PT-2022-6145 · ABB · uFLOG5+6

Published: 2022-07-21 · Updated: 2023-06-27 · CVE-2022-0902

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ABB RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, UDC

Description: The issue is related to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and Improper Neutralization of Special Elements used in a Command ('Command Injection'). This allows an attacker to insert and run arbitrary code on an affected system node. The vulnerability affects ABB flow computer and remote controller products, which are widely used by large oil and gas companies worldwide. These devices play a crucial role in calculating volumes and limits of oil and gas, so their compromise could impact financial calculations and customer service. An attacker could exploit this vulnerability to gain root access to the ABB flow computer, read and write files, and execute code remotely.

Recommendations: For ABB RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, UDC, update to the latest version that includes the fix for this issue, as provided by ABB with the release of the microPO update. As a temporary workaround, consider implementing proper network segmentation to mitigate the risk of exploitation.

Fix

Path traversal

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2023-00170
CVE-2022-0902

Affected Products

ABB RMC-100
RMC-100-LITE
UDC
XFCG5
XIO
XRCG5
uFLOG5