PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-2526 ABB CVE debrief

CVE-2022-2526 is a use-after-free vulnerability affecting ABB M2M Gateway products, including ARM600. CISA published advisory ICSA-25-105-08 on 2025-04-07 for this issue. The flaw is described as a reference-counting error in resolved-dns-stream.c: on_stream_io() and dns_stream_complete() do not increment the DnsStream object's reference count, so later functions and callbacks can dereference freed memory. The advisory states that an authenticated user may be able to execute arbitrary code. CISA lists ABB M2M Gateway ARM600 firmware 4.1.2 through 5.0.3 and ABB M2M Gateway SW 5.0.1 through 5.0.3 as affected.

Vendor: ABB
Product: ABB M2M Gateway ARM600
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-07
Original CVE updated: 2025-04-07
Advisory published: 2025-04-07
Advisory updated: 2025-04-07

Who should care

OT operators, system administrators, and security teams responsible for ABB ARM600 deployments or ABB M2M Gateway SW. This is especially important for environments where the device is reachable from less-trusted networks, remote administration paths, or internet-facing management infrastructure.

Technical summary

The issue is a use-after-free caused by missing reference-count increments for the DnsStream object in on_stream_io() and dns_stream_complete(). Because neither function takes its own reference, a completion path can release the last reference while later callbacks are still using the object, leaving them operating on freed memory; the advisory says this may allow an authenticated user to execute arbitrary code. The affected product ranges in the CISA CSAF are ABB M2M Gateway ARM600 firmware versions 4.1.2 through 5.0.3 and ABB M2M Gateway SW versions 5.0.1 through 5.0.3. The CVSS vector provided is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:W/RC:R, indicating a network-reachable attack vector that requires only low privileges and carries high confidentiality, integrity, and availability impact if successfully exploited.
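To make the reference-counting pattern above concrete, the following is an added example written for this debrief (not code from ABB, CISA, or the affected product): a hypothetical reference-counted stream whose I/O callback takes no reference of its own, shown beside the fixed form that pins the object for the callback's lifetime. All names (Stream, stream_ref, on_io_buggy, on_io_fixed, run_demo) are assumptions, and free() is simulated by a flag so the demo can observe the dangling use without undefined behaviour.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical refcounted stream; free() is replaced by a 'freed' flag so the
 * demo can observe the dangling use without undefined behaviour. */
typedef struct Stream { unsigned n_ref; bool freed; int bytes_done; } Stream;

static Stream *stream_ref(Stream *s) { if (s) s->n_ref++; return s; }
/* Drop one reference; when the count hits zero the object is "freed". */
static void stream_unref(Stream *s) { if (s && --s->n_ref == 0) s->freed = true; }

/* Completion path: the owner gives up its (possibly last) reference. */
static void stream_complete(Stream **owner_slot) {
    Stream *s = *owner_slot;
    *owner_slot = NULL;
    stream_unref(s);
}

/* Buggy I/O callback: takes no reference of its own, so once the completion
 * path drops the owner's reference it keeps using freed memory. */
static bool on_io_buggy(Stream **owner_slot) {
    Stream *s = *owner_slot;
    stream_complete(owner_slot);
    bool uaf = s->freed;          /* with a real free() this read is the UAF */
    s->bytes_done++;
    return uaf;                   /* true: the object was already released */
}

/* Fixed callback: pins the object for the whole callback, the usual remedy
 * for this pattern, and releases it only at the end. */
static bool on_io_fixed(Stream **owner_slot) {
    Stream *s = stream_ref(*owner_slot);
    stream_complete(owner_slot);
    bool uaf = s->freed;          /* still alive: the callback holds a ref */
    s->bytes_done++;
    stream_unref(s);              /* last reference released here */
    return uaf;                   /* false */
}

/* Run one callback on a fresh stream and report whether it touched a freed object. */
static bool run_demo(bool (*cb)(Stream **)) {
    Stream *s = calloc(1, sizeof *s);
    if (!s) return false;
    s->n_ref = 1;                 /* the owner's reference */
    Stream *owner_slot = s;
    bool uaf = cb(&owner_slot);
    free(s);                      /* real release, after the demo is done */
    return uaf;
}
```

The same check applies to any callback that can trigger a path dropping the owner's reference: take a reference on entry and release it on exit, rather than relying on the owner to keep the object alive.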

Defensive priority

High. Prioritize remediation for any affected ABB ARM600 or M2M Gateway SW instance that is externally reachable, accessible by multiple users, or used in sensitive OT environments. Even though the advisory is not listed in the supplied KEV data, the impact profile is severe enough to warrant prompt review and containment.

Recommended defensive actions

  • Review ABB and CISA guidance for the affected ARM600 and M2M Gateway SW releases and determine whether your deployed version falls within the affected ranges.
  • Reduce exposure by avoiding direct internet access to the system; if remote connectivity is required, expose only the minimum necessary VPN service.
  • Use a private cellular APN or a DMZ-based design where appropriate so remote connections do not terminate directly on the protected OT network.
  • Apply firewall allowlisting so only required ports, protocols, and source/destination hosts are permitted.
  • Change any default credentials to strong, unique values and use administrator privileges only when necessary.
  • Keep supporting engineering PCs and related systems updated, and scan transferred files and firmware images for malware before introducing them to the OT environment.
  • Maintain tested backups, and use continuous monitoring and intrusion detection/prevention to detect anomalous behavior on the system.

Evidence notes

This debrief is based on the supplied CISA CSAF source item for ICSA-25-105-08 and its referenced ABB/CISA materials. The source explicitly identifies the vulnerable functions (on_stream_io() and dns_stream_complete()), the memory-safety root cause, the affected ABB product families and version ranges, and the mitigation/hardening guidance. Timing context uses the supplied advisory publication date of 2025-04-07; the CVE identifier itself dates to 2022.

Official resources

CISA publicly disclosed this issue in advisory ICSA-25-105-08 on 2025-04-07. The CVE identifier is CVE-2022-2526, but the supplied advisory publication date should be used for disclosure timing context.