ABB M2M Gateway

Act Now | CVSS 8.8 | ICS-CERT ICSA-25-105-08 | Apr 7, 2025
Vendor: ABB | Sector: Energy

Attack path
  • Attack Vector: Network
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: None needed
Summary

The ABB M2M Gateway ARM600 and SW contain multiple vulnerabilities in firmware and software versions 4.1.2 through 5.0.3. These vulnerabilities include integer overflow, improper input validation, use-after-free, path traversal, weak cryptography, insufficient authentication, and other flaws affecting integrity, confidentiality, and availability. Successful exploitation could allow an attacker to stop the product, make it inaccessible, take remote control, or execute arbitrary code.

What this means
What could happen
An attacker with network access and valid credentials could take remote control of the M2M Gateway, execute arbitrary commands, or cause it to crash, disrupting remote site connectivity and Supervisory Control and Data Acquisition (SCADA) communications across your enterprise network.
Who's at risk
This affects energy utilities and industrial operators who use ABB M2M Gateway devices (ARM600 or SW) for remote site management and SCADA communications. Organizations relying on these gateways to connect distributed field sites (substations, generation facilities, grid control nodes) to central monitoring and control systems are at risk. Any site using firmware/software versions 4.1.2 through 5.0.3 is vulnerable.
How it could be exploited
An attacker could exploit multiple vulnerabilities in the M2M Gateway's communication protocols and authentication mechanisms. With network access to exposed ports and valid user credentials, they could inject malicious commands or payloads through multiple pathways—including DNS spoofing, ICMP manipulation, or direct protocol exploitation—to gain code execution on the gateway device and pivot to control remote industrial sites.
Prerequisites
  • Network access to the M2M Gateway from the Internet or an adjacent untrusted network
  • Valid user credentials (non-default username and password)
  • Knowledge of exposed communication ports (TCP/UDP 53, VPN port, or management ports)
  • Remotely exploitable
  • Requires valid user credentials, but CVSS implies low attack complexity
  • High EPSS score (92.5%) indicates high exploitation probability
  • No vendor patch planned; end-of-life product
  • Affects critical communication infrastructure for OT networks
Exploitability
Likely to be exploited — EPSS score 92.8%
Metasploit module available — weaponized exploit
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (2, both EOL)

Product                      | Affected Versions | Fix Status
M2M Gateway ARM600, firmware | ≥ 4.1.2, ≤ 5.0.3  | No fix (EOL)
M2M Gateway SW, software     | ≥ 5.0.1, ≤ 5.0.3  | No fix (EOL)
Remediation & Mitigation
Do now
  • [HARDENING] If the M2M Gateway must be Internet-accessible, restrict all inbound traffic to the VPN port only; disable or block all other ports and services
  • [WORKAROUND] Block TCP/UDP port 53 (DNS) at your firewall if DNS is not used by the M2M Gateway system
  • [HARDENING] Configure firewall allowlist rules to explicitly permit only required ports and protocols; block all other inbound and outbound traffic by default
  • [WORKAROUND] Filter ICMP type 13 and 14 packets from external networks using firewall rules to prevent time service enumeration
  • [HARDENING] Change all default user credentials on ARM600 and Arctic wireless gateways to complex, non-default, non-reusable passwords with special characters
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • [HARDENING] Implement continuous network monitoring and intrusion detection/prevention tools to detect anomalous traffic and commands targeting the M2M Gateway
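As an added illustration of the "Do now" firewall controls and the monitoring item above, here is a small Python audit (example code, not from OTPulse or ABB) that checks gateway-bound flow records against the posture the advisory recommends: from external networks only the VPN port is reachable, TCP/UDP 53 is blocked, and ICMP types 13 and 14 are filtered. The gateway address 192.0.2.10, the VPN listener UDP/1194, the internal address ranges and the key=value record format are assumptions, and the log lines are constructed for the example.

```python
"""Audit gateway-bound flow records against the advisory's recommended perimeter posture.

Expected posture (from the advisory): external traffic reaches the M2M Gateway only on
the VPN port; TCP/UDP 53 is blocked; ICMP timestamp request/reply (types 13 and 14)
from external networks is filtered. Anything else from outside is worth an alert.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed values (not from the advisory): gateway address and VPN listener.
GATEWAY_IP = ipaddress.ip_address("192.0.2.10")
VPN_PORT = ("udp", 1194)
# Address ranges treated as internal; any other source is external / adjacent-untrusted.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ICMP_TIMESTAMP_TYPES = {13, 14}  # ICMP timestamp request / reply, named in the advisory

KV_RE = re.compile(r"(\w+)=(\S+)")  # record format assumed: space-separated key=value pairs


@dataclass
class Finding:
    line_no: int
    src: str
    reason: str


def is_external(ip) -> bool:
    return not any(ip in net for net in INTERNAL_NETS)


def _int(fields: dict, key: str) -> int:
    try:
        return int(fields[key])
    except (KeyError, ValueError):
        return -1


def classify(line_no: int, line: str) -> Optional[Finding]:
    """Return a Finding if the record violates the expected posture, else None."""
    f = dict(KV_RE.findall(line))
    try:
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        proto = f["proto"].lower()
    except (KeyError, ValueError):
        return Finding(line_no, f.get("src", "?"), "unparseable record")
    if dst != GATEWAY_IP:
        return None  # only gateway-bound traffic is in scope here
    if proto in ("tcp", "udp"):
        dport = _int(f, "dport")
        if dport == 53:  # advisory: block DNS at the firewall if the gateway does not use it
            return Finding(line_no, str(src), f"{proto}/53 (DNS) to gateway; should be blocked if unused")
        if not is_external(src):
            return None  # internal management traffic is outside this check
        if (proto, dport) == VPN_PORT:
            return None  # the one inbound service the advisory allows from outside
        return Finding(line_no, str(src), f"external inbound to non-VPN port {proto}/{dport}")
    if proto == "icmp":
        itype = _int(f, "type")
        if is_external(src) and itype in ICMP_TIMESTAMP_TYPES:
            return Finding(line_no, str(src), f"ICMP type {itype} (timestamp) from external network")
        return None
    if is_external(src):
        return Finding(line_no, str(src), f"external inbound with unexpected protocol {proto}")
    return None


def audit(lines: List[str]) -> List[Finding]:
    """Run classify() over every non-empty record and collect the findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        fnd = classify(n, line)
        if fnd is not None:
            findings.append(fnd)
    return findings


# Constructed sample records (not real traffic); comments give the expected verdict.
SAMPLE_LOG = [
    "2025-04-07T10:00:01Z src=203.0.113.5 dst=192.0.2.10 proto=udp dport=1194",  # VPN: expected
    "2025-04-07T10:00:02Z src=203.0.113.5 dst=192.0.2.10 proto=udp dport=53",    # DNS: flagged
    "2025-04-07T10:00:03Z src=198.51.100.7 dst=192.0.2.10 proto=icmp type=13",   # timestamp: flagged
    "2025-04-07T10:00:04Z src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22",   # external SSH: flagged
    "2025-04-07T10:00:05Z src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=443",      # internal mgmt: not flagged
    "2025-04-07T10:00:06Z src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=53",       # DNS from inside: flagged
    "2025-04-07T10:00:07Z src=203.0.113.9 dst=192.0.2.20 proto=tcp dport=80",    # not the gateway: ignored
    "garbage line with no fields",                                               # unparseable: flagged
]

if __name__ == "__main__":
    for fnd in audit(SAMPLE_LOG):
        print(f"line {fnd.line_no}: {fnd.src}: {fnd.reason}")
```

The same rules express the firewall policy the advisory asks for, so the script doubles as a check that the allowlist actually took effect: a record that trips a finding after the rules are deployed means the firewall is not enforcing that item.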
Mitigations - no patch available
The following products have reached End of Life with no planned fix: M2M Gateway ARM600 (firmware) and M2M Gateway SW (software). Apply the following compensating controls:
  • [HARDENING] Implement a private cellular access point (APN) and dedicated SIM subscriptions with your cellular provider to avoid exposing M2M Gateway traffic to the Internet
  • [HARDENING] Place the M2M Gateway in a demilitarized zone (DMZ) segregated from your OT network by a firewall; route all Internet-bound VPN traffic through the DMZ

ABB M2M Gateway | CVSS 8.8 - OTPulse