PatchSiren cyber security CVE debrief
CVE-2025-6073 ABB CVE debrief
CVE-2025-6073 is a high-severity ABB RMC-100 issue that can overflow the username or password buffer, but only under a specific chain of conditions: the REST interface must be enabled, an attacker must have access to the control network, user/password broker authentication must be enabled, and CVE-2025-6074 must also be exploited. ABB and CISA list fixed builds for affected RMC-100 and RMC-100 LITE versions, so the primary defense is prompt upgrade plus reducing unnecessary OT exposure.
- Vendor
- ABB
- Product
- RMC-100
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-07-03
- Original CVE updated
- 2026-05-14
- Advisory published
- 2025-07-03
- Advisory updated
- 2026-05-14
Who should care
ABB RMC-100 and RMC-100 LITE asset owners, OT/ICS operators, control-network defenders, patch managers, and incident responders should prioritize this if REST access or broker authentication is enabled anywhere in the environment.
Technical summary
The advisory describes a buffer overflow affecting username or password handling in the broker authentication path. The issue is conditional rather than standalone: it requires user-enabled REST exposure, control-network access by an attacker, enabled user/password broker authentication, and exploitation of CVE-2025-6074. CISA assigns CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating network-reachable attack conditions with a high availability impact. Affected versions are RMC-100 2105457-043 through 2105457-045 and RMC-100 LITE 2106229-015 through 2106229-016; fixed versions are RMC-100 2105457-046 and RMC-100 LITE 2106229-018.
Defensive priority
High for environments that run the affected ABB builds, especially where REST access is enabled or control-network segmentation is weak. The availability impact is high, and the vulnerability can be reached remotely within the OT control network when the stated prerequisites are met.
Recommended defensive actions
- Confirm whether any ABB RMC-100 or RMC-100 LITE devices are running affected builds 2105457-043 through 2105457-045 or 2106229-015 through 2106229-016.
- Upgrade to ABB's fixed versions: RMC-100 2105457-046 or RMC-100 LITE 2106229-018.
- If REST functionality is not required, disable it to remove one of the required preconditions.
- Restrict and segment access to the control network so only authorized systems can reach the device management surfaces.
- Review whether user/password broker authentication is enabled and minimize its use where operationally possible.
- Track and remediate CVE-2025-6074 as part of the exposure chain, since CVE-2025-6073 is described as dependent on it.
- Apply CISA and ABB ICS defense-in-depth guidance for segmentation, hardening, and least-privilege control access.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-196-02 for ABB RMC-100, which identifies the affected products, affected build ranges, and corrected versions. The advisory description explicitly states the exploit preconditions and that CVE-2025-6074 must be exploited before the buffer overflow in username or password can occur. The CVSS vector supplied in the advisory supports the network-reachable, high-availability impact assessment. The advisory revision history shows initial publication on 2025-07-03 and later republications/updates, including the 2026-05-14 update based on ABB advisory 9AKK108471A3623.
Official resources
-
CVE-2025-6073 CVE record
CVE.org
-
CVE-2025-6073 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA CSAF advisory ICSA-25-196-02 on 2025-07-03. CISA republished the advisory on 2025-07-15, added software package correction details on 2025-08-18, and updated it again on 2026-05-14 based on ABB advisory 9AKK108471