Summary
ABB became aware of an internally discovered vulnerability in the MConfig product versions listed as affected in the advisory. An attacker with access to local networks who successfully exploits the vulnerability could gain access to the application’s sensitive information. ABB strongly advises customers to update MConfig to the latest software version.
The following versions of ABB LVS MConfig are affected:
- LVS <=1.4.9.21
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 7.4 | ABB | ABB LVS MConfig | Cleartext Storage of Sensitive Information in Memory |
Background
- Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Transportation Systems, Water and Wastewater
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland
Vulnerabilities
CVE-2025-9970
While the MConfig software application is running, an attacker can export a memory dump file to the operating system. If passwords are stored in plain text in memory, they will be included in these dump files. If such dump files are mishandled, attackers could obtain them and extract the passwords.
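One way to check a test installation for the condition described above, as an added example that is not ABB's or CISA's code: configure a throwaway canary password, take a dump of that test system, and scan the file for the canary. The canary value, function names and sample bytes are constructed for illustration, and the encodings searched (UTF-8 and UTF-16LE) are an assumption about how the strings sit in memory.

```python
import io

# Assumption: strings sit in memory as UTF-8/ASCII or as UTF-16LE.
ENCODINGS = ("utf-8", "utf-16-le")
SAMPLE_CANARY = "Canary-7f3a!"  # constructed test password, never a real credential

def scan_stream(stream, canary, chunk_size=1 << 20):
    """Return sorted (offset, encoding) pairs where `canary` occurs in `stream`."""
    if not canary:
        raise ValueError("canary must be non-empty")
    needles = {enc: canary.encode(enc) for enc in ENCODINGS}
    # Keep this many trailing bytes so a match split across two reads is found.
    overlap = max(len(n) for n in needles.values()) - 1
    hits, tail, base = set(), b"", 0  # base = file offset of window[0]
    while chunk := stream.read(chunk_size):
        window = tail + chunk
        for enc, needle in needles.items():
            pos = window.find(needle)
            while pos != -1:
                hits.add((base + pos, enc))  # the set drops re-found matches
                pos = window.find(needle, pos + 1)
        tail = window[-overlap:] if overlap else b""
        base += len(window) - len(tail)
    return sorted(hits)

def scan_file(path, canary):
    """Scan a dump file on disk without loading it all into memory."""
    with open(path, "rb") as fh:
        return scan_stream(fh, canary)

def scan_bytes(data, canary, chunk_size=1 << 20):
    """Scan an in-memory byte string (used here for the constructed sample)."""
    return scan_stream(io.BytesIO(data), canary, chunk_size)

def build_sample_dump():
    """Constructed stand-in for a dump: filler bytes around two canary copies."""
    return (b"\x90" * 37 + SAMPLE_CANARY.encode("utf-16-le")
            + b"\xcc" * 50 + SAMPLE_CANARY.encode("utf-8") + b"\x00" * 9)

if __name__ == "__main__":
    for offset, enc in scan_bytes(build_sample_dump(), SAMPLE_CANARY, chunk_size=16):
        print(f"canary found at offset {offset:#x} as {enc}")
```

An empty result for a dump taken after the update only shows that the canary was not present in the searched encodings at the moment of capture.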
Affected Products
- Product: ABB LVS MConfig
- Vendor: ABB
- Product version: MConfig Version <=1.4.9.21
- Product status: fixed, known_affected
Remediations
Vendor fix
The vulnerability is resolved in the following product versions: MConfig version 1.4.9.22. ABB advises users to update their devices to the latest software version. Additionally, ABB recommends implementing defensive measures to reduce the risk of vulnerability exploitation, as outlined in the product instruction manual. Please refer to the section “Mitigation factors” for more information.
Relevant CWE: CWE-316 Cleartext Storage of Sensitive Information in Memory
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.4 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H/E:P/RL:O/RC:C/CR:L/IR:L/AR:L |
Acknowledgments
- ABB PSIRT reported this vulnerability to CISA.
Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third-party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.
Mitigating factors
Mitigating factors describe conditions and circumstances that make an attack that exploits the vulnerability difficult or less likely to succeed. If a customer cannot upgrade the firmware, or upgrading is not feasible, please immediately apply the mitigating factors mentioned in “General se
[…]