# Critical Path Traversal Vulnerability Exposes ABB PCM600 Control Systems to Arbitrary Code Execution


## The Threat


ABB's Protection and Control IED Manager (PCM600) software contains a critical vulnerability that allows attackers to execute arbitrary code on systems running affected versions. Tracked as CVE-2018-1002208, the flaw exists within the SharpZip.dll library included in PCM600 and can be exploited through specially crafted messages sent directly to the system node, bypassing traditional security perimeters.


The vulnerability represents a significant risk to critical manufacturing infrastructure worldwide. PCM600 is widely deployed in power generation, distribution systems, and industrial control environments where reliability and security are paramount. An attacker who successfully exploits this path traversal weakness gains the ability to execute arbitrary commands with the privileges of the affected process, potentially allowing them to modify system behavior, disable protective functions, or launch cascading failures across interconnected systems.


What makes this vulnerability particularly dangerous is the combination of a local attack vector with a user interaction requirement: although exploitation requires some level of access and social engineering, the barrier to entry is notably lower than for remote code execution vulnerabilities. Organizations running unpatched versions from 1.5 to 2.13 remain exposed to this risk, particularly in environments where system administrators are not aware of the vulnerability or face operational constraints that prevent timely patching.


## Severity and Impact


| Metric | Details |
|--------|---------|
| CVE Identifier | CVE-2018-1002208 |
| CVSS v3.1 Score | 4.4 (MEDIUM) |
| CVSS Vector | AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory |
| Attack Vector | Local |
| Attack Complexity | High |
| Privileges Required | Low |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | High |
| Availability Impact | None |


The MEDIUM severity rating reflects the local attack vector and authentication requirements, but the integrity impact—the ability to modify files and execute code—remains significant. In industrial control environments, even a MEDIUM-rated vulnerability can have outsized consequences if it enables modification of safety-critical configurations or protective logic.


## Affected Products


The following versions of ABB PCM600 are vulnerable:


  • ABB PCM600 versions 1.5 through 2.13 (inclusive)

Organizations should verify their installed version through ABB's software interface or system administration tools. Version 2.14 and later contain the necessary patches.


### Compatibility Consideration


ABB has noted a critical compatibility issue: RE_630 protection relays are not compatible with PCM600 version 2.14. Organizations currently running PCM600 with RE_630 protection relays cannot upgrade without replacing or bypassing the relay hardware. For these environments, ABB recommends implementing compensating security controls at the network and system level rather than attempting the upgrade.


## Mitigations


### Immediate Actions


Patch to Version 2.14: ABB released version 2.14 as the corrected version for CVE-2018-1002208. Organizations without RE_630 hardware compatibility concerns should prioritize deployment of this update at the earliest opportunity. Patching should follow standard change management procedures to minimize operational disruption, but given the arbitrary code execution risk, expedited deployment is recommended.


For Systems With RE_630 Relays: Since upgrading to the patched version is not feasible for systems using RE_630 protection relays, organizations should implement the following defense-in-depth measures:


### Network Segmentation and Access Controls


  • Isolate PCM600 systems from the business network using air-gapping, VLAN segregation, or dedicated network segments
  • Restrict access to PCM600 through firewalls and access control lists, allowing connections only from authorized administrative workstations
  • Implement strict network policies that prevent any PCM600 system from being accessible via the internet or untrusted networks
  • Deploy network intrusion detection and prevention systems capable of monitoring and blocking malicious traffic patterns targeting industrial control systems

### Administrative Controls


  • Limit user access to PCM600 systems using the principle of least privilege—only operators and engineers who require direct access should have system credentials
  • Enforce strong authentication on all accounts with PCM600 access, including multi-factor authentication where technically feasible
  • Monitor and log all access to PCM600 systems to detect unauthorized connection attempts or suspicious activity
  • Conduct security awareness training for staff on the risks of social engineering and the specific threat posed by this vulnerability

### Additional Defense Layers


  • Implement application whitelisting to prevent unauthorized executable execution on PCM600 systems
  • Use file integrity monitoring to detect unauthorized modifications to system files that might indicate exploitation attempts
  • Maintain offline backups of critical PCM600 configurations to enable rapid recovery if a system is compromised
  • Develop and regularly test incident response procedures specific to industrial control system compromise scenarios
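As an added illustration (not code from ABB, the advisory, or the affected library), the following Python scanner applies the CWE-22 check that a patched archive extractor must perform: every entry name is normalised and rejected if it would resolve outside the extraction directory. The sample archive and the destination path are constructed here for demonstration and do not correspond to any real PCM600 file layout.

```python
import io
import posixpath
import zipfile


def is_traversal(entry_name: str, dest_dir: str = "/tmp/extract") -> bool:
    """Return True if extracting entry_name would write outside dest_dir.

    This is the guard a safe extractor needs: archive entry names are
    attacker-controlled data, so the resolved target path must still lie
    beneath the destination directory after '..' segments are collapsed.
    """
    dest = posixpath.normpath(dest_dir)
    # Treat backslashes as separators, as a Windows extractor would.
    name = entry_name.replace("\\", "/")
    # Absolute paths and drive letters are never legitimate in an archive.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    target = posixpath.normpath(posixpath.join(dest, name))
    return not (target == dest or target.startswith(dest + "/"))


def scan_archive(data: bytes, dest_dir: str = "/tmp/extract") -> list:
    """Return the names of entries that would escape dest_dir (for rejection)."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_traversal(info.filename, dest_dir):
                flagged.append(info.filename)
    return flagged


def build_sample() -> bytes:
    """Constructed sample archive: one benign entry plus two traversal entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/settings.xml", "<config/>")
        zf.writestr("../../Windows/Temp/evil.dll", b"\x00")  # '..' escape
        zf.writestr("..\\..\\ProgramData\\evil.exe", b"\x00")  # backslash form
    return buf.getvalue()


if __name__ == "__main__":
    for name in scan_archive(build_sample()):
        print("REJECT", name)
```

Run the scanner over an archive before handing it to an extractor that cannot be patched; any flagged entry is grounds to quarantine the file rather than open it.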

## References


For complete technical details and remediation guidance, consult the following resources:


  • ABB PSIRT Security Advisory 2NGA002813 (PDF version): https://search.abb.com/library/Download.aspx?DocumentID=2NGA002813&LanguageCode=en&DocumentPartId=pdf&Action=Launch
  • ABB PSIRT Security Advisory 2NGA002813 (CSAF version): https://psirt.abb.com/csaf/2025/2nga002813.json
  • CVE-2018-1002208 Details: National Vulnerability Database and CISA advisories
  • CWE-22 Reference: https://cwe.mitre.org/data/definitions/22.html

## Recommendations for Security Teams


Organizations operating ABB PCM600 systems should treat this vulnerability with appropriate urgency despite its MEDIUM CVSS rating. Conduct a rapid inventory of all PCM600 deployments to identify affected versions and hardware compatibility constraints. For systems that can be updated, prioritize patching within 30 days. For systems with RE_630 relays, begin implementation of compensating controls immediately and develop a longer-term upgrade strategy that includes hardware replacement or relay migration.


Given the critical nature of manufacturing environments, coordinate patching efforts with operational teams to schedule updates during maintenance windows that minimize production impact. Simultaneously, activate enhanced monitoring and logging on unpatched systems to detect any exploitation attempts during the remediation window.


Report any suspected exploitation to ABB PSIRT and coordinate with CISA for incident response guidance if compromise is suspected.