Rittal CMC III Access systems
Priority: Monitor · CVSS v3 base score 4.8 · ICS-CERT ICSA-23-061-03 · Mar 6, 2023
Attack Vector: Physical
Privileges Required: Low (valid low-privilege credentials)
Attack Complexity: High
User Interaction: None needed
Summary
The Rittal CMC III access control system contains a vulnerability that allows an attacker with physical access and low-level credentials to open electronically secured control cabinet locks. The vulnerability affects all versions of the CMC III product. Rittal has declared the CMC III and CMC compact products end-of-life and will not release patches; the vendor plans to address security gaps in next-generation products.
What this means
What could happen
An attacker with physical access to the facility and valid low-level credentials (such as a maintenance card) could unlock Rittal-secured control cabinets without authorization, potentially gaining access to PLCs, switches, or other critical equipment inside and altering or disabling operations.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Rittal CMC III cabinets for physical access control to network switches, PLCs, RTUs, or power distribution equipment. Any facility with electronically locked control cabinets housing operational technology is affected.
How it could be exploited
An attacker standing at a CMC III reader on a control cabinet, holding a valid low-privilege access card, uses the weakness to open the lock without the authorization that card should require. This page does not describe the underlying weakness or the steps involved; the header metrics (physical access, low privileges, high attack complexity, no user interaction) are the only description of the effort given here.
Prerequisites
- Physical access to the CMC III reader on a control cabinet
- A valid but low-privilege access card (e.g., maintenance or contractor card)
- Knowledge of or ability to derive the unlock mechanism
Key points
- No patch available: the product is end-of-life
- Affects physical security controls protecting critical equipment
- High attack complexity per the CVSS rating, so this is not a walk-up attack
- Valid credentials required, but low-privilege cards are often held by many staff and contractors
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product   | Affected Versions | Fix Status
CMC III   | All versions      | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Physically secure access cards and issue them only to authorized personnel. Audit who holds active cards and revoke those no longer needed.
Schedule — requires maintenance window
No patch exists for CMC III, so these items are compensating hardware and facility controls rather than firmware updates; schedule them as cabinet maintenance.
HARDENING: Add a PIN pad to CMC III cabinets to enforce two-factor authentication (access card + PIN). Contact Rittal support for hardware compatibility and installation guidance.
HARDENING: Restrict physical access to areas where CMC III-locked cabinets are located. Use additional door locks, video surveillance, or access logging at the room level.
Long-term hardening
HARDENING: Plan the upgrade to Rittal next-generation access control products as part of the long-term capital equipment refresh cycle; there is no hotfix for CMC III.
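The card audit in the "Do now" item can be made a repeatable check rather than a one-off. The script below is an added example, not code from Rittal or from the advisory: it reconciles a card register against the active-personnel roster and contractor end dates and lists the cards that should be revoked, with the reason for each. The register, roster and dates are constructed sample data, and the field layout (holder, role, last-used date) is an assumption, since the CMC III export format is not described on this page.

```python
"""Access-card inventory reconciliation for electronically locked cabinets.

Added example for this page; all data below is constructed and the record
layout is assumed, not taken from any CMC III export.
"""
from datetime import date, timedelta

# Constructed card register: card_id -> (holder, role, date the card last unlocked a cabinet)
CARD_REGISTER = {
    "C-1001": ("a.meyer",   "ops",         date(2023, 2, 28)),
    "C-1002": ("b.schmidt", "maintenance", date(2022, 9, 1)),
    "C-1003": ("c.keller",  "contractor",  date(2023, 2, 20)),
    "C-1004": ("a.meyer",   "maintenance", date(2023, 1, 15)),
    "C-1005": ("d.vogel",   "contractor",  date(2023, 3, 1)),
}

# Constructed HR roster of people still authorized for cabinet access.
ACTIVE_PERSONNEL = {"a.meyer", "b.schmidt", "d.vogel"}

# Constructed contractor engagements: holder -> contract end date.
CONTRACT_END = {"c.keller": date(2023, 1, 31), "d.vogel": date(2023, 6, 30)}

# A card that has not opened anything in this long is probably forgotten, not needed.
INACTIVITY_LIMIT = timedelta(days=90)


def cards_to_revoke(register, active, contract_end, today, limit=INACTIVITY_LIMIT):
    """Return {card_id: [reasons]} for every card that fails at least one check."""
    findings = {}
    first_card_of = {}
    for card_id, (holder, role, last_used) in sorted(register.items()):
        reasons = []
        if holder not in active:
            reasons.append("holder not on active roster")
        end = contract_end.get(holder)
        if end is not None and end < today:
            reasons.append(f"contract ended {end.isoformat()}")
        idle = today - last_used
        if idle > limit:
            reasons.append(f"unused for {idle.days} days")
        # One physical card per holder: a second card is one more token to lose or lend.
        if holder in first_card_of:
            reasons.append(f"duplicate card for {holder} (also {first_card_of[holder]})")
        else:
            first_card_of[holder] = card_id
        if reasons:
            findings[card_id] = reasons
    return findings


if __name__ == "__main__":
    report = cards_to_revoke(CARD_REGISTER, ACTIVE_PERSONNEL, CONTRACT_END, date(2023, 3, 6))
    for card_id, reasons in report.items():
        holder, role, _ = CARD_REGISTER[card_id]
        print(f"REVOKE {card_id} ({holder}, {role}): " + "; ".join(reasons))
```

Run against a real export, the same four checks (holder gone, contract expired, card idle, duplicate card) cover most of what the audit is meant to catch; the inactivity threshold is the one parameter worth tuning to the site's maintenance cadence.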
CVEs (1)