CVE-2022-30270
published 2022-07-26

Priority: P263 | critical | CVSS 3.1: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% (49.8th percentile)
The Motorola ACE1000 RTU through 2022-05-02 has default credentials. It exposes an SSH interface on port 22/TCP. This interface is used for remote maintenance and for SFTP file-transfer operations that are part of engineering software functionality. Access to this interface is controlled by 5 preconfigured accounts (root, abuilder, acelogin, cappl, ace), all of which come with default credentials. Although the ACE1000 documentation mentions the root, abuilder and acelogin accounts and instructs users to change the default credentials, the cappl and ace accounts remain undocumented and thus are unlikely to have their credentials changed.

Detection & IOCs

Port: 22/TCP
  • Monitor for SSH authentication attempts on port 22/TCP to Motorola ACE1000 RTUs using any of the five known default accounts: root, abuilder, acelogin, cappl, ace. The 'cappl' and 'ace' accounts are undocumented and especially unlikely to have had credentials rotated.
  • Alert on successful SSH logins to ACE1000 RTUs from unexpected source IPs, particularly using the undocumented 'cappl' or 'ace' accounts, which are high-confidence indicators of exploitation since operators are unlikely to have changed those credentials.
  • Treat any SSH session to an ACE1000 RTU not originating from a known engineering workstation or maintenance IP as suspicious; the SSH interface is intended only for remote maintenance and SFTP file-transfer operations via engineering software.
  • CVE-2022-30270 covers hard-coded SSH credentials across five accounts. A separate but related vulnerability (CVE-2022-30271) covers a hard-coded SSH private key where the initialization script only generates a new key if none exists, meaning the hard-coded key is likely in use by default even after deployment.
  • All versions of the Motorola Solutions ACE1000 are affected; there is no patched firmware version. The vendor recommends migrating to the MC-EDGE intelligent RTU as the full resolution.
  • No known public exploits specifically target these vulnerabilities at the time of advisory publication, but the low attack complexity (CVSS AC:L) and network-reachable attack vector (AV:N) make exploitation straightforward for any attacker with knowledge of the default credentials.
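
The three monitoring rules above, sketched as an added example (not part of the original page or any vendor tooling). It assumes OpenSSH-style sshd messages are collected from the RTU or a log collector; the log lines, the host name `rtu1` and the 192.0.2.0/24 engineering network are constructed.

```python
import ipaddress
import re

# The five preconfigured accounts named in the advisory.
DEFAULT_ACCOUNTS = {"root", "abuilder", "acelogin", "cappl", "ace"}
UNDOCUMENTED = {"cappl", "ace"}

# Assumption: OpenSSH-style sshd messages; adapt the pattern to your log source.
AUTH_RE = re.compile(
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def triage(lines, allowed_networks):
    """Return (severity, user, source, reason) for each suspicious auth event."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    alerts = []
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        user, src = m["user"], m["src"]
        try:
            known = any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:
            known = False  # an unparsable source is never treated as trusted
        if m["result"] == "Failed":
            if user in DEFAULT_ACCOUNTS:
                alerts.append(("low", user, src, "attempt on default account"))
        elif not known:
            if user in UNDOCUMENTED:
                sev, why = "critical", "undocumented account from unexpected source"
            elif user in DEFAULT_ACCOUNTS:
                sev, why = "high", "default account from unexpected source"
            else:
                sev, why = "medium", "session from non-maintenance source"
            alerts.append((sev, user, src, why))
    return alerts

# Constructed sample log lines (documentation IP ranges, hypothetical host "rtu1").
SAMPLE_LOG = [
    "Jul 26 10:01:02 rtu1 sshd[411]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "Jul 26 10:01:09 rtu1 sshd[411]: Accepted password for ace from 198.51.100.7 port 40120 ssh2",
    "Jul 26 10:05:00 rtu1 sshd[420]: Accepted password for abuilder from 192.0.2.15 port 51000 ssh2",
    "Jul 26 10:07:30 rtu1 sshd[431]: Accepted password for abuilder from 203.0.113.9 port 52211 ssh2",
    "Jul 26 10:09:00 rtu1 sshd[440]: Failed password for invalid user admin from 203.0.113.9 port 52300 ssh2",
]
ENGINEERING_NETS = ["192.0.2.0/24"]  # assumed maintenance/engineering network
```

Calling `triage(SAMPLE_LOG, ENGINEERING_NETS)` yields one low, one critical and one high alert; the login from 192.0.2.15 is inside the allowed network and is not reported.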