CVE-2024-12430
HIGH
ABB AC500 V3 < 3.8.0 - Authenticated OS Command Injection via Crafted File
Title source: llmDescription
An attacker who successfully exploited these vulnerabilities could enable command execution. A vulnerability exists in the AC500 V3 version mentioned. After successfully exploiting CVE-2024-12429 (directory traversal), a successfully authenticated attacker can inject arbitrary commands into a specifically crafted file, which will then be executed by the root user. All AC500 V3 products (PM5xxx) with a firmware version earlier than 3.8.0 are affected by this vulnerability.
References (2)
Core References
Various Sources
https://search.abb.com/library/Download.aspx?DocumentID=3ADR011377&LanguageCode=en&DocumentPartId=&Action=Launch
Mailing List
http://seclists.org/fulldisclosure/2025/Jan/5
Scores
CVSS v3
7.0
EPSS
0.0033
EPSS Percentile
24.8%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-280
Status
published
Products (1)
ABB/AC500 V3
< 3.8.0
Published
Jan 07, 2025
Tracked Since
Feb 18, 2026