ABB RMC-100

Plan PatchCVSS 8.2ICS-CERT ICSA-25-196-02Jul 3, 2025

ABBManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The RMC-100 and RMC-100 LITE controllers contain three vulnerabilities in their MQTT and REST interface implementation: unauthenticated access to MQTT configuration data, weak cryptography allowing decryption of stored MQTT broker credentials, and a denial-of-service condition in the REST configuration web server. These vulnerabilities allow an attacker with network access to the device to read sensitive configuration, decrypt credentials, or disrupt the REST interface. Exploitation requires network access to the control network but no valid credentials. The REST interface is enabled by default.

What this means

What could happen

An attacker with access to your control network could decrypt stored MQTT broker credentials, read MQTT configuration data without authentication, or crash the REST configuration interface, potentially disrupting remote monitoring or control operations.

Who's at risk

Manufacturing facilities and process automation environments that use ABB RMC-100 or RMC-100 LITE remote management controllers, particularly those using MQTT for remote monitoring, configuration, or telemetry.

How it could be exploited

An attacker on your internal control network sends unauthenticated requests to the RMC-100's REST interface to access or enumerate MQTT configuration data, decrypt stored credentials, or send requests that cause the web server to become unresponsive. The attack requires network access to the device's REST interface (default port 8080) but no valid credentials.

Prerequisites

Network access to RMC-100 REST interface (port 8080 or configured port)
RMC-100 is on the same network or reachable via network routing
REST interface is enabled (enabled by default)

remotely exploitableno authentication requiredlow complexityaffects MQTT security credentials and configurationdefault configuration is vulnerable

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (4)

2 with fix2 EOL

ProductAffected VersionsFix Status

RMC-100≥ 2105457-043|≤ 2105457-0452105457-046

RMC-100 LITE≥ 2106229-015|≤ 2106229-0162106229-018

RMC-100: >=2105457-043|<=2105457-045≥ 2105457-043|≤ 2105457-045No fix (EOL)

RMC-100 LITE: >=2106229-015|<=2106229-016≥ 2106229-015|≤ 2106229-016No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

RMC-100

WORKAROUNDDisable the REST interface on RMC-100 and RMC-100 LITE when not actively configuring MQTT functionality

HARDENINGRestrict network access to the RMC-100 REST interface using firewall rules; allow connections only from authorized engineering workstations or configuration systems

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

RMC-100

HOTFIXUpdate RMC-100 to firmware version 2105457-046 or later

HOTFIXUpdate RMC-100 LITE to firmware version 2106229-018 or later

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: RMC-100: >=2105457-043|<=2105457-045, RMC-100 LITE: >=2106229-015|<=2106229-016. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate the control network (RMC-100 and automation devices) from general office networks and the Internet

CVEs (4)

CVE-2025-6074 CVE-2025-6073 CVE-2025-6072 CVE-2025-6071

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6d5edc7f-17ff-4623-9f40-a86fa3fb574c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.