1. EXECUTIVE SUMMARY
The ABB RMC-100, a critical component in industrial automation, has been identified with a significant vulnerability, classified under CVE-2022-24999. This vulnerability, rated with a CVSS v4 score of 8.7, allows for remote exploitation with low complexity, potentially leading to a denial of service. The issue arises from an improperly controlled modification of object prototype attributes, commonly referred to as ‘prototype pollution.’ This report delves into the implications of this vulnerability, the affected products, and the recommended mitigations to safeguard against potential exploitation.
2. RISK EVALUATION
The successful exploitation of the RMC-100 vulnerability could enable an attacker to send a specially crafted message to the web user interface (UI). This action could cause the node process to hang, necessitating a restart of the REST interface. While this may not lead to catastrophic failures, it can disrupt operations, particularly in environments where uptime is critical. The potential for remote exploitation raises alarms, especially in sectors reliant on continuous automation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ABB has confirmed that the following product versions are vulnerable when the REST interface is enabled:
- RMC-100: Versions 2105457-036 to 2105457-044
- RMC-100 LITE: Versions 2106229-010 to 2106229-016
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPERLY CONTROLLED MODIFICATION OF OBJECT PROTOTYPE ATTRIBUTES (‘PROTOTYPE POLLUTION’) CWE-1321
The vulnerability in question allows an attacker to exploit the web UI (REST interface) of the affected products. By sending a crafted message, the attacker can cause the node process to hang, requiring a restart of the REST interface. This vulnerability has been assigned CVE-2022-24999, with a CVSS v3 base score of 7.5 and a CVSS v4 score of 8.7, indicating a high level of risk.
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Switzerland
The RMC-100 is widely used in critical manufacturing sectors, making its security paramount. Given its global deployment, the implications of this vulnerability extend beyond individual organizations to potentially impact supply chains and operational integrity across industries.
3.4 RESEARCHER
The vulnerability was reported by ABB’s Product Security Incident Response Team (PSIRT) to the Cybersecurity and Infrastructure Security Agency (CISA), highlighting the proactive measures taken by ABB to address security concerns.
4. MITIGATIONS
ABB has outlined several recommendations for users to mitigate the risks associated with this vulnerability:
- Update RMC-100 Customer Package: Upgrade to version 2105452-048.
- Update RMC-100 LITE Customer Package: Upgrade to version 2106260-017.
Additionally, ABB recommends disabling the REST interface when not in use, as it is disabled by default, thus minimizing exposure to potential attacks. The RMC-100 is not designed for public network access, and attackers would need access to the user’s private control network to exploit this vulnerability. Proper network segmentation is advised to enhance security.
ABB also emphasizes the importance of adhering to cybersecurity best practices, including:
- Isolate networks: Keep special-purpose networks and remote devices behind firewalls, separate from general-purpose networks.
- Implement physical controls: Prevent unauthorized access to devices and networks.
- Limit network exposure: Ensure applications and endpoints are not accessible from the Internet unless necessary.
- Regular updates: Keep all software, operating systems, and firmware up to date.
- Secure remote access: Use VPNs for remote connections, recognizing their potential vulnerabilities.
CISA also encourages organizations to perform impact analysis and risk assessments before deploying defensive measures. They provide resources for control systems security recommended practices, which can be found on their website.
As of now, there have been no reported public exploitations specifically targeting this vulnerability, but organizations are urged to remain vigilant and report any suspicious activity to CISA for tracking and correlation against other incidents.
5. UPDATE HISTORY
- March 25, 2025: Initial Publication




