Vulnerability Description
The vulnerability originates in the commissioning process, where an attacker of the ControlTouch can enter a serial number in a specific way to transfer the device virtually into her/his my.busch-jaeger.de or mybuildings.abb.com profile. A successful attacker can observe and control a ControlTouch remotely under very specific circumstances. The issue is fixed on the cloud side of the system. No firmware update is needed for customer products. Users who want to know whether they are affected should read the advisory. This issue affects: ABB and Busch-Jaeger, ControlTouch.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| ABB | Mybuildings | < 2021-05-03 |
| Busch-Jaeger | Mybusch-Jaeger | < 2021-05-03 |
References
- https://search.abb.com/library/Download.aspx?DocumentID=9AKK107992A3688&LanguageVendor Advisory
FAQ
What is CVE-2021-22272?
CVE-2021-22272 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The vulnerability originates in the commissioning process, where an attacker of the ControlTouch can enter a serial number in a specific way to transfer the device virtually into her/his my.busch-jaeger.d...
How severe is CVE-2021-22272?
CVE-2021-22272 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for a detailed severity breakdown.
Is there a patch for CVE-2021-22272?
Check the references section above for vendor advisories and patch information. Affected products include: ABB Mybuildings, Busch-Jaeger Mybusch-Jaeger.