CVE-2025-6074 Overview
CVE-2025-6074 is a use of hard-coded cryptographic key vulnerability [CWE-321] affecting ABB RMC-100 and RMC-100 LITE remote modular controllers. These devices are deployed in industrial control system (ICS) environments, primarily for oil and gas measurement and automation. The flaw allows an attacker with access to source code and the control network to bypass authentication on the REST interface when it is enabled. Successful exploitation exposes MQTT configuration data, which can be leveraged for further reconnaissance or lateral movement within operational technology (OT) networks.
Critical Impact
Authentication bypass on the REST interface exposes MQTT configuration data, undermining confidentiality and integrity of industrial control communications.
Affected Products
- ABB RMC-100 firmware versions 2105457-043 through 2105457-045
- ABB RMC-100 LITE firmware versions 2106229-015 through 2106229-016
- Deployments where the optional REST interface has been enabled by the operator
Discovery Timeline
- 2025-07-03 - CVE-2025-6074 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-6074
Vulnerability Analysis
The vulnerability stems from a hard-coded cryptographic key embedded within the firmware of the ABB RMC-100 and RMC-100 LITE controllers. The REST management interface relies on this static key material to authenticate requests. Because the key is identical across all deployed devices of the affected firmware ranges, an attacker who obtains the firmware or source code can derive the key and forge valid authentication material.
Once authentication is bypassed, the attacker can query REST endpoints that expose MQTT configuration data. MQTT is commonly used to relay telemetry and control messages in ICS environments, so leaked broker addresses, topics, and credentials can enable adversaries to intercept process data or inject messages into downstream systems.
Exploitation requires two prerequisites: the REST interface must be explicitly enabled by the user, and the attacker must have network access to the control network. This limits opportunistic exploitation but remains realistic for insiders or attackers who have already breached the ICS perimeter.
Root Cause
The root cause is the storage of cryptographic key material directly in firmware rather than provisioning per-device unique keys during manufacturing or first boot. This design pattern is classified under [CWE-321] Use of Hard-coded Cryptographic Key.
Attack Vector
The attack is network-based and targets the REST interface exposed by affected controllers. An attacker with access to the source code or firmware image extracts the embedded key, connects to the control network, and issues authenticated REST requests to retrieve MQTT configuration data without valid credentials.
No verified proof-of-concept code is publicly available. Refer to the ABB Technical Document for vendor guidance.
Detection Methods for CVE-2025-6074
Indicators of Compromise
- Unexpected REST API requests to RMC-100 or RMC-100 LITE devices from hosts that are not designated management workstations
- Successful authentication events on the REST interface outside of maintenance windows
- Egress connections from control network segments to unknown MQTT brokers following REST activity
Detection Strategies
- Enable and centralize logging from RMC-100 controllers and correlate REST access events with authorized change tickets
- Baseline normal MQTT broker endpoints and alert on configuration drift or new subscriber connections
- Deploy passive ICS network monitoring to inspect REST and MQTT traffic patterns on OT segments
Monitoring Recommendations
- Monitor the control network for HTTP or HTTPS traffic directed at RMC-100 REST endpoints from unauthorized sources
- Alert on repeated REST authentication attempts or unusual GET requests targeting MQTT configuration resources
- Track firmware versions across the fleet to identify devices still running affected 2105457-043 through 2105457-045 or 2106229-015 through 2106229-016 builds
How to Mitigate CVE-2025-6074
Immediate Actions Required
- Inventory all ABB RMC-100 and RMC-100 LITE devices and confirm which have the REST interface enabled
- Disable the REST interface on any device where it is not operationally required
- Restrict control network access using segmentation, firewalls, and jump hosts so that only authorized engineering workstations can reach the controllers
- Rotate any MQTT credentials that may have been exposed through the REST interface
Patch Information
ABB has published guidance in the ABB Technical Document. Operators should upgrade to firmware versions beyond the affected ranges (2105457-045 for RMC-100 and 2106229-016 for RMC-100 LITE) as directed by ABB advisories, and apply any vendor-supplied configuration hardening.
Workarounds
- Keep the REST interface disabled unless it is strictly required for operations
- Enforce strict network isolation between IT and OT networks using firewalls and unidirectional gateways where feasible
- Require VPN or bastion-host access for any administrative interaction with RMC-100 devices
- Protect firmware images and engineering source repositories with strong access controls to limit exposure of the embedded key
# Example egress restriction for RMC-100 REST interface (adapt to your firewall syntax)
# Allow REST management only from a dedicated engineering workstation
allow tcp from 10.10.20.5/32 to 10.20.30.0/24 port 443
deny tcp from any to 10.20.30.0/24 port 443
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

