PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-3564 Linux CVE debrief

CVE-2022-3564 is a Linux kernel Bluetooth use-after-free issue that ABB lists as affecting ARM600 and ABB M2M Gateway SW. In the ABB/CISA advisory published on 2025-04-07, the affected ranges are ARM600 firmware 4.1.2 through 5.0.3 and ABB M2M Gateway SW 5.0.1 through 5.0.3. The reported impact is potential data leakage or denial of service. The CVSS score provided in the source is 6.8 (Medium), while the advisory text describes the issue as critical. In practice, this matters most for environments that run the affected ABB gateways, especially where availability and remote connectivity matter.

Vendor: Linux
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2023-06-13
Original CVE updated: 2024-04-09
Advisory published: 2023-06-13
Advisory updated: 2024-04-09

Who should care

Asset owners, OT/ICS operators, and defenders responsible for ABB ARM600 or ABB M2M Gateway SW deployments should review this CVE. Network/security teams should also care if these devices sit near remote-access, VPN, or boundary segments, because the source recommends minimizing exposure and hardening internet-facing paths.

Technical summary

The source describes a use-after-free in Linux kernel Bluetooth code, specifically l2cap_reassemble_sdu in net/bluetooth/l2cap_core.c. ABB maps that underlying issue to two product families: ABB M2M Gateway ARM600 and ABB M2M Gateway SW. The source does not provide exploit details, but it states the outcome could be information leakage or denial of service. The advisory’s CVSS vector is AV:A/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. In the scored model, this indicates that exploitation is not trivial (high attack complexity) and requires adjacent-network access, low privileges, and user interaction.

Defensive priority

High

Recommended defensive actions

  • Identify whether any ABB ARM600 firmware versions 4.1.2 through 5.0.3 are deployed, and whether ABB M2M Gateway SW versions 5.0.1 through 5.0.3 are present.
  • Use the vendor/CISA advisory and ABB lifecycle guidance to plan remediation for any affected systems, including firmware/software updates where available.
  • Reduce exposure of ARM600 and related components to the internet; if external access is required, limit it to necessary VPN paths as described in the source.
  • Apply firewall allowlisting and segment the system so only required hosts, ports, and protocols are permitted.
  • Place internet-terminated connections in a DMZ when VPN tunnels or remote access must traverse the internet.
  • Change default credentials, use strong non-reused passwords, and restrict administrator/root use to necessary tasks only.
  • Keep supporting engineering/configuration PCs patched and virus-scanned before they are connected to the OT environment.
  • Maintain validated backups of configurations and firmware, and verify they can be restored if needed.

Evidence notes

All product and version assertions are taken from the CISA CSAF advisory for ICSA-25-105-08 and its referenced ABB materials. The advisory explicitly lists ABB M2M Gateway ARM600 firmware 4.1.2 through 5.0.3 and ABB M2M Gateway SW 5.0.1 through 5.0.3 as affected. The vulnerability description in the source states the issue is a Linux kernel Bluetooth use-after-free in l2cap_reassemble_sdu that can lead to data leakage or denial of service. Timing uses the provided publication date of 2025-04-07; no KEV listing is present in the supplied data.

Official resources

Public advisory published by CISA on 2025-04-07 as ICSA-25-105-08, with the same date used for the supplied CVE publication and modification timestamps. No KEV designation is included in the supplied corpus.