RMC-100 (Standard) < 2105457-037

RMC-100-LITE < 2106229-011

UDC < 2106177-007

References

https://search.abb.com/library/Download.aspx?DocumentID=9...

x_refsource_MISC

EPSS Score

23% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 14, 2022
Vulnerability Reserved
Mar 9, 2022

Credit

ABB thanks Vera Mens at Claroty Research for helping to identify the vulnerabilities and protecting our customers.

Abb

What is CVE-2022-0902?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline

Credit