An update has been issued for ABB CoreSense HM and CoreSense M10 to remediate a path traversal vulnerability (CVE-2025-3465) that could allow unauthenticated users to access restricted directories and potentially lead to complete system compromise, according to ABB. The affected products are CoreSense HM <=2.3.1, 2.3.4 and CoreSense M10 <=1.4.1.12, 1.4.1.31, with a CVSS v3 base score of 7.1 (HIGH).
The vendor fix is to apply CoreSense HM v2.3.4 and CoreSense M10 v1.4.1.31, which ABB recommends doing at the earliest convenience. As mitigating factors, the advisory notes that the vulnerability is exploitable only if the attacker has local access to the machine hosting the web application, and that ABB has implemented input validation, path sanitisation, and restricted file downloads to a dedicated content directory.
The advisory emphasises the importance of minimising network exposure and ensuring remote access uses secure methods such as VPN, with further guidance available in the ICS recommendations.
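The three controls named in the fix description (input validation, path sanitisation, and downloads confined to a dedicated content directory) are sketched below in a generic download handler. This is an added illustration, not ABB's code; `resolve_download`, the file-name pattern, and the sample files are assumptions constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: downloadable files are addressed by a flat file name, never a path.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


class DownloadRejected(Exception):
    """Raised when a requested name fails validation or escapes the content root."""


def resolve_download(content_root, requested):
    """Map a client-supplied name to a regular file inside content_root, or raise."""
    # 1. Input validation: allow-list of characters; separators, '%', NUL are rejected.
    if not _NAME_RE.fullmatch(requested) or ".." in requested:
        raise DownloadRejected("invalid file name")
    # 2. Path sanitisation: canonicalise both sides so symlinks are resolved.
    root = Path(content_root).resolve(strict=True)
    candidate = (root / requested).resolve()
    # 3. Containment: the canonical path must stay under the content directory.
    if not candidate.is_relative_to(root):
        raise DownloadRejected("path escapes content directory")
    if not candidate.is_file():
        raise DownloadRejected("not a regular file")
    return candidate


def demo():
    """Run constructed requests against a temporary content directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "content"
        root.mkdir()
        (root / "report.csv").write_text("ok\n")
        (Path(tmp) / "secret.cfg").write_text("outside\n")
        # A symlink inside the root that points outside it passes step 1 only.
        os.symlink(Path(tmp) / "secret.cfg", root / "link.cfg")
        for name in ["report.csv", "../secret.cfg", "..%2fsecret.cfg",
                     "/etc/passwd", "link.cfg", "report.csv\x00.png"]:
            try:
                resolve_download(root, name)
                results[name] = "served"
            except DownloadRejected as exc:
                results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

The symlink case shows why the containment check runs on the canonical path: a name can pass the allow-list and still resolve outside the content directory.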