CVE-2022-0902
Published: 21 July 2022
Summary
CVE-2022-0902 is a high-severity Path Traversal (CWE-22) vulnerability in ABB RMC-100 firmware. Its CVSS base score is 8.1 (High).
Operationally, it ranks in the top 15.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-0902 is a path traversal and command injection vulnerability affecting multiple ABB flow computer and remote controller products, specifically the RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, and UDC. The issues are tracked under CWE-22 and CWE-77: pathnames are not properly limited to a restricted directory, and special elements in command input are not adequately neutralized, which together allow an attacker to insert and execute arbitrary code on an affected node.
An unauthenticated attacker with network access can exploit the flaw, although the attack complexity is rated high. Successful exploitation grants the ability to run arbitrary code, resulting in high impact to confidentiality, integrity, and availability on the targeted industrial device.
ABB has released an advisory (document 9AKK108467A0927) that describes the affected products and provides mitigation guidance; practitioners should obtain the advisory directly from ABB's library for patch or configuration details.
The associated EPSS score rose from low values to a peak of 0.0680 on 2025-12-11 before receding to the current 0.0225, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15934
Vulnerability details
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in flow computer and remote controller products of ABB (RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, UDC) allows an attacker who successfully exploits this vulnerability to insert and run arbitrary code in an affected system node.
- CWE(s): CWE-22 (Path Traversal), CWE-77 (Command Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.