CVE-2022-30270
Published: 2022-07-26
Priority P263 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% (49.8th percentile)
The Motorola ACE1000 RTU through 2022-05-02 has default credentials. It exposes an SSH interface on port 22/TCP. This interface is used for remote maintenance and for SFTP file-transfer operations that are part of engineering software functionality. Access to this interface is controlled by 5 preconfigured accounts (root, abuilder, acelogin, cappl, ace), all of which come with default credentials. Although the ACE1000 documentation mentions the root, abuilder and acelogin accounts and instructs users to change the default credentials, the cappl and ace accounts remain undocumented and thus are unlikely to have their credentials changed.
Detection & IOCs (extracted from sources)
- Monitor for SSH authentication attempts on port 22/TCP to Motorola ACE1000 RTUs using any of the five known default accounts: root, abuilder, acelogin, cappl, ace. The 'cappl' and 'ace' accounts are undocumented and especially unlikely to have had credentials rotated.
- Alert on successful SSH logins to ACE1000 RTUs from unexpected source IPs, particularly using the undocumented 'cappl' or 'ace' accounts, which are high-confidence indicators of exploitation since operators are unlikely to have changed those credentials.
- Treat any SSH session to an ACE1000 RTU not originating from a known engineering workstation or maintenance IP as suspicious; the SSH interface is intended only for remote maintenance and SFTP file-transfer operations via engineering software.
- CVE-2022-30270 covers hard-coded SSH credentials across five accounts. A separate but related vulnerability (CVE-2022-30271) covers a hard-coded SSH private key where the initialization script only generates a new key if none exists, meaning the hard-coded key is likely in use by default even after deployment.
- All versions of the Motorola Solutions ACE1000 are affected; there is no patched firmware version. The vendor recommends migrating to the MC-EDGE intelligent RTU as the full resolution.
- No known public exploits specifically target these vulnerabilities at time of advisory publication, but the low attack complexity (CVSS AC:L) and network-reachable attack vector (AV:N) make exploitation straightforward for any attacker with knowledge of the default credentials.
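The three detection bullets above describe log-based checks. The script below is an added example, not code from the advisory or from any vendor or database tooling, that applies those checks to sshd-style syslog lines. The five account names are the ones the advisory lists; the RTU host names (`rtu-substation-01`, `rtu-substation-02`), the maintenance-workstation address (`10.10.5.20`) and the sample log entries are constructed assumptions standing in for an asset inventory and a real log feed.

```python
"""Detection logic for SSH activity against ACE1000 RTUs, applied to constructed
sshd-style syslog lines. Added example; host names, addresses and log entries
are assumptions, not data from the advisory."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# The five preconfigured accounts named in the advisory text.
DEFAULT_ACCOUNTS = {"root", "abuilder", "acelogin", "cappl", "ace"}
# Accounts the ACE1000 documentation never mentions, so rotation is least likely.
UNDOCUMENTED_ACCOUNTS = {"cappl", "ace"}

# Assumed asset data: which syslog host names are ACE1000 RTUs and which source
# addresses belong to approved engineering / maintenance workstations.
ACE1000_HOSTS = {"rtu-substation-01", "rtu-substation-02"}
MAINTENANCE_SOURCES = {"10.10.5.20"}

# Matches OpenSSH "Accepted <method> for <user> from <ip> port <n>" and the
# corresponding "Failed ..." lines, including the "invalid user" variant.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)

@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    host: str
    user: str
    src: str
    result: str     # "Accepted" or "Failed"
    reason: str

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of an sshd Accepted/Failed line, or None for other lines."""
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None

def classify(ev: dict) -> Optional[Finding]:
    """Apply the three detection rules from the advisory notes to one event."""
    if ev["host"] not in ACE1000_HOSTS:
        return None  # only RTUs are in scope for these rules
    user, src, result = ev["user"], ev["src"], ev["result"]
    known_src = src in MAINTENANCE_SOURCES
    if result == "Accepted":
        if user in UNDOCUMENTED_ACCOUNTS:
            sev, reason = "high", "successful login with undocumented default account"
        elif not known_src:
            sev, reason = "high", "successful login from non-maintenance source"
        elif user in DEFAULT_ACCOUNTS:
            sev, reason = "medium", "default account still in use; confirm credentials were rotated"
        else:
            return None  # known workstation, non-default account: expected maintenance
    else:
        if user in DEFAULT_ACCOUNTS:
            sev, reason = "medium", "authentication attempt against default account"
        elif not known_src:
            sev, reason = "low", "failed login from non-maintenance source"
        else:
            return None
    return Finding(sev, ev["host"], user, src, result, reason)

def default_account_sweeps(events, threshold: int = 2):
    """Group attempts by (host, src): one source trying several of the default
    accounts on the same RTU is the signature of a default-credential sweep."""
    tried = defaultdict(set)
    for ev in events:
        if ev["host"] in ACE1000_HOSTS and ev["user"] in DEFAULT_ACCOUNTS:
            tried[(ev["host"], ev["src"])].add(ev["user"])
    return {k: sorted(v) for k, v in tried.items() if len(v) >= threshold}

def analyze(lines):
    """Parse raw log lines, return (per-event findings, sweep summary)."""
    events = [ev for ev in map(parse_line, lines) if ev]
    findings = [f for f in map(classify, events) if f]
    return findings, default_account_sweeps(events)

# Constructed sample log: a sweep of the two undocumented accounts from an
# unknown address, then routine maintenance from the approved workstation.
SAMPLE_LOG = """\
2022-07-26T02:11:09Z rtu-substation-01 sshd[812]: Failed password for cappl from 198.51.100.9 port 40102 ssh2
2022-07-26T02:11:12Z rtu-substation-01 sshd[812]: Failed password for ace from 198.51.100.9 port 40103 ssh2
2022-07-26T02:11:15Z rtu-substation-01 sshd[815]: Accepted password for ace from 198.51.100.9 port 40104 ssh2
2022-07-26T08:30:00Z rtu-substation-02 sshd[901]: Accepted publickey for abuilder from 10.10.5.20 port 50222 ssh2
2022-07-26T08:31:00Z rtu-substation-02 sshd[905]: Accepted password for eng_smith from 10.10.5.20 port 50223 ssh2
2022-07-26T08:32:00Z fileserver-01 sshd[33]: Accepted password for root from 198.51.100.9 port 41000 ssh2
2022-07-26T09:00:00Z rtu-substation-01 sshd[820]: Failed password for invalid user admin from 203.0.113.4 port 3333 ssh2
2022-07-26T09:00:05Z rtu-substation-01 sshd[820]: Connection closed by 203.0.113.4 port 3333 [preauth]
"""

if __name__ == "__main__":
    found, sweeps = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"[{f.severity}] {f.host} user={f.user} src={f.src} {f.result}: {f.reason}")
    for (host, src), users in sweeps.items():
        print(f"[sweep] {src} tried default accounts {users} on {host}")
```

The severity ordering follows the bullets: a successful login as 'cappl' or 'ace' is the strongest signal because those accounts are undocumented; a successful login from outside the maintenance allowlist is equally urgent; a documented default account used from an approved workstation is only a configuration-hygiene finding. Failed attempts against the default accounts are kept so that the sweep summary can surface a source walking the account list even when no login succeeds.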
GHSA
GHSA-mm5x-xpmp-2mrh (ghsa_unreviewed · 2022-07-27) · CVE-2022-30270 [CRITICAL] CWE-798: The Motorola ACE1000 RTU through 2022-05-02 has default credentials
CISA ICS
[CRITICAL] Motorola Solutions ACE1000 (cisa_ics · 2022-06-28 · CVSS 9.8)
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
ICS Advisory
## Motorola Solutions ACE1000
Last Revised: June 28, 2022
Alert Code: ICSA-22-179-06
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Motorola Solutions
- Equipment: ACE1000
- Vulnerabilities: Use of Hard-coded Cryptographic Key, Use of Hard-coded Credentials, Insufficient Verification of Data Authenticity
CISA is aware of a public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing this advisory to provide notice of the reported vulnerabilities and
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
CWE
[HIGH] CWE-1392: Use of Default Credentials (mitre_cwe · CVSS 8.1)
The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
It is common practice for products to be designed to use default keys, passwords, or other mechanisms for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, it is easier for attackers to bypass authentication quickly across multiple organizations.
Modes of Introduction:
Phase: Architecture and Design
Common Consequences:
Scope: Authentication. Impact: Gain Privileges or Assume Identity.
Potential Mitigations:
[Requirements] Prohibit use of default, hard-coded, or other values that
CWE
CWE-1393: Use of Default Password (mitre_cwe)
The product uses default passwords for potentially critical functionality.
It is common practice for products to be designed to use default passwords for authentication. The rationale is to simplify the manufacturing process or the system administrator's task of installation and deployment into an enterprise. However, if admins do not change the defaults, then it makes it easier for attackers to quickly bypass authentication across multiple organizations. There are many lists of default passwords and default-password scanning tools that are easily available from the World Wide Web.
Modes of Introduction:
Phase: Architecture and Design
Common Consequences:
Scope: Authentication. Impact: Gain Privileges or Assume Identity.
Potential Mitigations:
[Requir
CWE
CWE-1391: Use of Weak Credentials (mitre_cwe)
The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker.
By design, authentication protocols try to ensure that attackers must perform brute force attacks if they do not know the credentials such as a key or password. However, when these credentials are easily predictable or even fixed (as with default or hard-coded passwords and keys), then the attacker can defeat the mechanism without relying on brute force. Credentials may be weak for different reasons, such as:
- Hard-coded (i.e., static and unchangeable by the administrator)
- Default (i.e., the same static value across different deployments/installations, but able to be changed by the administrator)
- Predictable
Published: 2022-07-26