Motorola Solutions ACE1000

Act Now9.8ICS-CERT ICSA-22-179-06Jun 28, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Motorola ACE1000 remote terminal unit contains five critical vulnerabilities: CVE-2022-30269 and CVE-2022-30272: Insecure firmware download and installation procedures allow attackers to inject malicious code without proper verification. CVE-2022-30271: Hardcoded or weak SSH private keys in the device allow attackers to authenticate as the RTU without valid credentials. CVE-2022-30270: Default or weak administrator passwords are present, allowing unauthorized administrative access. CVE-2022-30274: A related vulnerability in MOTOTRBO Capacity systems. Successful exploitation could allow an attacker to manipulate RTU configuration, cause denial of service, or achieve remote code execution on the device managing your water/electrical distribution infrastructure.

What this means

What could happen

An attacker could remotely reconfigure the ACE1000 RTU, manipulate control logic, stop operations entirely, or execute arbitrary commands—allowing direct control over the water/electrical distribution systems the RTU manages.

Who's at risk

Water utilities and electric utilities operating Motorola ACE1000 remote terminal units (RTUs) in SCADA networks. Any facility using ACE1000 to manage remote field equipment, distribution automation, or networked sensors. Organizations using MOTOTRBO radio systems integrated with ACE1000 are also affected.

How it could be exploited

An attacker on the network can exploit multiple weaknesses: use hardcoded credentials to authenticate, exploit insecure download procedures to inject malicious firmware, abuse weak SSH key management, or leverage default/weak passwords to gain administrative access. Each of these leads to full RTU compromise.

Prerequisites

Network access to the ACE1000 (port 22 for SSH, HTTP/HTTPS for web interface, or DNP3/MODBUS ports)
No valid credentials required for some attack vectors (hardcoded credentials and default access)
For password-based attacks: knowledge of weak default or common administrator passwords

remotely exploitableno authentication required (hardcoded credentials)low complexity to exploitaffects safety-critical RTU operationsno vendor patch available for ACE1000 (only upgrade path)affects field devices that directly control physical equipment

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

ACE1000: All versionsAll versionsNo fix (EOL)

Remediation & Mitigation

0/8

Do now

0/5

WORKAROUNDFor CVE-2022-30271: Execute 'ACE1000 SSH Key Rotation' process to replace hardcoded or weak SSH keys

WORKAROUNDFor CVE-2022-30270: Manually change all default administrator passwords on the ACE1000 to strong, unique values

HARDENINGIsolate ACE1000 and all RTU networks behind a firewall; ensure they are not directly accessible from the Internet or business networks

HARDENINGIf remote access to ACE1000 is required, implement a VPN and keep VPN software updated to the latest version

HARDENINGRestrict network access to ACE1000 to only authorized engineering workstations and management systems; block all other sources

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade ACE1000 to MC-EDGE intelligent RTU to resolve all five CVEs at once

HOTFIXFor CVE-2022-30269 and CVE-2022-30272: Apply Motorola's 'Secured Download and Installation for ACE1000' procedure to prevent malicious firmware injection

HOTFIXFor CVE-2022-30274: Upgrade MOTOTRBO system to Capacity Max version

CVEs (5)

CVE-2022-30271 CVE-2022-30270 CVE-2022-30274 CVE-2022-30269 CVE-2022-30272

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/221e157e-f2c2-4e76-b539-900b0f8be11c