Executive Summary
In November 2025, ABB disclosed a critical vulnerability (CVE-2018-1002208) in its Protection and Control IED Manager PCM600 software, versions 1.5 through 2.13. The flaw is not in ABB's own code but in the bundled SharpZipLib archive library: it is the directory traversal known as 'Zip-Slip' (CWE-22, improper limitation of a pathname to a restricted directory). An archive entry whose name contains '../' sequences is written outside the intended extraction directory, so an attacker who can get PCM600 to process a crafted archive (the advisory summary describes the trigger as specially crafted messages to the system node) can drop a file of their choosing, for example into a location from which it is later loaded or executed, and so achieve arbitrary code execution. ABB has fixed the issue in PCM600 version 2.14 and recommends that users update promptly. (cyber.gc.ca)
The disclosure underscores the persistent risk that third-party libraries pose in industrial control software: the underlying SharpZipLib bug carries a 2018 CVE identifier, yet it shipped in PCM600 until the 2.14 release. Asset owners should track the components bundled inside their engineering tools as well as the tools themselves, apply vendor updates promptly, and treat archives handled by those tools as untrusted input.
Why This Matters Now
Exploitation of vulnerabilities in industrial control systems can have severe consequences, including operational disruption and safety risks. PCM600 is the engineering tool used to configure ABB protection and control IEDs, so code execution on the workstation that runs it puts the relay configurations it manages within reach. The 'Zip-Slip' flaw in PCM600 highlights the importance of promptly addressing software flaws to maintain the integrity and security of critical infrastructure.
Attack Path Analysis
An attacker delivers a crafted archive to an engineering workstation running a vulnerable PCM600 release. When PCM600 extracts it through SharpZipLib, an entry whose name contains '../' sequences is written outside the extraction directory; placing a DLL or script where PCM600 or another process will load it yields arbitrary code execution (the DLL Search Order Hijacking and PowerShell techniques listed below). From that foothold the attacker escalates privileges to gain control over the system, moves laterally to other connected devices and the IEDs the workstation manages, establishes command and control channels, exfiltrates configuration and operational data, and can disrupt operations.
Kill Chain Progression
Initial Compromise
Description
The attacker gets PCM600 to extract a crafted archive; a '../' entry name causes a file to be written outside the extraction directory, and that planted file is then used to execute arbitrary code on the engineering workstation.
Related CVEs
CVE-2018-1002208
CVSS 5.5 (the score carried by the SharpZipLib library CVE; the rating of the PCM600 exposure itself may differ). A directory traversal vulnerability in SharpZipLib before 1.0 RC1 allows attackers to write to arbitrary files via a '../' in a Zip archive entry that is mishandled during extraction, potentially leading to arbitrary code execution. The vulnerability is also known as 'Zip-Slip'.
Affected Products:
ABB PCM600 – 1.5 through 2.13 (fixed in 2.14)
Exploit Status:
No public exploit reported for PCM600; the generic Zip-Slip technique against SharpZipLib and other archive libraries is publicly documented.
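As an added example (not code from this page, from ABB, or from SharpZipLib), the following Python script reproduces the Zip-Slip mechanism behind CVE-2018-1002208: it builds a constructed in-memory archive with one benign entry and one '../' entry, extracts it with a naive writer that trusts entry names (the behaviour the CVE describes), and contrasts that with a containment check on the resolved path that refuses the archive before anything is written. The entry names, the placeholder DLL bytes and the temporary directories are assumptions for illustration only.

```python
"""Zip-Slip demonstration: naive vs. contained extraction of a crafted archive.

Added example; the archive below is constructed for illustration and is not a
real PCM600 file.
"""
import io
import os
import tempfile
import zipfile

# Constructed sample archive: one benign entry and one entry whose name climbs
# two directories above the extraction directory (assumption, not real data).
SAMPLE_ENTRIES = {
    "config/settings.xml": b"<settings/>",
    "../../evil.dll": b"MZ" + b"\x00" * 14,  # stand-in for a planted DLL
}


def build_archive(entries: dict) -> bytes:
    """Build an in-memory ZIP whose entry names are stored exactly as given."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def find_traversal_entries(archive: bytes, dest_dir: str) -> list:
    """Return the entry names that would resolve outside dest_dir.

    The test is on the resolved path, not on a '../' substring, so absolute
    names, backslash separators, Windows drive letters and symlinked
    subdirectories inside dest_dir are all caught.
    """
    dest = os.path.realpath(dest_dir)
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            candidate = os.path.join(dest, name.replace("\\", "/"))
            target = os.path.realpath(candidate)
            try:
                inside = os.path.commonpath([dest, target]) == dest
            except ValueError:  # paths on different drives (Windows)
                inside = False
            if not inside:
                bad.append(name)
    return bad


def extract_vulnerable(archive: bytes, dest_dir: str) -> list:
    """Extract trusting entry names: the behaviour CVE-2018-1002208 describes."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest_dir, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.normpath(target))
    return written


def extract_safe(archive: bytes, dest_dir: str) -> list:
    """Validate every entry first; refuse the whole archive if any would escape."""
    bad = find_traversal_entries(archive, dest_dir)
    if bad:
        raise ValueError("refusing to extract, traversal entries: %r" % bad)
    return extract_vulnerable(archive, dest_dir)  # every name verified above


def run_demo() -> dict:
    """Run both extractors in fresh temp dirs and report what each wrote."""
    archive = build_archive(SAMPLE_ENTRIES)
    result = {}
    # Naive extractor: the planted file lands two levels above dest.
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "a", "b")
    os.makedirs(dest)
    result["traversal"] = find_traversal_entries(archive, dest)
    extract_vulnerable(archive, dest)
    result["naive_planted"] = os.path.exists(os.path.join(root, "evil.dll"))
    # Hardened extractor: whole archive refused, nothing written at all.
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "a", "b")
    os.makedirs(dest)
    try:
        extract_safe(archive, dest)
        result["safe_refused"] = False
    except ValueError:
        result["safe_refused"] = True
    result["safe_planted"] = os.path.exists(os.path.join(root, "evil.dll"))
    result["safe_wrote_benign"] = os.path.exists(
        os.path.join(dest, "config", "settings.xml"))
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The hardened extractor rejects the archive as a whole rather than skipping the offending entry, which avoids leaving a half-written directory behind, and it decides on the resolved path instead of searching for the literal '../' substring, so an entry such as '/etc/cron.d/job', 'C:\Windows\x.dll' or 'link/../../x' under a symlinked subdirectory is refused as well.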
MITRE ATT&CK® Techniques
Exploitation for Client Execution (T1203)
Ingress Tool Transfer (T1105)
DLL Search Order Hijacking (T1574.001)
PowerShell (T1059.001)
File and Directory Discovery (T1083)
Inhibit System Recovery (T1490)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Flaw Remediation
Control ID: SI-2
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA ZTMM 2.0 – Asset Management
Control ID: Pillar 3: Devices
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical infrastructure vulnerability in ABB PCM600 protection control systems enables arbitrary code execution, compromising power grid operations and regulatory compliance requirements.
Oil/Energy/Solar/Greentech
The path traversal flaw in PCM600's archive handling exposes the engineering workstations used to configure the energy sector's protection relays; a crafted archive processed by the tool can lead to code execution on that workstation and, from there, to the relay configurations it manages.
Critical Manufacturing
The CISA-identified critical manufacturing sector faces high risk from the PCM600 flaw, which enables arbitrary code execution on the hosts used to engineer industrial control and protection systems.
Industrial Automation
ABB PCM600 vulnerability exposes industrial automation networks to lateral movement and command control attacks through compromised protection and control IED managers.
Sources
- ABB PCM600 (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-02 (Verified)
- ABB PCM600 Vulnerability Advisory (ABB PSIRT CSAF): https://psirt.abb.com/csaf/2025/2nga002813.json (Verified)
- NVD Entry for CVE-2018-1002208: https://nvd.nist.gov/vuln/detail/CVE-2018-1002208 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it embeds security directly into the cloud fabric, potentially limiting the attacker's ability to move laterally and exfiltrate data.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Network controls do not prevent the extraction bug itself, which runs locally on the engineering workstation, but they constrain where a crafted archive or follow-on tooling can be fetched from and where a compromised host can connect, reducing the likelihood that arbitrary code execution turns into a wider compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges may be constrained, reducing the scope of their access within the system.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement could be restricted, reducing their ability to access other connected devices.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may be constrained, reducing their capacity to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts could be restricted, reducing the volume of sensitive data transferred to external locations.
The attacker's ability to disrupt operations could be constrained, reducing the potential for significant operational downtime.
Impact at a Glance
Affected Business Functions
- Protection and Control System Management
- Substation Automation
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of system configuration files and operational data.
Recommended Actions
Key Takeaways & Next Steps
- Upgrade ABB PCM600 to version 2.14 or later, which remediates CVE-2018-1002208, and confirm no installations in the 1.5 through 2.13 range remain.
- Implement Zero Trust Segmentation to restrict lateral movement from engineering workstations into the network.
- Deploy East-West Traffic Security controls to monitor and control internal traffic flows.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities.
- Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.