ABUP IoT Cloud Platform

Monitor | CVSS 6.8 | ICS-CERT ICSA-25-140-01 | May 20, 2025
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary

ABUP IoT Cloud Platform contained an authorization bypass vulnerability that allowed authenticated users to access device profiles outside their authorized scope. The vulnerable API method has been removed by the vendor as of April 19, 2025, ending the exposure period. Users should assume that attacker accounts may have accessed device configurations and other profile information during the window prior to remediation.

What this means
What could happen
An attacker with a valid account on the ABUP IoT Cloud Platform could view device profiles and settings they should not have access to, potentially exposing configuration details of connected industrial devices. The exposure period ended on April 19, 2025, when the vulnerable method was removed.
Who's at risk
Water utilities and municipalities using the ABUP IoT Cloud Platform to manage remote sensors, control devices, or industrial equipment should be aware of this vulnerability. Any organization that provisioned devices through this platform and uses it for asset management is affected.
How it could be exploited
An attacker with legitimate credentials to the ABUP IoT Cloud Platform could access the vulnerable API method to retrieve device profiles belonging to other users or devices outside their authorization scope. This requires an existing valid account and the vulnerable method to still be present, though the vendor has since removed it.
Prerequisites
  • Valid user account on ABUP IoT Cloud Platform
  • Network connectivity to the ABUP cloud service
  • Vulnerable API method still present (already remediated by vendor as of April 19, 2025)
  • no patch available
  • requires valid credentials
  • low EPSS (0.2%) but access to device profiles could enable reconnaissance
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (1)
Product | Affected Versions | Fix Status
ABUP IoT Cloud Platform: vers:all/* | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Review and reset authentication credentials (passwords, API keys) for all accounts that accessed the ABUP IoT Cloud Platform during the exposure period (before April 19, 2025)
HARDENING: Audit access logs for the ABUP IoT Cloud Platform to identify any unauthorized device profile access during the exposure window
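One way to run the access-log audit described above, as an added example that is not part of the advisory or the vendor's tooling. The CSV column names, account names, device IDs and the ownership inventory are all constructed assumptions; adapt them to whatever log export and asset inventory you actually have.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Advisory: vulnerable method removed April 19, 2025. UTC is an assumption.
EXPOSURE_END = datetime(2025, 4, 19, tzinfo=timezone.utc)

# Constructed inventory: device ID -> account authorized to manage it.
DEVICE_OWNER = {"dev-1001": "ops-north", "dev-2001": "ops-south",
                "dev-2002": "ops-south"}

# Constructed log export; the column names are hypothetical.
SAMPLE_LOG = """timestamp,account,device_id,action
2025-03-02T08:14:09Z,ops-north,dev-1001,profile_read
2025-03-02T08:15:41Z,ops-north,dev-2001,profile_read
2025-03-02T08:15:44Z,ops-north,dev-2002,profile_read
2025-04-10T11:02:30Z,ops-south,dev-2001,profile_read
2025-04-10T11:05:12Z,ops-south,dev-9999,profile_read
2025-04-18T23:40:00Z,ops-south,,login
2025-04-22T09:30:00Z,ops-north,dev-2001,profile_read
"""

def find_out_of_scope_reads(log_text, owners, exposure_end=EXPOSURE_END):
    """Return in-window profile reads by an account that does not own the device."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["action"] != "profile_read":
            continue
        ts = datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00"))
        if ts >= exposure_end:
            continue  # method already removed; outside the exposure window
        owner = owners.get(row["device_id"])
        if owner != row["account"]:
            # Devices missing from the inventory are flagged too, for manual review.
            reason = f"owned by {owner}" if owner else "device not in inventory"
            findings.append({"timestamp": ts, "account": row["account"],
                             "device_id": row["device_id"], "reason": reason})
    return findings

def devices_by_account(findings):
    """Group flagged device IDs per account to prioritise credential resets."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["account"]].add(f["device_id"])
    return {acct: sorted(devs) for acct, devs in grouped.items()}

if __name__ == "__main__":
    flagged = find_out_of_scope_reads(SAMPLE_LOG, DEVICE_OWNER)
    for acct, devs in devices_by_account(flagged).items():
        print(f"{acct}: out-of-scope profile reads for {', '.join(devs)}")
```

Accounts that appear in the output are the first candidates for the credential review in the workaround step, and the listed devices are the profiles to treat as disclosed.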
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Ensure ABUP IoT Cloud Platform access is restricted to trusted networks only; block direct Internet access to the platform from untrusted sources
Long-term hardening
HARDENING: Implement network segmentation to isolate devices managed through the ABUP platform from business networks and the Internet