ID CVE-2021-22272
Summary The vulnerability origins in the commissioning process where an attacker of the ControlTouch can enter a serial number in a specific way to transfer the device virtually into her/his my.busch-jaeger.de or mybuildings.abb.com profile. A successful attacker can observe and control a ControlTouch remotely under very specific circumstances. The issue is fixed in the cloud side of the system. No firmware update is needed for customer products. If a user wants to understand if (s)he is affected, please read the advisory. This issue affects: ABB and Busch-Jaeger, ControlTouch
References
Vulnerable Configurations
  • cpe:2.3:a:abb:mybuildings:*:*:*:*:*:*:*:*
    cpe:2.3:a:abb:mybuildings:*:*:*:*:*:*:*:*
  • cpe:2.3:a:busch-jaeger:mybusch-jaeger:-:*:*:*:*:*:*:*
    cpe:2.3:a:busch-jaeger:mybusch-jaeger:-:*:*:*:*:*:*:*
CVSS
Base: 9.0 (as of 08-10-2021 - 14:16)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:C/A:C
Last major update 08-10-2021 - 14:16
Published 27-09-2021 - 14:15
Last modified 08-10-2021 - 14:16
Back to Top