ABB Arctic Wireless Gateways

Act Now | CVSS 9.2 | ICS-CERT ICSA-25-100-09 | Apr 7, 2025
ABB | Energy | Transportation
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: High
  • User Interaction: None needed
Summary

ABB Arctic Wireless Gateways (ARG600, ARC600, ARR600, ARP600) firmware versions 3.4.10 through 3.4.13 contain multiple critical vulnerabilities (CWE-120 buffer overflow, CWE-269 improper access control, CWE-200 information exposure, CWE-22 path traversal, CWE-362 race condition). These vulnerabilities enable arbitrary code execution with elevated privileges, denial of service, and interception of unencrypted traffic. Exploitation is possible via malicious binary SMS messages to the embedded Telit PLS62-W cellular modem module or weak SSH authentication on exposed ports. The vulnerabilities reside in both the gateway firmware and the cellular modem itself, and currently no firmware patches are available.

What this means
What could happen
An attacker could execute arbitrary code on ABB Arctic Wireless Gateways with high privileges, potentially changing control logic, stopping operations, or intercepting unencrypted remote management traffic. A denial-of-service attack is also possible.
Who's at risk
Energy utilities and transportation operations using ABB Arctic ARG600, ARC600, ARR600, or ARP600 wireless gateways with firmware versions 3.4.10 through 3.4.13 are affected. These gateways are commonly deployed for remote SCADA system management and remote terminal unit (RTU) communication over cellular networks. Operations staff managing utility distribution networks, substations, and remote field sites should prioritize this.
How it could be exploited
An attacker on a mobile network could send specially crafted binary SMS messages to the Telit PLS62-W modem module, or exploit weak SSH authentication if the SSH port is exposed to the internet. Successful exploitation grants privileged code execution on the gateway, which sits between your utility's control network and remote management systems.
Prerequisites
  • Access to the cellular network, or an SSH port (typically 22) exposed to the internet
  • Cellular modem module present (Telit PLS62-W), or SSH service enabled
  • No authentication required for the modem-based attack; weak or default SSH credentials for the SSH vector
  • Remotely exploitable over cellular network
  • High EPSS score (46.7%)
  • No patch available for vulnerable firmware versions
  • Affects remote management and control systems
  • Affects products with Telit PLS62-W module (all versions, no fix planned)
  • Default or weak SSH credentials common in legacy industrial equipment
Exploitability
Likely to be exploited — EPSS score 48.1%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (11)
8 pending, 3 EOL

Product                                                                    | Affected Versions     | Fix Status
Arctic ARG600 with firmware version >=3.4.10 to <=3.4.13                   | ≥ 3.4.10, ≤ 3.4.13    | No fix yet
Arctic ARC600 with firmware version >=3.4.10 to <=3.4.13                   | ≥ 3.4.10, ≤ 3.4.13    | No fix yet
Arctic ARR600 with firmware version >=3.4.10 to <=3.4.13                   | ≥ 3.4.10, ≤ 3.4.13    | No fix yet
Arctic ARP600 with firmware version >=3.4.10 to <=3.4.13                   | ≥ 3.4.10, ≤ 3.4.13    | No fix yet
Arctic Wireless Gateway ARG600 with Telit PLS62-W wireless modem module    | All versions          | No fix (EOL)
Arctic ARG600 with firmware version >=3.4.10 to <=3.4.13                   | ARG600                | No fix yet
Arctic ARC600 with firmware version >=3.4.10 to <=3.4.13                   | ARC600                | No fix yet
Arctic ARR600 with firmware version >=3.4.10 to <=3.4.13                   | ARR600                | No fix yet
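The affected-products table reduces to two rules: the four gateway models are affected when their firmware falls in the inclusive window 3.4.10 to 3.4.13, and an ARG600 carrying the Telit PLS62-W modem module is affected in all versions with no fix planned. The script below applies those rules to a device inventory so an asset owner can see which gateways need the "Do now" mitigations first. It is an added example written for this page, not code from ABB or from the advisory source; the inventory records, hostnames and the `ssh_public` field are constructed for illustration, and it assumes firmware versions are recorded as plain `major.minor.patch` strings.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Inclusive firmware window taken from the advisory's affected-products table.
AFFECTED_MIN: Tuple[int, int, int] = (3, 4, 10)
AFFECTED_MAX: Tuple[int, int, int] = (3, 4, 13)
AFFECTED_MODELS = {"ARG600", "ARC600", "ARR600", "ARP600"}
# Modem module the table lists for the ARG600 as affected in all versions (no fix, EOL).
EOL_MODEM = "PLS62-W"


@dataclass
class Gateway:
    """One inventory record (constructed shape; adapt to your own asset database)."""
    hostname: str
    model: str
    firmware: str
    modem: Optional[str] = None   # e.g. "Telit PLS62-W"; None if not recorded
    ssh_public: bool = False      # True if TCP/22 is reachable from a public network


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '3.4.12' into (3, 4, 12) so ranges compare numerically, not as strings.

    A string comparison would wrongly place '3.4.100' inside the window; tuples of
    ints compare field by field and avoid that.
    """
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def firmware_affected(version: str) -> bool:
    """True when the firmware is within 3.4.10..3.4.13 inclusive."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def assess(gw: Gateway) -> List[str]:
    """Return the advisory findings that apply to one gateway (empty if none)."""
    findings: List[str] = []
    model = gw.model.strip().upper()
    if model in AFFECTED_MODELS and firmware_affected(gw.firmware):
        findings.append("firmware in affected range 3.4.10-3.4.13 (no fix yet)")
    # The table names the ARG600 for the modem-module row; other models carrying the
    # same module are not flagged here because the page does not list them.
    if model == "ARG600" and gw.modem and EOL_MODEM in gw.modem.upper():
        findings.append("Telit PLS62-W modem module: affected in all versions, no fix planned")
    # Exposure note for prioritising the SSH hardening items in the advisory.
    if findings and gw.ssh_public:
        findings.append("SSH (TCP/22) reachable from a public network; restrict to VPN")
    return findings


def triage(inventory: List[Gateway]) -> Dict[str, List[str]]:
    """Map every hostname to its findings; hosts with no findings map to []."""
    return {gw.hostname: assess(gw) for gw in inventory}


def affected_hosts(inventory: List[Gateway]) -> List[str]:
    """Sorted hostnames that have at least one finding."""
    return sorted(h for h, f in triage(inventory).items() if f)


# Constructed sample inventory (hostnames and values are illustrative only).
SAMPLE_INVENTORY = [
    Gateway("sub-01-gw", "ARG600", "3.4.12", modem="Telit PLS62-W", ssh_public=True),
    Gateway("sub-02-gw", "ARC600", "3.4.14"),                       # outside the window
    Gateway("rtu-07-gw", "ARP600", "3.4.10", ssh_public=True),       # lower bound, inclusive
    Gateway("depot-gw", "ARG600", "3.4.9", modem="Telit PLS62-W"),   # modem row only
]

if __name__ == "__main__":
    for host, findings in triage(SAMPLE_INVENTORY).items():
        status = "; ".join(findings) if findings else "not affected per advisory table"
        print(f"{host}: {status}")
```

Feed it your real inventory in place of `SAMPLE_INVENTORY`; any device that raises `ValueError` in `parse_version` has a firmware string the asset database needs to clean up before the triage can be trusted.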
Remediation & Mitigation
Do now
  • WORKAROUND: Request your cellular provider to disable binary SMS service on all mobile subscriptions used by Arctic gateways
  • HARDENING: Close the SSH port (port 22) to public networks and the internet; restrict SSH access to private networks or VPN-only connections
  • HARDENING: If SSH remote administration is required, establish all SSH connections through an OpenVPN tunnel instead of direct access
  • HARDENING: Disable SMS services completely if they are not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Segment Arctic Wireless Gateways behind firewalls and separate networks from office/general networks
  • HARDENING: Restrict physical access to all Arctic gateway devices
Long-term hardening
  • WORKAROUND: Request a private cellular access point from your mobile provider to limit broadcast attack surface