CVE-2025-6073 Overview
CVE-2025-6073 is a stack-based buffer overflow [CWE-121] affecting ABB RMC-100 and RMC-100 LITE remote modular controllers used in industrial automation environments. The flaw resides in the REST interface authentication handler, where the username or password buffer can be overflowed under specific conditions. Exploitation requires the REST interface to be enabled, user/password broker authentication to be active, and the attacker to first leverage CVE-2025-6074 to reach the vulnerable code path. Successful exploitation impacts availability of the affected controllers operating on industrial control networks.
Critical Impact
A network-positioned attacker can overflow stack buffers in the REST interface authentication routine, leading to denial of service against ABB RMC-100 controllers when chained with CVE-2025-6074.
Affected Products
- ABB RMC-100 firmware versions 2105457-043 through 2105457-045
- ABB RMC-100 LITE firmware versions 2106229-015 through 2106229-016
- Deployments with REST interface enabled and broker authentication configured
Discovery Timeline
- 2025-07-03 - CVE-2025-6073 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in the NVD
Technical Details for CVE-2025-6073
Vulnerability Analysis
The vulnerability is a classic stack-based buffer overflow [CWE-121] in the REST interface of the ABB RMC-100 and RMC-100 LITE controllers. When user/password broker authentication is enabled, the firmware copies attacker-supplied credential fields into fixed-size stack buffers without enforcing length boundaries. Submitting a username or password that exceeds the allocated stack buffer overwrites adjacent stack memory, including saved return addresses and frame data.
Exploitation is gated by several preconditions. The REST interface must be enabled by the operator, the attacker must have network reachability to the control network, broker authentication must be active, and the related authentication bypass tracked as CVE-2025-6074 must first be exploited to reach the vulnerable parsing routine. The resulting memory corruption disrupts controller operation, producing a loss of availability for the affected device.
Root Cause
The root cause is missing input length validation in the REST authentication handler. Credential fields received over HTTP are copied into stack-allocated buffers using unbounded string operations, allowing oversized inputs to corrupt the stack frame of the authentication function.
Attack Vector
The attack vector is network-based and requires no user interaction. The attacker must reach the controller's REST endpoint over the control network, bypass authentication using CVE-2025-6074, and then submit an oversized username or password field. No verified public exploit code or proof-of-concept is currently available for this issue. Technical details and remediation guidance are documented in the ABB Security Advisory.
Detection Methods for CVE-2025-6073
Indicators of Compromise
- Unexpected restarts, watchdog resets, or crash events on RMC-100 or RMC-100 LITE controllers running affected firmware
- Anomalous HTTP POST or PUT requests to the controller REST endpoint containing oversized username or password fields
- Authentication attempts originating from hosts that do not normally communicate with the controller
Detection Strategies
- Inspect REST traffic to RMC-100 controllers for credential field lengths that exceed normal operational values
- Correlate authentication failures or anomalies with subsequent controller availability events to identify chained exploitation with CVE-2025-6074
- Baseline expected operator workstations and engineering hosts that interact with the REST interface and alert on deviations
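The three strategies above can be combined into one triage pass over sensor output. The following is an added example, not code from the page or from ABB: it takes constructed REST authentication request records and controller availability events, flags credential fields longer than an assumed threshold (the advisory gives no buffer size, so MAX_CREDENTIAL_LEN is a placeholder to tune to the longest legitimate credential), flags sources outside a constructed baseline, and correlates each flagged request with a restart or watchdog event on the same controller inside an assumed window. The request path "/auth" and the record layout are assumptions as well.

```python
import json
from datetime import datetime, timedelta

# Assumed threshold: not from the advisory; tune to the longest credential in use.
MAX_CREDENTIAL_LEN = 64
# Constructed baseline of engineering hosts expected to use the REST interface.
BASELINE_HOSTS = {"10.10.1.20", "10.10.1.21"}
# Assumed correlation window between a suspicious request and an availability event.
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed sample records in the shape a network sensor might export.
SAMPLE_REQUESTS = [
    {"ts": "2025-07-03T10:00:00Z", "src": "10.10.1.20", "dst": "10.10.9.7",
     "method": "POST", "path": "/auth",
     "body": json.dumps({"username": "operator1", "password": "correct-horse-battery"})},
    {"ts": "2025-07-03T10:02:10Z", "src": "10.10.5.44", "dst": "10.10.9.7",
     "method": "POST", "path": "/auth",
     "body": json.dumps({"username": "A" * 300, "password": "x"})},
    {"ts": "2025-07-03T10:02:15Z", "src": "10.10.5.44", "dst": "10.10.9.7",
     "method": "POST", "path": "/auth",
     "body": "{not json"},
]
# Constructed controller availability events (restart, watchdog reset).
SAMPLE_EVENTS = [
    {"ts": "2025-07-03T10:03:02Z", "device": "10.10.9.7", "event": "watchdog_reset"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def credential_lengths(body):
    """Return (username_len, password_len) from a JSON body, or None if unparsable."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    return len(str(data.get("username", ""))), len(str(data.get("password", "")))


def analyze_request(req):
    """Return the list of findings for one request (empty list means nothing unusual)."""
    findings = []
    lengths = credential_lengths(req["body"])
    if lengths is None:
        # A malformed body to an auth endpoint is itself worth a look.
        findings.append("unparsable_body")
    else:
        user_len, pass_len = lengths
        if user_len > MAX_CREDENTIAL_LEN:
            findings.append(f"oversized_username:{user_len}")
        if pass_len > MAX_CREDENTIAL_LEN:
            findings.append(f"oversized_password:{pass_len}")
    if req["src"] not in BASELINE_HOSTS:
        findings.append("non_baseline_source")
    return findings


def correlate(requests, events, window=CORRELATION_WINDOW):
    """Pair each flagged request with the first availability event on the same
    controller that follows it within the window; None when no event matched."""
    alerts = []
    for req in requests:
        findings = analyze_request(req)
        if not findings:
            continue
        sent = parse_ts(req["ts"])
        matched = None
        for ev in events:
            if ev["device"] == req["dst"] and sent <= parse_ts(ev["ts"]) <= sent + window:
                matched = ev
                break
        alerts.append({"ts": req["ts"], "src": req["src"], "dst": req["dst"],
                       "findings": findings, "availability_event": matched})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_REQUESTS, SAMPLE_EVENTS):
        print(alert)
```

A flagged request with a matching availability event is the signal worth escalating: an oversized credential alone may be a misconfigured client, but an oversized credential from a non-baseline host followed by a watchdog reset on the same controller matches the chained pattern the advisory describes.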
Monitoring Recommendations
- Enable logging on perimeter and zone firewalls between the IT network and the control network for all traffic destined to RMC-100 REST endpoints
- Forward controller event logs and network telemetry to a centralized SIEM for correlation and long-term retention
- Monitor for unscheduled reboots or process disruptions on industrial controllers and alert operations staff in real time
How to Mitigate CVE-2025-6073
Immediate Actions Required
- Disable the REST interface on RMC-100 and RMC-100 LITE controllers unless it is operationally required
- Restrict network access to the controller's management interface using firewall rules that permit only authorized engineering workstations
- Inventory all RMC-100 and RMC-100 LITE devices and identify those running firmware versions in the vulnerable ranges
- Review broker authentication configuration and rotate any credentials that may have been exposed
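The inventory step is easy to get wrong by eye because the firmware strings differ only in the trailing number. The following is an added example, not code from the page or from ABB: it encodes the affected ranges exactly as listed in this advisory, parses version strings of the form NNNNNNN-NNN, and triages a constructed inventory into devices that are exposed (affected firmware with REST and broker authentication both enabled), devices on affected firmware whose preconditions are not met, and devices outside the listed ranges. The inventory record layout and device names are assumptions; the advisory does not name a fixed version, so a version outside the range is reported only as outside the listed range.

```python
import re

# Affected ranges as listed in the advisory: (firmware prefix, first build, last build).
AFFECTED = {
    "RMC-100": ("2105457", 43, 45),
    "RMC-100 LITE": ("2106229", 15, 16),
}
VERSION_RE = re.compile(r"^(\d{7})-(\d{3})$")


def parse_version(version):
    """Split '2105457-044' into ('2105457', 44); reject anything else loudly."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version string: {version!r}")
    return match.group(1), int(match.group(2))


def is_affected(model, version):
    """True when the firmware prefix matches the model and the build is in range."""
    if model not in AFFECTED:
        return False
    prefix, low, high = AFFECTED[model]
    found_prefix, build = parse_version(version)
    return found_prefix == prefix and low <= build <= high


def triage(inventory):
    """Map device name to 'exposed', 'affected_firmware' or 'outside_listed_range'.
    Each record needs: name, model, firmware, rest_enabled, broker_auth."""
    result = {}
    for device in inventory:
        if not is_affected(device["model"], device["firmware"]):
            result[device["name"]] = "outside_listed_range"
        elif device["rest_enabled"] and device["broker_auth"]:
            # Both preconditions from the advisory are met: prioritise for patching
            # or for disabling the REST interface.
            result[device["name"]] = "exposed"
        else:
            result[device["name"]] = "affected_firmware"
    return result


# Constructed inventory; names, addresses and settings are made up for the example.
SAMPLE_INVENTORY = [
    {"name": "rmc-site-01", "model": "RMC-100", "firmware": "2105457-044",
     "rest_enabled": True, "broker_auth": True},
    {"name": "rmc-site-02", "model": "RMC-100", "firmware": "2105457-045",
     "rest_enabled": False, "broker_auth": True},
    {"name": "rmc-lite-07", "model": "RMC-100 LITE", "firmware": "2106229-016",
     "rest_enabled": True, "broker_auth": False},
    {"name": "rmc-lite-08", "model": "RMC-100 LITE", "firmware": "2106229-014",
     "rest_enabled": True, "broker_auth": True},
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

Devices reported as affected_firmware still need the update; the split only orders the work so that controllers meeting both exploitation preconditions are handled first.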
Patch Information
ABB has published remediation guidance in the vendor advisory. Refer to the ABB Security Advisory document 9AKK108471A3623 for firmware updates addressing both CVE-2025-6073 and the chained vulnerability CVE-2025-6074. Apply the vendor-supplied firmware update on RMC-100 (2105457-043 through 2105457-045) and RMC-100 LITE (2106229-015 through 2106229-016) following standard change-control procedures for operational technology environments.
Workarounds
- Disable the REST interface where it is not required for production operations
- Place affected controllers behind a dedicated industrial firewall that blocks REST traffic from untrusted segments
- Segment the control network from the corporate network and enforce strict access control lists between zones consistent with IEC 62443 guidance
- Require VPN access with multi-factor authentication for any remote engineering connections to the control network
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.