PatchSiren cyber security CVE debrief
CVE-2023-38408 ABB CVE debrief
CVE-2023-38408 is a high-severity OpenSSH ssh-agent flaw that CISA mapped to ABB M2M Gateway ARM600 and ABB M2M Gateway SW in its 2025-04-07 advisory. The issue is tied to an insufficiently trustworthy search path in the PKCS#11 feature and can lead to remote code execution when agent forwarding is used by an authenticated user on an attacker-controlled system. For ABB environments, the main risk is wherever remote access workflows, SSH agent forwarding, or internet-exposed management paths are present.
- Vendor: ABB
- Product: ABB M2M Gateway ARM600
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-04-07
- Original CVE updated: 2025-04-07
- Advisory published: 2025-04-07
- Advisory updated: 2025-04-07
Who should care
ABB ARM600 administrators, OT/ICS operators, remote access and jump-host administrators, SOC/incident response teams, and anyone managing SSH-based administrative access into ABB M2M Gateway environments.
Technical summary
The supplied advisory text states that OpenSSH versions before 9.3p2 contain a PKCS#11-related ssh-agent weakness involving an insufficiently trustworthy search path. Under the described condition, remote code execution may occur if a forwarded agent is used on an attacker-controlled system by an authenticated user. CISA’s CSAF advisory maps this CVE to ABB M2M Gateway ARM600 firmware versions 4.1.2 through 5.0.3 and ABB M2M Gateway SW versions 5.0.1 through 5.0.3, with CVSS v3.1 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
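As an added, defender-side check that is not part of the CISA advisory or of ABB's guidance, the POSIX shell script below audits the two conditions the summary names: an OpenSSH build older than 9.3p2 and client configuration that forwards the agent to remote hosts. The banner strings, the sample config contents and the function names are constructed for this example.

```shell
#!/bin/sh
# Added audit script (not from the CISA/ABB advisory): flags OpenSSH banners
# older than 9.3p2 and ssh configs that enable or permit agent forwarding.
# All sample inputs below are constructed for the demo.

# Exit 0 when the OpenSSH banner is older than 9.3p2, 1 when it is 9.3p2 or
# later, 2 when it cannot be parsed. Input: the banner as printed by
# "ssh -V", e.g. "OpenSSH_9.2p1 Debian-2+deb12u2". Caveat: distributions
# backport fixes, so an "older" verdict means "check the package changelog",
# not "confirmed vulnerable".
openssh_before_9_3p2() {
    ver=$(printf '%s\n' "$1" | sed -n \
        's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$ver" ] || return 2
    set -- $ver                       # split into major minor [patch]
    major=$1; minor=$2; patch=${3:-0} # "OpenSSH_9.3" (no pN) counts as p0
    [ "$major" -lt 9 ] && return 0
    [ "$major" -gt 9 ] && return 1
    [ "$minor" -lt 3 ] && return 0
    [ "$minor" -gt 3 ] && return 1
    [ "$patch" -lt 2 ]
}

# Print the number of active "ForwardAgent yes" directives in an
# ssh_config-style file; commented-out lines are not counted.
count_forward_agent_yes() {
    grep -ciE '^[[:space:]]*ForwardAgent[[:space:]=]+yes[[:space:]]*$' "$1" || true
}

# Exit 0 when an sshd_config explicitly sets "AllowAgentForwarding no", so a
# host you administer never receives a forwarded agent socket in the first place.
sshd_agent_forwarding_disabled() {
    grep -qiE '^[[:space:]]*AllowAgentForwarding[[:space:]=]+no' "$1"
}

# Demo on constructed inputs.
tmp_cfg=$(mktemp)
cat >"$tmp_cfg" <<'EOF'
# constructed sample ~/.ssh/config
Host jump.example
    ForwardAgent yes
Host *.internal
    ProxyJump jump.example
    # ForwardAgent yes   (commented out, must not count)
EOF
for banner in "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6" "OpenSSH_9.3p2" "OpenSSH_9.6p1"; do
    if openssh_before_9_3p2 "$banner"; then
        echo "older than 9.3p2, check backports: $banner"
    else
        echo "9.3p2 or later: $banner"
    fi
done
echo "active ForwardAgent yes directives: $(count_forward_agent_yes "$tmp_cfg")"
rm -f "$tmp_cfg"
```

Point it at the output of `ssh -V` on administrative workstations and at the ssh_config and sshd_config files on jump hosts. The durable mitigation is to stop forwarding the agent to hosts you do not fully control (ProxyJump reaches internal hosts without placing the agent socket on the intermediate machine), and, on OpenSSH builds that support it, to start ssh-agent with its -P allowlist so that only intended PKCS#11 provider paths can be loaded.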
Defensive priority
High for environments using SSH agent forwarding or remote administration paths, especially where ABB ARM600 components are reachable from the internet or rely on broad network trust.
Recommended defensive actions
- Review ABB advisory ICSA-25-105-08 and the referenced ABB product guidance for the affected ARM600 and SW versions.
- Avoid exposing any ARM600 system component directly to the internet; if exposure is unavoidable, limit inbound access to VPN only.
- Use a dedicated private cellular APN where feasible so remote traffic does not traverse the public internet.
- Apply firewall allowlisting: explicitly permit only required ports and protocols and block all other traffic.
- If VPN over the internet is required, terminate the connection in a DMZ that is segregated by firewall from the rest of the environment.
- Change default credentials on ARM600 and related gateways; use unique, strong, non-reused passwords.
- Use administrator/root privileges only when required, and keep supporting configuration PCs updated and malware-scanned before use.
- Scan configuration files and firmware update files before transferring them into the OT environment; maintain validated backups and use continuous monitoring/IDS to detect anomalies.
Evidence notes
All product and mitigation claims are taken from the supplied CISA CSAF source item for ICSA-25-105-08 and its listed references. The advisory explicitly describes the OpenSSH ssh-agent PKCS#11 issue and lists ABB M2M Gateway ARM600 firmware versions 4.1.2 through 5.0.3 and ABB M2M Gateway SW versions 5.0.1 through 5.0.3 as affected. The source does not provide a KEV entry, and the remediation section consists primarily of compensating controls rather than a vendor-fixed release notice.
Official resources
- CVE-2023-38408 CVE record (CVE.org)
- CVE-2023-38408 NVD detail (NVD)
- Source item URL (cisa_csaf)
CISA published the supplied CSAF advisory (ICSA-25-105-08) on 2025-04-07T10:30:00.000Z, which is the timing anchor used here. No KEV listing was included in the supplied data.