Cyber Resilience

CVE-2022-0902

Severity: High · Type: RCE

Published: 21 July 2022
Modified: 21 November 2024
KEV Added: not listed
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0225 (85.0th percentile)
Risk Priority: 18 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-0902 is a high-severity Path Traversal (CWE-22) vulnerability in ABB RMC-100 firmware. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 15.0% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2022-0902 is a path traversal and command injection vulnerability affecting multiple ABB flow computer and remote controller products, specifically the RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, and UDC. The issues are tracked under CWE-22 and CWE-77 and arise from improper limitation of pathnames to a restricted directory combined with inadequate neutralization of special elements in commands, which together allow an attacker to insert and execute arbitrary code on an affected node.

An unauthenticated attacker with network access can exploit the flaw, although the attack requires high complexity. Successful exploitation grants the ability to run arbitrary code, resulting in high impact to confidentiality, integrity, and availability on the targeted industrial device.

ABB has released an advisory (document 9AKK108467A0927) that describes the affected products and provides mitigation guidance; practitioners should obtain the advisory directly from ABB's library for patch or configuration details.

The associated EPSS score rose from low values to a peak of 0.0680 on 2025-12-11 before receding to the current 0.0225, indicating a period of increased exploitation interest after disclosure.

Vulnerability details

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') and Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in flow computer and remote controller products of ABB (RMC-100 (Standard), RMC-100-LITE, XIO, XFCG5, XRCG5, uFLOG5, UDC) allows an attacker who successfully exploits this vulnerability to insert and run arbitrary code in an affected system node.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

abb rmc-100 firmware: versions ≤ 2105457-037
abb rmc-100-lite firmware: versions ≤ 2106229-011
abb xio firmware: versions ≤ 2106198-008
abb xfcg5 firmware: versions ≤ 2105805-016
abb xrcg5 firmware: versions ≤ 2105864-016
abb uflog5 firmware: versions ≤ 2105298-024
abb udc firmware: versions ≤ 2106177-007

Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
