CVE-2023-2625

CRITICAL

ABB TXpert Hub CoreTec 4 Firmware < 3.0.1 - Authenticated OS Command Injection via Web UI Field

Title source: llm

Description

A vulnerability exists that can be exploited by an authenticated client that is connected to the same network segment as the CoreTec 4, having any level of access VIEWER to ADMIN. To exploit the vulnerability the attacker can inject shell commands through a particular field of the web user interface that will be executed by the system.

References (1)

Core 1

Core References

Vendor Advisory

https://search.abb.com/library/Download.aspx?DocumentID=8DBD000163&LanguageCode=en&DocumentPartId=&Action=Launch

Scores

CVSS v3 9.0

EPSS 0.0017

EPSS Percentile 37.5%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (1)

abb/txpert_hub_coretec_4_firmware < 3.0.1

Published Jun 28, 2023

Tracked Since Feb 18, 2026