CISA Warns of Path Traversal Flaw in ABB CoreSense HM and M10 Devices
CISA has issued an advisory for CVE-2025-3465, a path traversal vulnerability in ABB CoreSense HM and CoreSense M10 products that could allow unauthenticated local attackers to compromise systems and access sensitive data.

CISA published an advisory on May 19, 2026, detailing a path traversal vulnerability (CVE-2025-3465) affecting ABB CoreSense HM and CoreSense M10 products. The flaw, which carries a CVSS v3.1 base score of 7.1 (HIGH), allows an unauthenticated attacker with local access to reach files outside the directory the device's web application is meant to serve, potentially leading to complete system compromise and exposure of sensitive information.
The vulnerability exists in CoreSense HM versions up to and including 2.3.1, and CoreSense M10 versions up to and including 1.4.1.12. ABB has released fixes in CoreSense HM v2.3.4 and CoreSense M10 v1.4.1.31. The products are used across critical infrastructure sectors including Food and Agriculture, Commercial Facilities, and Critical Manufacturing, with deployments worldwide. ABB is headquartered in Switzerland.
According to the advisory, the path traversal is caused by unchecked input data in the file parameter of the CoreSense web application: the supplied value is used to build a file path without validation, so traversal sequences can point it at files outside the intended directory. An attacker who successfully exploits the vulnerability can gain access to restricted directories, leading to system compromise and data exposure. However, exploitation requires local access to the machine hosting the web application, meaning the attacker must already have physical access to the system, or an existing foothold on it, from which the application can be reached on localhost.
ABB's fix restricts file downloads to a designated directory and enforces strict input validation and path sanitization on the file parameter. The company recommends that customers apply the update as soon as practical and configure affected products to restrict local access to authorized users only. CISA also advises minimizing network exposure for control system devices and isolating them from business networks.
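The defect the advisory describes, and the two-part fix (a designated download directory plus path sanitization), as an added example. This is illustrative code written for this article, not ABB's firmware or the advisory's text; the function names, the `download_dir`/`file_param` parameters and the temporary directory layout are assumptions made for the demonstration. The weak resolver shows why an unchecked file parameter walks out of the directory; the hardened one canonicalises both sides (so planted symlinks are caught as well as `../` segments) and uses a containment check that is not fooled by prefix-similar directory names.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested file would resolve outside the download directory."""


def vulnerable_resolve(download_dir: str, file_param: str) -> str:
    # Weak pattern (the class of bug in the advisory): the user-controlled value
    # is appended to the directory with no canonicalisation and no containment
    # check. "../" segments walk out of the directory, and os.path.join silently
    # adopts an absolute path outright.
    return os.path.join(download_dir, file_param)


def safe_resolve(download_dir: str, file_param: str) -> str:
    # Hardened pattern: reject hostile input up front, canonicalise both the
    # base directory and the candidate (following symlinks), then require the
    # candidate to lie strictly inside the base.
    if not file_param or "\x00" in file_param:
        raise PathTraversalError("empty or NUL-containing file parameter")
    if os.path.isabs(file_param):
        raise PathTraversalError("absolute paths are not allowed")

    base = os.path.realpath(download_dir)
    candidate = os.path.realpath(os.path.join(base, file_param))

    # commonpath rather than str.startswith, so that a base of "/srv/downloads"
    # does not accidentally admit "/srv/downloads_secret/...".
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"{file_param!r} escapes the download directory")
    return candidate


def demo() -> dict:
    """Build a throwaway tree and run both resolvers on the same requests.

    Constructed layout (hypothetical, created fresh on each run):
        <tmp>/downloads/report.txt             legitimate download
        <tmp>/secret.txt                       must stay unreachable
        <tmp>/downloads/link -> ../secret.txt  symlink planted inside the directory
    Returns {request: (naive_path, hardened_result)}.
    """
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "downloads")
    os.mkdir(downloads)
    Path(downloads, "report.txt").write_text("quarterly report\n")
    Path(root, "secret.txt").write_text("db password\n")
    os.symlink(os.path.join("..", "secret.txt"), os.path.join(downloads, "link"))

    results = {}
    for req in ("report.txt", "../secret.txt", "/etc/passwd", "link"):
        naive = vulnerable_resolve(downloads, req)
        try:
            hardened = safe_resolve(downloads, req)
        except PathTraversalError as exc:
            hardened = f"rejected: {exc}"
        results[req] = (naive, hardened)
    return results


if __name__ == "__main__":
    for req, (naive, hardened) in demo().items():
        print(f"{req:15} naive -> {naive}\n{'':15} safe  -> {hardened}")
```

Running the block prints, for each request, the path the naive resolver would happily open beside the hardened resolver's verdict; only `report.txt` survives the hardened check, while the `../` request, the absolute path and the planted symlink are all rejected. The symlink case is the one a plain `os.path.normpath` plus prefix check would miss, which is why both the base and the candidate go through `realpath` before comparison.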
CISA noted that ABB received information about this vulnerability through responsible disclosure, and as of the advisory's publication, there were no reports of active exploitation in the wild. The vulnerability does not affect functional safety, and remote exploitation is not possible.
The advisory is part of CISA's ongoing effort to secure industrial control systems (ICS) against vulnerabilities that could disrupt critical infrastructure. Organizations using ABB CoreSense HM or CoreSense M10 are urged to update to the patched versions immediately and follow CISA's recommended practices for securing control system networks.