CVE-2022-0902

moderate-risk
Published 2022-07-21

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in flow computer and remote controller products of ABB ( RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5 , XRCG5 , uFLOG5 , UDC) allows an attacker who successfully exploited this vulnerability could insert and run arbitrary code in an affected system node.

Do I need to act?

~
2.3% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.1/10 High
NETWORK / HIGH complexity

Affected Products (7)

Rmc-100 Firmware
Rmc-100-Lite Firmware
Xio Firmware
Xfcg5 Firmware
Xrcg5 Firmware
Uflog5 Firmware
Udc Firmware

Affected Vendors

Abb

References (2)

Mitigation https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&Language...
Mitigation https://search.abb.com/library/Download.aspx?DocumentID=9AKK108467A0927&Language...
43
/ 100
moderate-risk
Severity 24/34 · High
Exploitability 5/34 · Minimal
Exposure 14/34 · Moderate