CISA has republished a critical advisory for ABB’s PCM600 software, flagging a five-year-old path traversal vulnerability that still threatens operational technology environments. The advisory, re-issued on April 30, 2026, underscores the persistent risk posed by CVE-2018-1002208—a Zip Slip flaw in the SharpZipLib library used by PCM600 versions 1.5 through 2.13. Engineering teams managing protection and control IEDs must move quickly: the vulnerability allows attackers to overwrite files and potentially execute arbitrary code, all through a simple malicious archive file.

The Vulnerability Explained

At the heart of this warning lurks CVE-2018-1002208, a classic directory traversal vulnerability inside the archive extraction process. The Zip Slip family of flaws, first publicized in 2018, targets applications that fail to sanitize file paths when decompressing archives. SharpZipLib, a popular .NET compression library, contained such a flaw. When ABB integrated it into PCM600—the Protection and Control IED Manager used to configure, commission, and maintain intelligent electronic devices in power grids—the vulnerability traveled along.

An attacker crafts a zip file with entries that use “../” sequences to escape the intended extraction directory. If a user opens that file with PCM600, the software can write files to arbitrary locations on the engineering workstation. That could mean planting a malicious DLL in a startup folder, modifying configuration scripts, or overwriting system binaries—all leading to remote code execution or complete system compromise. The flaw scores a 7.8 CVSS v3 base severity, categorizing it as high risk.

A Slow Burn in OT Security

Operational technology environments rarely patch with the speed of IT systems. Substations, power plants, and industrial control networks operate under strict uptime mandates and rigorous change management. Patching engineering workstations that run PCM600 might require testing against custom IED configurations, approval from multiple teams, and a scheduled maintenance window. As a result, even after ABB released a fix—version 2.14, which replaced the vulnerable SharpZipLib component—many organizations continued running older releases.

The CISA advisory makes explicit what many in the ICS security community have suspected: this vulnerability hasn’t gone away. It quietly persists across too many installed bases. When CISA republishes an advisory, it often signals that the agency sees active exploitation, proof-of-concept code in circulation, or a notable uptick in scanning. The April 30 reissue includes updated references and may reflect new intelligence about adversaries targeting the energy sector through engineering software.

Why CISA’s Republishing Matters

CISA doesn’t reissue ICS advisories lightly. The original ABB advisory likely dates back to 2020, when ABB first notified customers about the SharpZipLib dependency. Four years later, with the window for routine patching long closed, the republication acts as a final wake-up call. It suggests that utilities, system integrators, and asset owners still have vulnerable instances in production, and that the risk is no longer hypothetical.

The advisory title explicitly warns of “patch compatibility issues.” This phrase hints at a deeper problem: some users may have avoided updating because they feared newer PCM600 versions would break integration with older IEDs or custom configuration tools. ABB maintains a compatibility matrix, and version 2.14 was designed to be backward-compatible for most use cases. Yet the perception of risk often outweighs the actual technical barrier. CISA’s language puts pressure on users to prioritize security over inertia.

What You Need to Patch

ABB’s fix comes in the form of PCM600 version 2.14 and all subsequent releases. Users running any version from 1.5 up to and including 2.13 must upgrade immediately. The updated software replaces SharpZipLib with a patched version or uses a secure archive handling routine that validates paths before extraction. For most organizations, this should be a straightforward update: download the latest installer from ABB’s support portal, uninstall the old version, and deploy the new one. Testing against a staging environment before pushing to production remains essential, but ABB has documented the process thoroughly.
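As an added example (not ABB’s or SharpZipLib’s code), the Python below shows the kind of pre-extraction path validation described above and in the Zip Slip explanation earlier: every entry name is resolved against the destination directory and the whole archive is refused if any entry would escape it. The base directory, entry names and the in-memory sample archives are constructed assumptions for the demonstration.

```python
import io
import os
import zipfile


def is_safe_member(base_dir: str, member_name: str) -> bool:
    """Return True only if the entry would land inside base_dir.

    Catches '../' sequences, absolute paths and backslash separators
    (Windows-built archives), the inputs a Zip Slip extractor mishandles.
    """
    base = os.path.realpath(base_dir)
    # Normalise Windows-style separators so '..\\' is caught on any platform.
    name = member_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(base, name))
    return target == base or target.startswith(base + os.sep)


def unsafe_members(archive_bytes: bytes, base_dir: str = "/tmp/pcm600_import") -> list:
    """List the entries that would escape base_dir; usable as a pre-import check or detection."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [n for n in zf.namelist() if not is_safe_member(base_dir, n)]


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Validate every entry first; refuse the whole archive if any entry is unsafe."""
    bad = unsafe_members(archive_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive: traversal entries {bad}")
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        # Python's zipfile strips leading '..' itself, but the check above
        # must not rely on the library doing so (SharpZipLib did not).
        zf.extractall(dest_dir)
        return zf.namelist()


def build_sample_archive(entries: dict) -> bytes:
    """Constructed in-memory zip for the demo (not a real PCM600 project file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a benign project archive and one carrying a traversal entry.
BENIGN = build_sample_archive({"project/settings.xml": "<cfg/>", "project/ied1.scd": "<SCL/>"})
MALICIOUS = build_sample_archive({"project/settings.xml": "<cfg/>", "../../Startup/evil.dll": "x"})
```

`unsafe_members` can also be run over archives at rest to flag suspicious files before anyone opens them on a PCM600 workstation.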

If upgrading isn’t feasible in the short term, CISA and ABB recommend strict mitigations:
- Never open zip archives from untrusted sources on PCM600 workstations.
- Disable automatic archive extraction if the feature isn’t required for daily operations.
- Implement application allowlisting to prevent the execution of any unexpected binaries.
- Segment engineering workstations from the broader OT and corporate networks to contain any potential breach.
- Monitor file system integrity and watch for unusual file writes outside the expected directories.

Risks of Using Unpatched Software

Running an unpatched version of PCM600 exposes the entire protection and control infrastructure to a chain of failures. An attacker who gains code execution on an engineering workstation can pivot to the IEDs it manages. Imagine altering relay settings, disabling protective functions, or uploading malicious logic to devices that control circuit breakers. The consequences range from localized outages to cascading grid failures.

Beyond the immediate control impact, a compromised engineering workstation becomes a beachhead for lateral movement. Adversaries can harvest credentials, map the network, and identify additional targets. In a recent trend, state-sponsored groups have used engineering software as an entry point into critical infrastructure, exploiting exactly this kind of software supply chain weakness. The age of CVE-2018-1002208 makes it an even more attractive target: defenders often overlook old vulnerabilities because they assume patches have been applied globally.

Mitigation Strategies Beyond Patching

Patching is the definitive fix, but security doesn’t end with a software version number. Organizations should adopt a defense-in-depth posture tailored to engineering workstations:

  • Network segmentation: Place PCM600 hosts in a dedicated DMZ with tightly controlled access. Use firewalls to restrict communication between the engineering network and the rest of the enterprise.
  • Least privilege: Engineers’ user accounts should not have administrative rights on the workstation. That simple step can block most file-writing attacks that rely on planting files in system directories.
  • Application control: Whitelist only the necessary ABB binaries and signed scripts. Block the execution of anything else, including common interpreter engines like PowerShell, if they aren’t needed.
  • Endpoint detection: Deploy EDR tools that can spot anomalous behavior, such as zip extraction that writes to atypical locations.
  • Incident response plan: Assume breach and prepare. Have a runbook that covers rebuilding a workstation from known-good media, revalidating IED configurations, and auditing device logs.

CISA’s advisory also points to the broader issue of third-party library risk in ICS software. PCM600 is far from alone; many industrial applications bundle open-source libraries without rigorous lifecycle management. The Zip Slip vulnerability has been found in countless Java, .NET, and Go libraries. ABB’s case highlights the need for software vendors to adopt automated dependency scanning and to communicate component vulnerabilities to customers transparently.

The OT Industry’s Patch Lag Problem

Why do OT environments lag in patching? The reasons are deeply structural. For a transmission operator, taking a relay management tool offline for an update might require a maintenance window scheduled months in advance. Any change to a validated configuration can trigger a costly recertification process. Meanwhile, the business case for patching is often weighed against the perceived low probability of exploitation in an air-gapped network—even though air-gapping is a myth in modern interconnected grids.

Regulatory pressure is beginning to shift the calculus. North American Electric Reliability Corporation (NERC) CIP standards now mandate timely vulnerability management, and similar frameworks in Europe are growing teeth. CISA’s advisory, coupled with possible exploitation activity, could push utilities to reassess their risk registers. Failing to patch a known vulnerability with a high CVSS score may be seen as negligence, exposing asset owners to regulatory fines or liability after an incident.

A Call to Action for Asset Owners

If your organization uses PCM600, the message is blunt: schedule your upgrade now. Begin by inventorying all workstations running the software. Confirm the version number—found under Help > About—and cross-reference with ABB’s affected versions list. Engage ABB support if you encounter compatibility concerns; there may be hotfixes or configuration workarounds that smooth the transition. Even if you cannot patch immediately, implement the mitigations described above and start planning the update.

For the broader ICS community, this episode reinforces a painful lesson. Vulnerabilities do not expire. When a vendor issues a patch, the clock starts ticking for attackers to reverse-engineer the flaw and launch exploits. The gap between patch release and widespread adoption is the window where adversaries thrive. By republishing the advisory, CISA has made that window visible. The only acceptable response is to close it.

ABB PCM600 remains a trusted tool in thousands of electrical installations worldwide. Its continued safety depends not just on the quality of the code, but on the vigilance of those who maintain it. CVE-2018-1002208 will be a footnote in cybersecurity history, but only if organizations treat it with the urgency it deserves.