Skip to main content
CVE Vulnerability Database

CVE-2025-6074: ABB RMC-100 Auth Bypass Vulnerability

CVE-2025-6074 is an authentication bypass flaw in ABB RMC-100 and RMC-100 LITE that exploits hard-coded cryptographic keys to access MQTT configuration data. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-6074 Overview

CVE-2025-6074 is a use of hard-coded cryptographic key vulnerability [CWE-321] affecting ABB RMC-100 and RMC-100 LITE remote modular controllers. These devices are deployed in industrial control system (ICS) environments, primarily for oil and gas measurement and automation. The flaw allows an attacker with access to source code and the control network to bypass authentication on the REST interface when it is enabled. Successful exploitation exposes MQTT configuration data, which can be leveraged for further reconnaissance or lateral movement within operational technology (OT) networks.

Critical Impact

Authentication bypass on the REST interface exposes MQTT configuration data, undermining confidentiality and integrity of industrial control communications.

Affected Products

  • ABB RMC-100 firmware versions 2105457-043 through 2105457-045
  • ABB RMC-100 LITE firmware versions 2106229-015 through 2106229-016
  • Deployments where the optional REST interface has been enabled by the operator

Discovery Timeline

  • 2025-07-03 - CVE-2025-6074 published to the National Vulnerability Database (NVD)
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-6074

Vulnerability Analysis

The vulnerability stems from a hard-coded cryptographic key embedded within the firmware of the ABB RMC-100 and RMC-100 LITE controllers. The REST management interface relies on this static key material to authenticate requests. Because the key is identical across all deployed devices of the affected firmware ranges, an attacker who obtains the firmware or source code can derive the key and forge valid authentication material.

Once authentication is bypassed, the attacker can query REST endpoints that expose MQTT configuration data. MQTT is commonly used to relay telemetry and control messages in ICS environments, so leaked broker addresses, topics, and credentials can enable adversaries to intercept process data or inject messages into downstream systems.

Exploitation requires two prerequisites: the REST interface must be explicitly enabled by the user, and the attacker must have network access to the control network. This limits opportunistic exploitation but remains realistic for insiders or attackers who have already breached the ICS perimeter.

Root Cause

The root cause is the storage of cryptographic key material directly in firmware rather than provisioning per-device unique keys during manufacturing or first boot. This design pattern is classified under [CWE-321] Use of Hard-coded Cryptographic Key.

Attack Vector

The attack is network-based and targets the REST interface exposed by affected controllers. An attacker with access to the source code or firmware image extracts the embedded key, connects to the control network, and issues authenticated REST requests to retrieve MQTT configuration data without valid credentials.

No verified proof-of-concept code is publicly available. Refer to the ABB Technical Document for vendor guidance.

Detection Methods for CVE-2025-6074

Indicators of Compromise

  • Unexpected REST API requests to RMC-100 or RMC-100 LITE devices from hosts that are not designated management workstations
  • Successful authentication events on the REST interface outside of maintenance windows
  • Egress connections from control network segments to unknown MQTT brokers following REST activity

Detection Strategies

  • Enable and centralize logging from RMC-100 controllers and correlate REST access events with authorized change tickets
  • Baseline normal MQTT broker endpoints and alert on configuration drift or new subscriber connections
  • Deploy passive ICS network monitoring to inspect REST and MQTT traffic patterns on OT segments

Monitoring Recommendations

  • Monitor the control network for HTTP or HTTPS traffic directed at RMC-100 REST endpoints from unauthorized sources
  • Alert on repeated REST authentication attempts or unusual GET requests targeting MQTT configuration resources
  • Track firmware versions across the fleet to identify devices still running affected 2105457-043 through 2105457-045 or 2106229-015 through 2106229-016 builds

How to Mitigate CVE-2025-6074

Immediate Actions Required

  • Inventory all ABB RMC-100 and RMC-100 LITE devices and confirm which have the REST interface enabled
  • Disable the REST interface on any device where it is not operationally required
  • Restrict control network access using segmentation, firewalls, and jump hosts so that only authorized engineering workstations can reach the controllers
  • Rotate any MQTT credentials that may have been exposed through the REST interface

Patch Information

ABB has published guidance in the ABB Technical Document. Operators should upgrade to firmware versions beyond the affected ranges (2105457-045 for RMC-100 and 2106229-016 for RMC-100 LITE) as directed by ABB advisories, and apply any vendor-supplied configuration hardening.

Workarounds

  • Keep the REST interface disabled unless it is strictly required for operations
  • Enforce strict network isolation between IT and OT networks using firewalls and unidirectional gateways where feasible
  • Require VPN or bastion-host access for any administrative interaction with RMC-100 devices
  • Protect firmware images and engineering source repositories with strong access controls to limit exposure of the embedded key
bash
# Example egress restriction for RMC-100 REST interface (adapt to your firewall syntax)
# Allow REST management only from a dedicated engineering workstation
allow tcp from 10.10.20.5/32 to 10.20.30.0/24 port 443
deny  tcp from any            to 10.20.30.0/24 port 443

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.