Summary of ABB Drive Composer Vulnerability
This document outlines a critical vulnerability in ABB’s Drive Composer software, which could allow unauthorized access to the file system on the host machine, potentially leading to the execution of malicious code. The vulnerability is classified as a ‘Path Traversal’ issue.
1. EXECUTIVE SUMMARY
- CVSS v4 Score: 9.3
- Exploitation: Remotely exploitable with low attack complexity
- Vendor: ABB
- Equipment: Drive Composer
- Vulnerability: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
2. RISK EVALUATION
Exploitation of this vulnerability could grant attackers unauthorized access to the file system, enabling them to run malicious code and compromise the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Drive Composer are affected:
- Drive Composer entry: Version 2.9.0.1 and prior
- Drive Composer pro: Version 2.9.0.1 and prior
3.2 VULNERABILITY OVERVIEW
The vulnerability allows unauthorized file system access, leading to potential system compromise. It is identified as CVE-2024-48510 with a CVSS v3 score of 9.8 and a CVSS v4 score of 9.3.
3.3 BACKGROUND
- Critical Infrastructure Sectors: Critical Manufacturing
- Deployment: Worldwide
- Company Headquarters: Switzerland
3.4 RESEARCHER
ABB reported this vulnerability to CISA.
4. MITIGATIONS
ABB has released Drive Composer Version 2.9.1 to address this vulnerability. Users are encouraged to update as soon as possible. Additional security practices are recommended, including network isolation and regular software updates.
5. UPDATE HISTORY
- February 6, 2025: Initial Publication
For more detailed information, please refer to the original article here.




