PatchSiren cyber security CVE debrief

CVE-2016-10009 ABB CVE debrief

CVE-2016-10009 is a medium-severity OpenSSH issue that CISA mapped to ABB M2M Gateway ARM600 and ABB M2M Gateway SW in its 2025-04-07 CSAF advisory. The vulnerability affects ssh-agent behavior when a forwarded agent socket can be controlled, potentially allowing execution of local PKCS#11 modules. In ABB’s advisory context, the practical risk is highest for systems that expose management or remote-access paths broadly, especially where agent forwarding or similar SSH workflows are in use.

Vendor: ABB
Product: ABB M2M Gateway ARM600
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-07
Original CVE updated: 2025-04-07
Advisory published: 2025-04-07
Advisory updated: 2025-04-07

Who should care

OT/ICS operators using ABB M2M Gateway ARM600 or ABB M2M Gateway SW versions listed in the advisory, along with administrators responsible for SSH access, remote administration, firewall policy, and jump-host/remote access design.

Technical summary

The supplied description states that ssh-agent in OpenSSH before 7.4 has an untrusted search path vulnerability in ssh-agent.c. An attacker who can leverage control over a forwarded agent socket may cause execution of arbitrary local PKCS#11 modules. CISA’s CSAF advisory associates this CVE with ABB M2M Gateway ARM600 firmware versions 4.1.2 through 5.0.3 and ABB M2M Gateway SW versions 5.0.1 through 5.0.3. The supplied remediation text emphasizes reducing internet exposure, using VPN/DMZ segmentation, allowlisting, strong credentials, least privilege, monitoring, and regular patching/hardening.

Defensive priority

Medium. Treat as important for exposed or remotely administered OT environments, but the supplied data does not place it in KEV. Prioritize where SSH-based remote access, forwarded agent sockets, or broad network exposure may exist.

Recommended defensive actions

  • Inventory ABB M2M Gateway ARM600 and ABB M2M Gateway SW deployments to confirm whether affected versions are present.
  • Limit internet exposure; if remote access is required, expose only the necessary VPN services and place termination in a DMZ where appropriate.
  • Apply strict firewall allowlisting so only required hosts, ports, and protocols can reach the system.
  • Review SSH and remote-administration workflows to minimize or disable agent forwarding and other unnecessary privileged access paths where operationally feasible.
  • Change default credentials, enforce strong non-default passwords, and restrict root/administrator use to necessary tasks only.
  • Use continuous monitoring and intrusion detection/prevention to detect abnormal authentication or remote-access behavior.
  • Keep supporting engineering and configuration PCs patched and virus-scanned before use with OT systems.
  • Follow the ABB cyber security deployment and user guidance referenced in the advisory for installation, operation, and decommissioning.
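The technical summary names two conditions worth checking during the SSH workflow review above: an OpenSSH build before 7.4, and agent forwarding left enabled on the client or server side. The following is an added Python example, not code from ABB, OpenSSH or the CISA advisory; the banners and configuration fragments it works on are constructed samples, and it flags any ForwardAgent value other than "no" because newer clients also accept a socket path there.

```python
"""Audit helpers for the two risk factors named above: an OpenSSH build
before 7.4 and agent forwarding left enabled. Constructed example, not
code from ABB, OpenSSH or the CISA advisory."""
import re

AFFECTED_BEFORE = (7, 4)  # the summary: ssh-agent in OpenSSH before 7.4

# Directives that open an agent-forwarding path, with the defender's reading.
RISKY = {
    "forwardagent": "client hands its agent socket to the remote host",
    "allowagentforwarding": "server accepts forwarded agent sockets",
}

def parse_openssh_version(banner):
    """(major, minor) from a banner such as 'SSH-2.0-OpenSSH_7.2p2 Ubuntu...'."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))

def version_affected(banner):
    """True when the banner reports a release before the 7.4 fix."""
    return parse_openssh_version(banner) < AFFECTED_BEFORE

def audit_ssh_config(text):
    """Return (line_no, scope, keyword, note) for each directive that enables
    agent forwarding. Keywords are case-insensitive, 'Key value' and 'Key=value'
    both parse, and Host/Match lines open a new scope as ssh and sshd apply
    them. Any value other than 'no' counts as enabled (newer clients accept
    a socket path or an environment variable name as the value)."""
    findings, scope = [], "*"
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in ("host", "match"):
            scope = "%s %s" % (key, value)
            continue
        if key in RISKY and value.lower() != "no":
            findings.append((no, scope, key, RISKY[key]))
    return findings

# Constructed samples: the weak client setting beside its hardened form,
# and a server config that still accepts forwarded agents.
WEAK_CLIENT_CONFIG = "Host *\n    ForwardAgent yes  # every server gets the agent\n"
HARDENED_CLIENT_CONFIG = "Host *\n    ForwardAgent no\n"
WEAK_SERVER_CONFIG = "AllowAgentForwarding yes\nPermitRootLogin no\n"
```

Run `audit_ssh_config` over `~/.ssh/config`, `/etc/ssh/ssh_config` and `/etc/ssh/sshd_config` contents and `version_affected` over the `ssh -V` or server banner text; an empty findings list plus a fixed version means the two conditions from the summary are absent on that host.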

Evidence notes

CISA’s CSAF advisory ICSA-25-105-08 (published 2025-04-07) lists CVE-2016-10009 and maps it to ABB M2M Gateway ARM600 and ABB M2M Gateway SW affected versions. The advisory text repeats the OpenSSH ssh-agent untrusted search path description and includes mitigation guidance focused on network exposure reduction, VPN/DMZ design, allowlisting, credential hygiene, least privilege, monitoring, and hardening. The supplied enrichment shows no KEV entry and provides CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:W/RC:C.

Official resources

Publicly disclosed in CISA CSAF advisory ICSA-25-105-08 on 2025-04-07. The supplied enrichment does not list the CVE in CISA KEV.