---
title: "ABB PCM600 Vulnerability Exposes Critical Systems to Arbitrary Code Execution"
short_title: "ABB PCM600 path traversal flaw allows code execution"
description: "ABB PCM600 versions 1.5 to 2.13 affected by a medium-severity path traversal vulnerability (CVE-2018-1002208). Learn mitigation steps and patch recommendations."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [abb, pcm600, cve-2018-1002208, path-traversal, ics-security]
score: 0.65
cve_ids: [CVE-2018-1002208]
---
## TL;DR
A path traversal vulnerability in ABB PCM600 (versions 1.5 to 2.13) could allow attackers to execute arbitrary code by sending specially crafted messages to affected systems. While the flaw has a medium severity (CVSS 4.4), it poses risks to critical manufacturing infrastructure. ABB has released PCM600 version 2.14 to patch the issue, alongside mitigation guidance for systems unable to upgrade immediately.
### Introduction
Industrial control systems (ICS) remain a prime target for cyber threats due to their role in critical infrastructure. ABB, a global leader in electrification and automation, has disclosed a path traversal vulnerability in its PCM600 software, a tool used for protection and control of intelligent electronic devices (IEDs). If exploited, this flaw (tracked as CVE-2018-1002208) could enable attackers to execute arbitrary code on vulnerable systems, potentially disrupting operations in critical manufacturing sectors.
Below, we break down the vulnerability, its impact, and actionable steps for mitigation.
### Key Points
- Vulnerability: Path traversal flaw in SharpZip.dll (CVE-2018-1002208) allows arbitrary code execution.
- Affected Versions: ABB PCM600 1.5 to 2.13.
- Severity: Medium (CVSS 4.4) due to high attack complexity and local access requirements.
- Patch Available: ABB has released PCM600 version 2.14 to address the issue.
- Workaround: System-level defenses and network isolation are recommended for systems unable to upgrade.
- Deployment: Vulnerable systems are used worldwide, particularly in critical manufacturing.
### Technical Details
#### Vulnerability Overview
The vulnerability stems from an improper limitation of a pathname to a restricted directory (CWE-22) in the SharpZip.dll library included with ABB PCM600. An attacker could exploit this flaw by crafting malicious messages targeting a system node, leading to arbitrary code execution. The attack requires local access, high privileges, and user interaction, contributing to its medium severity rating.
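The CWE-22 condition described above can be checked before anything is written to disk. The following is an added example in Python, not code from ABB or from the affected library; it assumes the pathname arrives as a ZIP entry name, and the destination directory and sample entry names are constructed for illustration.

```python
import io
import ntpath  # Windows path rules on any host OS
import zipfile

DEST = r"C:\data\import"  # hypothetical extraction directory (assumption)

# Constructed entry names with benign content, not from any real archive.
SAMPLE_NAMES = [
    "config/relay.xml",          # stays inside DEST
    "config/../notes.txt",       # ".." that still resolves inside DEST
    "../../outside.txt",         # climbs out of DEST
    "..\\import_backup\\x.txt",  # sibling directory sharing DEST's prefix
    "C:/Temp/x.txt",             # drive-qualified absolute path
]


def entry_escapes(dest_dir: str, entry_name: str) -> bool:
    """Return True if entry_name would resolve outside dest_dir (CWE-22)."""
    name = entry_name.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        return True  # drive-qualified, rooted or UNC names ignore dest_dir
    base = ntpath.normcase(ntpath.normpath(dest_dir))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(base, name)))
    # Compare with a trailing separator so "import_backup" is not
    # mistaken for a child of "import".
    return target != base and not target.startswith(base.rstrip("\\") + "\\")


def build_sample() -> bytes:
    """Build the constructed archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in SAMPLE_NAMES:
            zf.writestr(name, b"constructed")
    return buf.getvalue()


def audit_archive(data: bytes, dest_dir: str) -> list[str]:
    """List entry names that must not be extracted into dest_dir."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()
                if entry_escapes(dest_dir, info.filename)]


if __name__ == "__main__":
    for bad in audit_archive(build_sample(), DEST):
        print("reject:", bad)
```

The comparison is done on the normalized, case-folded path rather than on the raw entry name, which is why the entry containing `..` that still resolves inside the destination is accepted while the sibling-directory entry is rejected.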
#### CVSS Metrics
| Metric | Value |
|----------------------|-------------------------------------------------------------------------------------------|
| CVSS Version | 3.1 |
| Base Score | 4.4 (Medium) |
| Vector String | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N |
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | High |
| Availability | None |
### Impact Assessment
#### Affected Systems
- ABB PCM600 versions 1.5 to 2.13.
- RE_630 protection relays are incompatible with the patched version (2.14), requiring alternative mitigation strategies.
#### Potential Risks
- Arbitrary Code Execution: Successful exploitation could allow attackers to take control of affected systems, leading to operational disruptions or data manipulation.
- Critical Infrastructure Threat: As PCM600 is deployed in critical manufacturing, exploitation could have cascading effects on industrial processes.
- Limited Remote Exploitation: The vulnerability is not exploitable remotely, reducing its immediate risk but not eliminating the need for patching.
### Mitigation Steps
ABB has provided multiple remediation and mitigation strategies to address the vulnerability:
#### 1. Apply the Patch
- Upgrade to PCM600 version 2.14, which resolves the path traversal flaw.
- Note: RE_630 protection relays are not compatible with version 2.14. Users of these relays must implement system-level defenses instead.
#### 2. System-Level Defenses
- Network Isolation: Ensure control system networks are not accessible from the internet and are separated from business networks using firewalls.
- Remote Access: Use secure methods like Virtual Private Networks (VPNs) for remote access. Ensure VPNs are updated to the latest version.
- Least Privilege Principle: Restrict user permissions to minimize the risk of exploitation.
#### 3. Additional Recommendations
- Monitor for Malicious Activity: Implement intrusion detection systems (IDS) to identify suspicious behavior.
- User Training: Educate staff on social engineering attacks, such as phishing, to prevent initial access.
- Regular Updates: Keep all software and firmware up to date to protect against known vulnerabilities.
For detailed guidance, refer to ABB’s official advisories:
- ABB PSIRT Security Advisory (PDF)
- ABB PSIRT Security Advisory (CSAF)
### Affected Systems
| Vendor | Product | Affected Versions | Status |
|------------|-------------------|-----------------------|------------------|
| ABB | PCM600 | 1.5 to 2.13 | Known Affected |
## Conclusion
While the CVE-2018-1002208 vulnerability in ABB PCM600 is rated as medium severity, its potential impact on critical manufacturing infrastructure warrants immediate action. Organizations using affected versions should upgrade to PCM600 2.14 or implement system-level defenses to mitigate risks. As industrial systems increasingly become targets for cyber threats, proactive security measures—such as network isolation, regular patching, and user training—are essential to safeguarding operations.
No known public exploitation of this vulnerability has been reported, but organizations should remain vigilant and follow CISA’s recommended practices for ICS security.
## References
[^1]: ABB. "ABB PSIRT Security Advisory 2NGA002813". Retrieved 2024-10-02.
[^2]: CISA. "ICS Advisory (ICSA-26-120-02)". Retrieved 2024-10-02.
[^3]: MITRE. "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')". Retrieved 2024-10-02.