ABBCVELIST:CVE-2021-22272CVE-2021-22272 ControlTouch Cloud Service vulnerability: Serial Number can be misused during commissioning phase.
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.6%
The vulnerability origins in the commissioning process where an attacker of the ControlTouch can enter a serial number in a specific way to transfer the device virtually into her/his my.busch-jaeger.de or mybuildings.abb.com profile. A successful attacker can observe and control a ControlTouch remotely under very specific circumstances. The issue is fixed in the cloud side of the system. No firmware update is needed for customer products. If a user wants to understand if (s)he is affected, please read the advisory. This issue affects: ABB and Busch-Jaeger, ControlTouch
CNA Affected
[
{
"platforms": [
"virtual"
],
"product": "mybuildings.abb.com",
"vendor": "ABB",
"versions": [
{
"lessThan": "2021-05-03",
"status": "affected",
"version": "2021-05-03",
"versionType": "custom"
}
]
},
{
"platforms": [
"virtual"
],
"product": "my.busch-jaeger.de",
"vendor": "Busch-Jaeger",
"versions": [
{
"lessThan": "2021-05-03",
"status": "affected",
"version": "2021-05-03",
"versionType": "custom"
}
]
}
]Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
9 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
42.6%