
PatchSiren cyber security CVE debrief

CVE-2023-35001 Linux CVE debrief

CVE-2023-35001 is a Linux kernel nftables out-of-bounds read/write flaw in the nft_byteorder expression that CISA has mapped to ABB M2M Gateway ARM600 and ABB M2M Gateway SW. The advisory states that the flaw can lead to local user privilege escalation and assigns CVSS 7.8 (HIGH). CISA published the advisory on 2025-04-07. For defenders, the key takeaway is that this is a high-impact local privilege escalation affecting specific ABB gateway versions: the attacker needs a local foothold, but on kernels that allow unprivileged user namespaces that foothold does not need to be an administrator account, so exposure control, least privilege, and vendor guidance matter even where direct remote reachability is limited.

Vendor
Linux (kernel); affected products from ABB
Product
ABB M2M Gateway ARM600 (firmware 4.1.2 through 5.0.3); ABB M2M Gateway SW (5.0.1 through 5.0.3)
CVSS
HIGH 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CISA KEV
Not listed in stored evidence
Original CVE published
2024-02-13
Original CVE updated
2024-02-13
Advisory published
2025-04-07 (ICSA-25-105-08)
Advisory updated
2025-04-07 (no later update in stored evidence)

Who should care

ABB M2M Gateway ARM600 and ABB M2M Gateway SW owners, OT/ICS operators, Linux platform administrators, and security teams responsible for privileged access control, gateway hardening, and patch/mitigation validation.

Technical summary

The source advisory describes a kernel nftables issue in nft_byteorder: the expression mishandles the contents of the nftables VM registers, producing an out-of-bounds read/write in kernel memory. The bug is reachable by anyone holding CAP_NET_ADMIN in any user or network namespace. That qualifier matters: on a kernel that permits unprivileged user namespaces, an ordinary local user can create a user namespace (and a network namespace inside it) in which they hold CAP_NET_ADMIN, so the capability requirement does not confine the flaw to administrators. CISA's CSAF mapping associates the issue with ABB M2M Gateway ARM600 firmware versions 4.1.2 through 5.0.3 and ABB M2M Gateway SW versions 5.0.1 through 5.0.3. The stated security consequence is local privilege escalation; the supplied CVSS vector indicates local access, low attack complexity, low privileges, no user interaction, and high impacts to confidentiality, integrity, and availability.

Defensive priority

High. The CVSS score is 7.8 and the stated impact is local privilege escalation on affected ABB gateway products. Prioritize validation of exposure, version inventory, and mitigations for any system that allows non-administrative local access or relies on namespace/capability isolation to keep users away from nftables. On general-purpose Linux hosts running an unpatched kernel, disabling unprivileged user namespaces (user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on distributions that carry that sysctl) removes the easy route to CAP_NET_ADMIN; on the ABB gateways, follow the vendor's guidance rather than changing kernel tunables the firmware may not expose.

Recommended defensive actions

  • Inventory ABB M2M Gateway ARM600 and ABB M2M Gateway SW deployments and confirm whether each reported version falls within the affected ranges listed in the advisory (ARM600 firmware 4.1.2 through 5.0.3; SW 5.0.1 through 5.0.3).
  • Follow ABB and CISA guidance for the affected products; apply any vendor remediation or fixed release available through official support channels.
  • Reduce attack surface by avoiding internet exposure of the ARM600 and using only required ports and services.
  • If remote connectivity is required, prefer a private cellular APN, VPN-only access, and DMZ termination as described in the advisory mitigations.
  • Enforce firewall allowlisting and block all non-essential traffic to the gateway and supporting systems.
  • Use least privilege: keep administrator/root use to a minimum, change default credentials, and remove unnecessary accounts.
  • Keep configuration PCs and supporting systems fully updated and virus-scanned before connecting them to OT assets.
  • Maintain validated backups and monitor for anomalies with intrusion detection or prevention where feasible.
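The inventory and hardening steps above can be scripted. The following is an added example written for this debrief, not code from PatchSiren, ABB or CISA. The version ranges are the ones the advisory states; the product names are the advisory's strings. Everything else is an assumption: the sample inventory and the /proc/modules text are constructed, the sysctl names are the upstream user.max_user_namespaces and the Debian/Ubuntu kernel.unprivileged_userns_clone, and the risk labels are this example's own. It does no kernel-version comparison because the page does not state a fixed kernel version.

```python
"""Inventory and host-posture check for CVE-2023-35001 exposure (added example)."""
from __future__ import annotations

import re
from pathlib import Path
from typing import Optional

# Affected version ranges, inclusive, as stated in ICSA-25-105-08.
AFFECTED = {
    "ABB M2M Gateway ARM600": ("4.1.2", "5.0.3"),
    "ABB M2M Gateway SW": ("5.0.1", "5.0.3"),
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn a dotted numeric version into a comparable tuple; trailing suffixes are ignored."""
    m = re.match(r"^\d+(?:\.\d+)*", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_affected(product: str, version: str) -> bool:
    """True if product/version lies inside an advisory range (unknown products are not flagged)."""
    rng = AFFECTED.get(product)
    if rng is None:
        return False
    lo, hi = (parse_version(x) for x in rng)
    return lo <= parse_version(version) <= hi


def userns_allowed(max_user_namespaces: Optional[str], userns_clone: Optional[str]) -> Optional[bool]:
    """Decide whether unprivileged users may create user namespaces from two sysctl values.

    Either sysctl set to 0 blocks creation; None for both means the answer is unknown.
    """
    if userns_clone is not None and userns_clone.strip() == "0":
        return False
    if max_user_namespaces is not None and int(max_user_namespaces.strip()) == 0:
        return False
    if max_user_namespaces is None and userns_clone is None:
        return None
    return True


def nf_tables_loaded(proc_modules_text: str) -> bool:
    """Parse /proc/modules-style lines (name size refcount deps state addr) for nf_tables."""
    return any(line.split()[0] == "nf_tables" for line in proc_modules_text.splitlines() if line.strip())


def classify(nft_loaded: bool, userns: Optional[bool]) -> str:
    """Rough local-exposure label; 'not loaded' is not 'unloadable', so the LOW case still needs a blacklist."""
    if not nft_loaded:
        return "LOW: nf_tables not loaded now; blacklist the module (install nf_tables /bin/false) to keep it that way"
    if userns is True:
        return "HIGH: nf_tables loaded and unprivileged user namespaces allowed; any local user can reach CAP_NET_ADMIN"
    if userns is False:
        return "MEDIUM: nf_tables loaded; exploitation needs CAP_NET_ADMIN in the initial namespace"
    return "UNKNOWN: nf_tables loaded; could not read user-namespace sysctls"


def _read(path: str) -> Optional[str]:
    try:
        return Path(path).read_text()
    except OSError:
        return None


def check_live_host() -> str:
    """Apply the classification to the running Linux host (returns UNKNOWN where files are unreadable)."""
    modules = _read("/proc/modules") or ""
    return classify(
        nf_tables_loaded(modules),
        userns_allowed(_read("/proc/sys/user/max_user_namespaces"),
                       _read("/proc/sys/kernel/unprivileged_userns_clone")),
    )


# Constructed sample data for a stand-alone run.
SAMPLE_INVENTORY = [("ABB M2M Gateway ARM600", "4.1.2"), ("ABB M2M Gateway ARM600", "5.0.4"),
                    ("ABB M2M Gateway SW", "5.0.1"), ("ABB M2M Gateway SW", "5.0.0")]
SAMPLE_MODULES = "nf_tables 294912 0 - Live 0x0000000000000000\nnfnetlink 20480 1 nf_tables, Live 0x0000000000000000\n"

if __name__ == "__main__":
    for product, ver in SAMPLE_INVENTORY:
        print(f"{product} {ver}: {'AFFECTED' if is_affected(product, ver) else 'not in range'}")
    print(classify(nf_tables_loaded(SAMPLE_MODULES), userns_allowed("15000", None)))
    print("live host:", check_live_host())
```

Two design points are worth noting. Version comparison is strict: a build reporting 5.0.3.1 is treated as above the range, so confirm with the vendor before trusting a "not in range" result for an unusual version string. And the posture check only says whether nf_tables is loaded now; nfnetlink subsystems can be demand-loaded, so the durable mitigation on a host that does not need nftables is a modprobe blacklist, while the durable fix everywhere is the vendor's patched release.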

Evidence notes

CISA CSAF advisory ICSA-25-105-08, published 2025-04-07, explicitly describes CVE-2023-35001 as a kernel nftables out-of-bounds read/write issue involving nft_byteorder and CAP_NET_ADMIN in user or network namespaces, with local user privilege escalation as the consequence. The product tree maps the vulnerability to ABB M2M Gateway ARM600 firmware 4.1.2 through 5.0.3 and ABB M2M Gateway SW 5.0.1 through 5.0.3. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H with score 7.8.

Official resources

Public advisory disclosure in the supplied corpus is dated 2025-04-07. The CVE identifier is CVE-2023-35001, and the source advisory maps it to ABB M2M Gateway ARM600 and ABB M2M Gateway SW.