CVE-2025-6072 Overview
CVE-2025-6072 is a stack-based buffer overflow [CWE-121] affecting ABB RMC-100 and RMC-100 LITE remote modular controllers used in industrial automation environments. The flaw resides in the REST interface handling of the JSON configuration, where the date of expiration field can be overflowed when processed by the device. Exploitation requires the REST interface to be enabled, network access to the control network, and chaining with CVE-2025-6074. Successful exploitation impacts availability of the controller, disrupting process control operations.
Critical Impact
An attacker with control-network access can overflow a stack buffer through the REST JSON configuration interface, causing denial of service on RMC-100 controllers managing industrial processes.
Affected Products
- ABB RMC-100, firmware 2105457-043 through 2105457-045
- ABB RMC-100 LITE, firmware 2106229-015 through 2106229-016
- Deployments where the REST interface is enabled by the user
Discovery Timeline
- 2025-07-03 - CVE-2025-6072 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-6072
Vulnerability Analysis
The vulnerability is a stack-based buffer overflow classified under [CWE-121]. It is triggered through the REST management interface exposed by the RMC-100 and RMC-100 LITE controllers. The device accepts a JSON configuration payload that contains a date of expiration field. When this field is processed, the firmware copies attacker-supplied data into a fixed-size stack buffer without enforcing length boundaries.
The issue is not directly reachable in a default secure configuration. The REST interface must be enabled, the attacker must reach the control network, and CVE-2025-6074 must be exploited to bypass the protection that normally restricts the JSON configuration path. Once chained, the overflow corrupts adjacent stack memory, including saved return addresses, which leads to a controller crash and loss of availability for the affected industrial process.
Root Cause
The root cause is missing input length validation on the date of expiration field within the JSON configuration parser. The firmware assumes the field conforms to a fixed date format and copies it into a stack buffer sized for that format. Oversized input writes beyond the buffer, overwriting control data on the stack.
Attack Vector
The attack vector is network-based and unauthenticated, but conditional. The attacker must first obtain access to the control network segment that hosts the RMC-100 device. The attacker then exploits CVE-2025-6074 to access the REST configuration endpoint and submits a crafted JSON document with an oversized date of expiration value. The malformed payload reaches the vulnerable parser and overflows the stack buffer, impacting controller availability.
No verified public proof-of-concept code is available. Technical specifics are described in the ABB security advisory.
Detection Methods for CVE-2025-6072
Indicators of Compromise
- Unexpected restarts, watchdog resets, or loss of process control on RMC-100 or RMC-100 LITE devices
- HTTP/HTTPS POST or PUT requests to the controller REST endpoint containing oversized date of expiration values
- JSON configuration payloads originating from non-engineering workstations or unmanaged hosts on the control network
- Failed or partial controller configuration writes correlated with subsequent device unavailability
Detection Strategies
- Inspect network traffic to the RMC-100 REST interface for JSON payloads that exceed expected field lengths
- Alert on any REST configuration activity sourced from outside the authorized engineering subnet
- Correlate device availability alarms in the SCADA historian with REST API requests received in the same time window
- Track firmware versions across the fleet and flag devices running 2105457-043 through 2105457-045 or 2106229-015 through 2106229-016
Monitoring Recommendations
- Enable verbose logging on perimeter firewalls and OT gateways for traffic destined to RMC-100 management ports
- Forward controller syslog and SCADA polling status into a centralized SIEM for correlation with network telemetry
- Baseline normal REST configuration cadence and alert on off-hours or high-frequency configuration attempts
- Monitor for repeated TCP resets or connection failures to the controller, which may indicate crash-loop behavior
How to Mitigate CVE-2025-6072
Immediate Actions Required
- Disable the REST interface on RMC-100 and RMC-100 LITE devices unless it is operationally required
- Restrict control network access using firewall rules and ACLs so only authorized engineering workstations can reach the controller
- Identify and inventory all RMC-100 and RMC-100 LITE devices running affected firmware ranges
- Apply the vendor-provided firmware update once available for your specific device model
Patch Information
ABB has published a security advisory describing the affected firmware ranges and remediation guidance. Refer to the ABB security advisory PDF for firmware update instructions covering RMC-100 versions 2105457-043 through 2105457-045 and RMC-100 LITE versions 2106229-015 through 2106229-016.
Workarounds
- Turn off the REST interface in the controller configuration when not actively required for integration
- Place RMC-100 devices behind an OT-aware firewall that blocks inbound HTTP/HTTPS from non-engineering hosts
- Segment the control network from corporate IT and remote access zones using a demilitarized zone with strict allow-listing
- Require jump-host access with multifactor authentication for any operator that needs to reach controller management interfaces
# Example: restrict REST access to a single engineering workstation using iptables on an upstream OT gateway
iptables -A FORWARD -p tcp -s 10.10.20.15 -d 10.20.30.0/24 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.20.30.0/24 --dport 443 -j DROP
iptables -A FORWARD -p tcp -d 10.20.30.0/24 --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
