Skip to main content
Cybersecurity

ABB Drive Composer

ABB Drive Composer

Summary of ABB Drive Composer Vulnerability

This document outlines a critical vulnerability in ABB’s Drive Composer software, which could allow unauthorized access to the file system on the host machine, potentially leading to the execution of malicious code. The vulnerability is classified as a ‘Path Traversal’ issue.

1. EXECUTIVE SUMMARY

  • CVSS v4 Score: 9.3
  • Exploitation: Remotely exploitable with low attack complexity
  • Vendor: ABB
  • Equipment: Drive Composer
  • Vulnerability: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

2. RISK EVALUATION

Exploitation of this vulnerability could grant attackers unauthorized access to the file system, enabling them to run malicious code and compromise the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Drive Composer are affected:

  • Drive Composer entry: Version 2.9.0.1 and prior
  • Drive Composer pro: Version 2.9.0.1 and prior

3.2 VULNERABILITY OVERVIEW

The vulnerability allows unauthorized file system access, leading to potential system compromise. It is identified as CVE-2024-48510 with a CVSS v3 score of 9.8 and a CVSS v4 score of 9.3.

3.3 BACKGROUND

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Deployment: Worldwide
  • Company Headquarters: Switzerland

3.4 RESEARCHER

ABB reported this vulnerability to CISA.

4. MITIGATIONS

ABB has released Drive Composer Version 2.9.1 to address this vulnerability. Users are encouraged to update as soon as possible. Additional security practices are recommended, including network isolation and regular software updates.

5. UPDATE HISTORY

  • February 6, 2025: Initial Publication

For more detailed information, please refer to the original article here.