OTPulse

Drive Composer Path Traversal Vulnerability

Act Now
CVSS: 9.8
Reference: 9akk108470a5466
Published: Feb 5, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A path traversal vulnerability in ABB Drive Composer allows an attacker to bypass file access restrictions and read or write arbitrary files on the host machine. Successful exploitation could lead to unauthorized access to the file system, execution of arbitrary code, data leakage (including motor configurations and credentials), or complete compromise of the engineering workstation.

What this means
What could happen
An attacker could bypass file path restrictions and access arbitrary files on the engineering workstation running Drive Composer, potentially reading sensitive motor control configurations, stealing credentials, or executing code to compromise the machine.
Who's at risk
Drive system engineers and automation technicians who use ABB Drive Composer (entry or pro) to configure and program ABB motor drives. This affects any site running an older version of Drive Composer on engineering workstations or centralized configuration servers.
How it could be exploited
An attacker with network access to the Drive Composer software (likely via a web interface or the local network, if exposed) supplies a specially crafted file path request using traversal techniques (e.g., ../ sequences). The software fails to properly validate the path, allowing the attacker to read or write files outside the intended directory, such as system configuration files, credential stores, or executable locations.
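The root cause described above is a missing containment check on the requested path. The following is an added example (not code from the advisory, from OTPulse, or from ABB) showing the naive join that lets ../ sequences escape a base directory beside a normalized, prefix-checked version that rejects them. The base directory, the sample requests, and the function names are constructed for the illustration; the real Drive Composer file layout is not given on this page.

```python
"""Added example (not from the OTPulse advisory or ABB): a base-directory
containment check that shows why naive path joining lets '../' sequences
escape, and how a normalized, prefix-checked version rejects them."""
import posixpath

# Assumed project directory for the illustration; the real Drive Composer
# layout is not given in the advisory.
BASE_DIR = "/opt/drivecomposer/projects"


def resolve_unsafe(base: str, requested: str) -> str:
    """Vulnerable pattern: concatenate the request onto the base directory.
    Any '../' in `requested` is passed straight to the OS, which will walk
    above `base` when the file is opened."""
    return base.rstrip("/") + "/" + requested


def resolve_safe(base: str, requested: str):
    """Hardened pattern: normalize the joined path and require that the
    result is the base directory itself or lies strictly underneath it.
    Returns the normalized path, or None when the request is rejected."""
    if "\x00" in requested:
        return None  # NUL bytes truncate paths in C-level file APIs
    # Treat backslashes as separators too: Drive Composer is Windows
    # software and both separators reach the filesystem there.
    candidate = requested.replace("\\", "/")
    base_norm = posixpath.normpath(base)
    # posixpath.join discards `base` when `candidate` is absolute, so an
    # absolute request also fails the prefix check below.
    joined = posixpath.normpath(posixpath.join(base_norm, candidate))
    if joined == base_norm or joined.startswith(base_norm + "/"):
        return joined
    return None


# Constructed sample requests, as a file-serving endpoint might receive them
# after URL decoding (decode first; checking the raw, encoded string misses
# sequences such as '%2e%2e/').
SAMPLE_REQUESTS = [
    "drive1/params.bak",
    "drive1/../drive2/params.bak",
    "../../../etc/passwd",
    "..\\..\\Windows\\win.ini",
    "/etc/passwd",
]


def audit(requests=SAMPLE_REQUESTS, base=BASE_DIR):
    """Return (request, unsafe_result, safe_result) for each sample so the
    two behaviours can be compared side by side."""
    return [(r, resolve_unsafe(base, r), resolve_safe(base, r)) for r in requests]


if __name__ == "__main__":
    for req, unsafe, safe in audit():
        verdict = "ALLOW" if safe else "REJECT"
        print(f"{verdict:6} {req!r:35} naive -> {unsafe}")
```

The check is lexical (normpath) rather than filesystem-based, so it can run before anything is opened; on a real deployment, pair it with a realpath-based check after opening to also catch symlinks that point outside the base directory.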
Prerequisites
  • Network access to the Drive Composer interface or host machine
  • Drive Composer software running (versions 2.9.0.1 or earlier)
  • No credentials required if the interface is exposed on the network
Tags: remotely exploitable · no authentication required · low complexity · high CVSS (9.8) · affects engineering workstations with access to motor control systems
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (2)
2 with fix
Product                Affected Versions   Fix Status
Drive Composer entry   <= 2.9.0.1          2.9.1
Drive Composer pro     <= 2.9.0.1          2.9.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Drive Composer ports using firewall rules; allow only engineering workstations and planning systems to connect
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Drive Composer to version 2.9.1 or later for both entry and pro installations
Long-term hardening
HARDENING: Isolate Drive Composer onto a dedicated engineering network segment separate from production control systems
API: /api/v1/advisories/6e9c88f8-cb96-4903-a2bf-8c5b6ff97574