RMC-100 Vulnerability in the Web UI (REST Interface)
Plan Patch 7.59akk108470a8565 Mar 11, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in the RMC-100 and RMC-100 LITE web UI REST interface can be exploited to cause a denial-of-service condition that stops the web UI from responding. The vulnerability is in versions RMC-100 2105457-036 through 2105457-044 and RMC-100 LITE 2106229-010 through 2106229-016. An attacker with network access to the device can send a crafted request that crashes the web interface, preventing remote monitoring and control operations until the device is restarted or updated.
What this means
What could happen
An attacker could crash the web interface of the RMC-100 flow computer, preventing remote monitoring and control of flow measurement or process operations through the web UI until the device is restarted or patched.
Who's at risk
Water utilities, municipal electric utilities, and oil/gas operators using ABB RMC-100 or RMC-100 LITE flow computers for remote flow measurement and process control. Impact affects any organization relying on the web UI for monitoring or adjusting process parameters.
How it could be exploited
An attacker with network access to the REST API endpoint on the RMC-100 web UI (port 80/443) can send a malformed request that causes a denial-of-service condition. No authentication or valid user credentials are required to exploit this vulnerability.
Prerequisites
- Network access to the RMC-100 web UI (HTTP/HTTPS port)
- No valid credentials required
remotely exploitable, no authentication required, low complexity, affects remote monitoring capability
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (2)
2 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| RMC-100 (2105457-036 to 2105457-044) | ≥ 210547-036, ≤ 2105457-044 | 2105452-048 |
| RMC-100 LITE (2106229-010 to 2106229-016) | ≥ 2106229-010, ≤ 2106229-016 | 2106260-017 |
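An added example, not part of the advisory or any vendor tooling: triaging an asset inventory against the affected ranges and fix versions listed above. It assumes a firmware identifier has the form part number, hyphen, revision, and that revisions under one part number compare numerically; the asset names are constructed.

```python
import re

# Ranges and fix versions copied from the advisory's "Affected products" table.
# Assumption: a firmware identifier is "<part number>-<revision>" and
# revisions of the same part number compare numerically.
ADVISORY = {
    "RMC-100": {"affected": ("2105457", 36, 44), "fixed": ("2105452", 48)},
    "RMC-100 LITE": {"affected": ("2106229", 10, 16), "fixed": ("2106260", 17)},
}

_FW = re.compile(r"^\s*(\d+)-(\d+)\s*$")


def classify(product, firmware):
    """Return 'affected', 'fixed' or 'unknown' for one inventory entry."""
    entry = ADVISORY.get(product.strip().upper())
    match = _FW.match(firmware)
    if entry is None or match is None:
        return "unknown"
    part, rev = match.group(1), int(match.group(2))
    a_part, lo, hi = entry["affected"]
    f_part, f_rev = entry["fixed"]
    if part == a_part and lo <= rev <= hi:
        return "affected"
    # The fix ships under a different part number than the affected builds,
    # so "or later" is only evaluated within the fix part number.
    if part == f_part and rev >= f_rev:
        return "fixed"
    # Outside both listed ranges the advisory makes no statement: do not guess.
    return "unknown"


def triage(inventory):
    """Group (asset, product, firmware) rows by classification."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for asset, product, firmware in inventory:
        result[classify(product, firmware)].append(asset)
    return result


# Constructed sample inventory (asset names are hypothetical).
SAMPLE = [
    ("fc-north-01", "RMC-100", "2105457-040"),
    ("fc-north-02", "RMC-100", "2105452-048"),
    ("fc-south-01", "RMC-100 LITE", "2106229-016"),
    ("fc-south-02", "RMC-100 LITE", "2106260-017"),
    ("fc-east-01", "RMC-100", "2105457-035"),
    ("fc-east-02", "rmc-100 lite", "unreadable"),
]

if __name__ == "__main__":
    for status, assets in triage(SAMPLE).items():
        print(f"{status:8} {', '.join(assets)}")
```

Entries reported as `unknown` need a manual check against the vendor's release information rather than being treated as safe.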
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the RMC-100 web UI to authorized engineering and monitoring workstations only using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update RMC-100 to firmware version 2105452-048 or later
- HOTFIX: Update RMC-100 LITE to firmware version 2106260-017 or later
Long-term hardening
- HARDENING: Segment the RMC-100 device on a protected network separate from untrusted networks
CVEs (1)
API:
/api/v1/advisories/b2bfa418-6628-4c72-9379-8cfceae65b9e