THE ABB PCM600 ICS Advisory ICSA-26-120-02 was released on 30 April 2026. According to CISA, the advisory states that successful exploitation of this vulnerability could allow an attacker to send specially crafted messages to the system node, resulting in the execution of arbitrary code. The following versions of ABB PCM600 are affected: PCM600 >=1.5|<=2.13, with a CVSS base score of 4.4 (MEDIUM).
The vulnerability is identified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) and is linked to CVE-2018-1002208. Remediation includes ABB PCM600 version 2.14 as a fixed release, notes that RE_630 protection relays are not compatible with PCM600 2.14, and provides mitigation guidance via ABB PSIRT security advisories and CSAF JSON references.
No known public exploitation has been reported to CISA, and the vulnerability is not exploitable remotely, with a high attack complexity noted; ABB PSIRT reported the vulnerability to CISA.