<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ABB — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/abb/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 30 Apr 2026 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/abb/feed.xml" rel="self" type="application/rss+xml"/><item><title>ABB System 800xA and Symphony Plus IEC 61850 Denial-of-Service Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-iec61850-dos/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-iec61850-dos/</guid><description>A vulnerability in ABB's IEC 61850 communication stack allows a remote attacker with access to the IEC 61850 network to cause a denial-of-service condition by sending a specially crafted packet, leading to device faults or communication driver crashes.</description><content:encoded><![CDATA[<p>ABB System 800xA and Symphony Plus IEC 61850 products are vulnerable to a denial-of-service attack due to improper validation of input within the IEC 61850 communication stack. This affects specific modules within the AC800M, Symphony Plus SD Series, Symphony Plus MR, and S+ Operations product lines. An attacker with network access to the IEC 61850 network can exploit this vulnerability by sending a specially crafted 61850 packet. 
Exploitation causes device faults in the PM 877, CI850, and CI868 modules, which then require a manual restart, or makes the S+ Operations IEC 61850 connectivity unavailable by crashing its communication driver. The System 800xA IEC61850 Connect is not affected. The issue was reported to ABB by Hitachi Energy and affects firmware versions prior to the patched releases listed in ABB&rsquo;s advisory.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains network access to the targeted IEC 61850 network.</li>
<li>Attacker identifies a vulnerable ABB device (PM 877, CI850, CI868 modules, or S+ Operations node).</li>
<li>Attacker crafts a malicious IEC 61850 packet specifically designed to exploit the input validation vulnerability (CVE-2025-3756).</li>
<li>Attacker sends the crafted packet to the targeted vulnerable ABB device via the IEC 61850 network.</li>
<li>The vulnerable device processes the malicious packet.</li>
<li>Due to the input validation flaw, the processing of the crafted packet triggers a fault condition in PM 877, CI850, or CI868 modules, or a crash in the S+ Operations IEC 61850 communication driver.</li>
<li>The affected module or node becomes unavailable, resulting in a denial-of-service.</li>
<li>For PM 877, CI850, and CI868 modules, manual restart of the device is required to restore functionality. S+ Operations requires restarting the IEC 61850 communication driver.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability can disrupt critical industrial control processes. Affected sectors include Chemical, Critical Manufacturing, Energy, and Water/Wastewater. A successful attack can lead to temporary loss of control and monitoring capabilities, potentially causing process disruptions, safety incidents, or environmental damage. The vulnerability affects devices deployed worldwide. While the S+ Operations node&rsquo;s overall functionality remains available, the loss of IEC 61850 communication can still impede operations relying on this protocol.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patched releases listed in ABB&rsquo;s advisory to affected System 800xA and Symphony Plus IEC 61850 products; the advisory gives the fixed version for each affected module and for S+ Operations.</li>
<li>Segment and isolate IEC 61850 networks using firewalls to prevent unauthorized access and lateral movement. Implement strict access control policies to limit access to these networks.</li>
<li>Monitor the IEC 61850 network for unexpected clients and malformed traffic that may indicate exploitation attempts, and restrict connections to the IEDs and controllers to an allowlist of known-good IEC 61850 clients.</li>
<li>Deploy the Sigma rule &ldquo;Detect Suspicious IEC 61850 Traffic&rdquo; to detect potential exploitation attempts based on unexpected network activity.</li>
<li>Enable and review firewall logs to identify and block potentially malicious traffic attempting to reach vulnerable ABB devices.</li>
</ul>
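<p>Added example, not part of the feed and not ABB&rsquo;s detection content: the allowlist check from the recommendations above, run over constructed Zeek-style connection records. It assumes the IEC 61850 clients talk MMS over TCP port 102 (ISO-TSAP), the standard transport for MMS; GOOSE and Sampled Values are Layer 2 multicast and do not appear in such records. The subnet, client addresses and the records themselves are made up.</p>

```python
"""Added example, not from the feed or ABB: an allowlist check for IEC 61850
MMS client connections over constructed Zeek-style conn records. MMS runs
over TCP/102 (ISO-TSAP); GOOSE and Sampled Values are Layer 2 multicast and
are not visible here. Addresses and inventory are made up."""
import ipaddress

# Constructed inventory: the IEDs/controllers on the 61850 network and the
# clients (S+ Operations connectivity, engineering station) allowed to poll them.
IED_SUBNET = ipaddress.ip_network("10.61.85.0/24")
ALLOWED_CLIENTS = {
    ipaddress.ip_address("10.61.80.10"),  # S+ Operations 61850 connectivity (hypothetical)
    ipaddress.ip_address("10.61.80.11"),  # engineering station (hypothetical)
}
MMS_PORT = 102

# Constructed conn records: ts, src, dst, dst_port, proto, conn_state, bytes
SAMPLE_CONN = [
    "1714478400.1\t10.61.80.10\t10.61.85.21\t102\ttcp\tSF\t4210",
    "1714478401.2\t10.61.80.11\t10.61.85.22\t102\ttcp\tSF\t1980",
    "1714478405.0\t10.61.80.99\t10.61.85.21\t102\ttcp\tS0\t0",
    "1714478405.3\t10.61.80.99\t10.61.85.22\t102\ttcp\tREJ\t0",
    "1714478406.0\t10.61.80.99\t10.61.85.23\t102\ttcp\tS0\t0",
    "1714478410.0\t192.168.5.4\t10.61.85.21\t102\ttcp\tS1\t64",
    "1714478412.0\t10.61.80.10\t10.61.85.21\t443\ttcp\tSF\t900",  # not MMS, ignored
]


def parse_conn(line: str) -> dict:
    """Split one tab-separated record into typed fields."""
    ts, src, dst, dport, proto, state, nbytes = line.rstrip("\n").split("\t")
    return {
        "ts": float(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "proto": proto,
        "state": state,
        "bytes": int(nbytes),
    }


def unexpected_mms_clients(lines) -> list:
    """Return records where an address outside ALLOWED_CLIENTS opened TCP/102
    to a host in IED_SUBNET. On a network that should only carry traffic from
    known clients, any hit is a policy violation worth investigating."""
    hits = []
    for line in lines:
        rec = parse_conn(line)
        if rec["proto"] != "tcp" or rec["dport"] != MMS_PORT:
            continue
        if rec["dst"] not in IED_SUBNET:
            continue
        if rec["src"] not in ALLOWED_CLIENTS:
            hits.append(rec)
    return hits


def summarize(hits) -> dict:
    """Group violations by source. A host that touched many IEDs and mostly
    failed to connect (Zeek states S0/REJ) looks like a scan, not a stray client."""
    out = {}
    for h in hits:
        entry = out.setdefault(str(h["src"]), {"connections": 0, "failed": 0, "ieds": set()})
        entry["connections"] += 1
        entry["failed"] += 1 if h["state"] in ("S0", "REJ") else 0
        entry["ieds"].add(str(h["dst"]))
    return {
        src: {"connections": e["connections"], "failed": e["failed"],
              "distinct_ieds": len(e["ieds"])}
        for src, e in out.items()
    }


if __name__ == "__main__":
    for src, info in summarize(unexpected_mms_clients(SAMPLE_CONN)).items():
        print(f"{src}: {info['connections']} MMS connection(s) to "
              f"{info['distinct_ieds']} IED(s), {info['failed']} failed")
```

<p>The rule fires on every non-allowlisted connection; the summary only orders the triage, so that a source touching several IEDs with mostly failed connections (a scan) is looked at before a single stray session.</p>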
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>ics</category><category>denial-of-service</category><category>industrial-control-system</category><category>iec61850</category></item><item><title>ABB PCM600 Path Traversal Vulnerability (CVE-2018-1002208)</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-pcm600-path-traversal/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-pcm600-path-traversal/</guid><description>A path traversal vulnerability in the SharpZip.dll archive library shipped with ABB PCM600 versions 1.5 through 2.13 (CVE-2018-1002208) allows a local attacker with low privileges to write files outside the intended extraction directory and execute arbitrary code.</description><content:encoded><![CDATA[<p>ABB PCM600 versions 1.5 through 2.13 are vulnerable to a path traversal flaw (CVE-2018-1002208) in the bundled SharpZip.dll archive library: entry names in a crafted archive are not validated before extraction, so files can be written outside the intended directory (the Zip Slip pattern). Successful exploitation enables a local attacker with low privileges to execute arbitrary code on the affected system. PCM600 is the software used to configure and manage protection and control IEDs (Intelligent Electronic Devices) in critical infrastructure; the advisory names critical manufacturing as the affected sector. ABB recommends updating to PCM600 version 2.14 to remediate this vulnerability. The vulnerability was reported to CISA by ABB PSIRT.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains low-privilege access to the target system running a vulnerable ABB PCM600 version.</li>
<li>The attacker crafts an archive whose entry names contain path traversal sequences such as <code>../</code> (the Zip Slip pattern behind CVE-2018-1002208).</li>
<li>The attacker gets PCM600 to open the archive, which it extracts with the vulnerable SharpZip.dll.</li>
<li>SharpZip.dll joins each entry name onto the extraction directory without checking that the resulting path stays inside it.</li>
<li>The path traversal vulnerability allows the attacker to write arbitrary files to locations outside the intended directory.</li>
<li>The attacker leverages the file write capability to place a malicious executable or library in a trusted location.</li>
<li>The attacker triggers the execution of the malicious code, achieving arbitrary code execution on the system.</li>
<li>The attacker can then perform actions such as escalating privileges, installing malware, or disrupting industrial processes.</li>
</ol>
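<p>The extraction flaw in the chain above, as an added example (not PCM600&rsquo;s or SharpZipLib&rsquo;s code): a vulnerable extractor that joins archive entry names onto the destination directory, beside a hardened one that resolves each name and refuses anything that escapes. The archive, its entry names and the directory layout are constructed for the example.</p>

```python
"""Added example (not PCM600 or SharpZipLib code): the Zip Slip pattern
behind CVE-2018-1002208 as a vulnerable extractor beside a hardened one.
The archive is constructed in memory; the entry names are made up."""
import io
import os
import tempfile
import zipfile


def build_malicious_archive() -> bytes:
    """Constructed sample: one benign entry plus one whose name walks out of
    the extraction directory, which is the shape of a Zip Slip payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/ied.xml", "<ied/>")
        # Entry names are attacker-controlled and are stored verbatim.
        zf.writestr("../../startup/payload.dll", b"MZ...")
    return buf.getvalue()


def extract_vulnerable(archive: bytes, dest: str) -> list:
    """Joins each entry name onto dest and writes, never checking where the
    joined path ends up (the bug class). Returns the paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            target = os.path.normpath(os.path.join(dest, info.filename))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def safe_target(dest: str, name: str) -> str:
    """Resolve an entry name under dest and refuse anything that escapes it.
    The check is on the resolved path, so '..', absolute names and backslash
    separators are all caught without pattern-matching on '..'."""
    base = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(base, name.replace("\\", "/")))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry escapes extraction directory: {name!r}")
    return target


def extract_hardened(archive: bytes, dest: str) -> list:
    """Validate every entry before touching the disk, so a bad archive is
    rejected whole rather than partially extracted."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        plan = [(info, safe_target(dest, info.filename)) for info in zf.infolist()]
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(target)
    return written


def escaping_entries(archive: bytes) -> list:
    """Names that would not resolve under a clean extraction directory; a
    cheap pre-check to run on any archive before handing it to a library."""
    bad = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for name in zf.namelist():
            try:
                safe_target("probe", name)
            except ValueError:
                bad.append(name)
    return bad


def demo() -> dict:
    """Run both extractors on the constructed archive in a scratch directory
    and report what each did."""
    archive = build_malicious_archive()
    result = {"escaping": escaping_entries(archive)}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "pcm600", "import")
        base = os.path.realpath(dest)
        written = extract_vulnerable(archive, dest)
        result["vulnerable_outside"] = [
            p for p in written
            if os.path.commonpath([base, os.path.realpath(p)]) != base
        ]
        try:
            extract_hardened(archive, dest)
            result["hardened_refused"] = False
        except ValueError:
            result["hardened_refused"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

<p>The hardened version checks the resolved path rather than searching names for <code>..</code>, which also catches absolute entry names and backslash separators, and it validates every entry before writing any, so a malicious archive is rejected whole instead of partially extracted. The same <code>safe_target</code> comparison applied to file-creation events (each written path against the expected import directory) is the basis for the file-creation monitoring recommended for this vulnerability.</p>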
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2018-1002208 can lead to arbitrary code execution on systems running vulnerable ABB PCM600 versions. The advisory names critical manufacturing as the affected sector and reports no victim counts, but because the tool sits in industrial control environments the risk is significant: a successful attack could disrupt manufacturing processes, cause equipment damage, or lead to data breaches.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to ABB Protection and control IED manager PCM600 version 2.14 to address CVE-2018-1002208 as per the vendor&rsquo;s recommendation.</li>
<li>If using RE_630 protection relays with older PCM600 versions, implement system-level defenses as described in ABB&rsquo;s security advisory 2NGA002813.</li>
<li>Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet, as recommended by CISA.</li>
<li>Monitor file creation events for suspicious file paths that may indicate path traversal attempts exploiting CVE-2018-1002208, using a rule similar to the example provided.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>ics</category><category>path traversal</category><category>industrial control system</category></item><item><title>ABB Edgenius Management Portal Authentication Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-edgenius-auth-bypass/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-edgenius-auth-bypass/</guid><description>An authentication bypass vulnerability in ABB Edgenius Management Portal versions 3.2.0.0 and 3.2.1.1 allows attackers to execute arbitrary code and modify application configurations by sending a specially crafted message to the system node.</description><content:encoded><![CDATA[<p>ABB Edgenius Management Portal versions 3.2.0.0 and 3.2.1.1 are vulnerable to an authentication bypass (CVE-2025-10571). An attacker who has gained network access to a vulnerable Edgenius deployment can send a specially crafted message to the system node, bypassing authentication controls. Successful exploitation allows an attacker to install and run arbitrary code, uninstall applications, and modify the configuration of installed applications. ABB reported this vulnerability to CISA. ABB has released version 3.2.2.0 to address the vulnerability. As a mitigation, ABB advises customers to disable the Edgenius Management Portal until the upgrade can be applied.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to the network where the Edgenius Management Portal is deployed.</li>
<li>The attacker identifies a vulnerable ABB Edgenius Management Portal instance (versions 3.2.0.0 or 3.2.1.1).</li>
<li>The attacker crafts a malicious message designed to exploit the authentication bypass vulnerability (CVE-2025-10571).</li>
<li>The attacker sends the specially crafted message to the system node of the Edgenius Management Portal.</li>
<li>The vulnerable Edgenius Management Portal improperly processes the crafted message, bypassing authentication.</li>
<li>The attacker leverages the bypassed authentication to install and execute arbitrary code on the system.</li>
<li>The attacker uninstalls applications, further compromising the system&rsquo;s functionality.</li>
<li>The attacker modifies the configuration of installed applications to maintain persistence and control.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to gain full control over the ABB Edgenius Management Portal. The attacker can install malicious software, uninstall critical applications, and modify configurations, leading to significant disruption of industrial processes, data theft, or further lateral movement within the OT network. Affected sectors include critical manufacturing and information technology, with deployments worldwide.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade to ABB Ability Edgenius version 3.2.2.0 to remediate CVE-2025-10571, as this version contains the vendor fix.</li>
<li>Until the upgrade is applied, disable the Edgenius Management Portal to mitigate the vulnerability as recommended by ABB.</li>
<li>Minimize network exposure for all control system devices by ensuring they are not accessible from the internet, as suggested by CISA.</li>
<li>Locate control system networks and remote devices behind firewalls, isolating them from business networks per CISA recommendations.</li>
<li>Implement the Sigma rule &ldquo;Detect ABB Edgenius Management Portal Exploitation Attempt&rdquo; to identify potential exploitation attempts based on network traffic patterns.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>abb</category><category>edgenius</category><category>authentication bypass</category><category>CVE-2025-10571</category><category>critical infrastructure</category></item><item><title>ABB AWIN Gateway Vulnerabilities Allow Remote Reboot and Information Disclosure</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-awin-gateways/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-awin-gateways/</guid><description>Multiple vulnerabilities in ABB AWIN Gateways allow an unauthenticated attacker to remotely reboot the device (CVE-2025-13778) or disclose sensitive system configuration details (CVE-2025-13777, CVE-2025-13779).</description><content:encoded><![CDATA[<p>ABB AWIN Gateways are vulnerable to multiple security flaws that can be exploited by unauthenticated attackers. Affected devices are the AWIN GW100 rev.2 running firmware 2.0-0 or 2.0-1 and the AWIN GW120 running firmware 1.2-0 or 1.2-1. Successful exploitation can force a reboot of the device (a denial-of-service condition) or disclose sensitive system configuration information, putting the critical manufacturing installations that rely on these gateways at risk. The flaws are an authentication bypass and missing authentication for critical functions. Firmware 2.1-0 for the GW100 rev.2 and firmware 2.0-0 for the GW120 address these issues.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies an exposed ABB AWIN Gateway on a network (likely adjacent network).</li>
<li>Attacker sends a crafted, unauthenticated request to the targeted gateway to trigger CVE-2025-13778.</li>
<li>The ABB AWIN Gateway processes the request without authentication.</li>
<li>The gateway initiates a reboot, causing a denial-of-service condition.</li>
<li>Alternatively, the attacker sends another crafted, unauthenticated request to trigger CVE-2025-13777 or CVE-2025-13779.</li>
<li>The gateway responds to the request, disclosing sensitive system configuration information.</li>
<li>The attacker uses the disclosed information to gain further insight into the network and potentially plan further attacks.</li>
</ol>
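<p>Added example, not AWIN firmware: the two weakness classes named above, an authentication bypass and missing authentication for a critical function, usually come down to per-handler checks where one handler forgot. The first dispatcher below shows that failure; the second authenticates every action through one gate and denies by default. The action names, tokens, roles and session store are hypothetical, and the real AWIN request format is not described on this page.</p>

```python
"""Added example, not AWIN code: CWE-306 (missing authentication for a
critical function) as a per-handler check forgotten on one action, beside a
dispatcher that authenticates centrally and denies by default. Action names,
tokens and the session store are hypothetical."""
import hmac

# Constructed session store: token -> role
SESSIONS = {"tok-operator-1": "operator", "tok-admin-1": "admin"}


def _role(token):
    """Look up a session without a dict lookup on an attacker-supplied
    string: compare against each known token in constant time."""
    if token is None:
        return None
    for known, role in SESSIONS.items():
        if hmac.compare_digest(known.encode(), token.encode()):
            return role
    return None


def handle_vulnerable(action: str, token=None) -> str:
    """Each handler does its own check. 'get_config' remembered; 'reboot'
    did not, so an unauthenticated caller can reboot the device."""
    if action == "status":
        return "ok"                          # intentionally public
    if action == "get_config":
        if _role(token) is None:
            return "401 unauthorized"
        return "config: {...}"
    if action == "reboot":
        return "rebooting"                   # missing check (CWE-306)
    return "404"


# Hardened: one gate in front of every handler. Anything not explicitly
# public needs a session, and state-changing actions need the admin role.
PUBLIC = {"status"}
MIN_ROLE = {"get_config": "operator", "reboot": "admin"}
RANK = {"operator": 1, "admin": 2}


def handle_hardened(action: str, token=None) -> str:
    """Default deny: an action with no entry in MIN_ROLE is refused even to
    admins, so a newly added handler cannot ship without a policy line."""
    if action not in PUBLIC:
        role = _role(token)
        needed = MIN_ROLE.get(action)
        if role is None or needed is None or RANK[role] < RANK[needed]:
            return "401 unauthorized"
    if action == "status":
        return "ok"
    if action == "get_config":
        return "config: {...}"
    if action == "reboot":
        return "rebooting"
    return "404"


if __name__ == "__main__":
    for action in ("status", "get_config", "reboot"):
        print(f"{action:10s} unauthenticated: vulnerable={handle_vulnerable(action)!r} "
              f"hardened={handle_hardened(action)!r}")
    print("reboot as operator:", handle_hardened("reboot", "tok-operator-1"))
    print("reboot as admin:   ", handle_hardened("reboot", "tok-admin-1"))
```

<p>The point of the second dispatcher is where the check lives: a single gate that every request passes before any handler runs means a missing per-handler check cannot expose a critical function, and the policy table is a short, reviewable list of what each action requires.</p>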
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities can have significant impacts, particularly within critical manufacturing sectors where these gateways are deployed. A remote reboot (CVE-2025-13778) can disrupt operations, leading to production downtime and financial losses. Disclosure of sensitive system configuration information (CVE-2025-13777, CVE-2025-13779) can provide attackers with valuable insights, enabling them to plan further attacks, such as gaining unauthorized access to other systems or manipulating industrial processes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately patch affected ABB AWIN Gateways to the fixed versions (ABB AWIN Firmware 2.1-0 installed on ABB AWIN GW100 rev. 2 and ABB AWIN Firmware 2.0-0 installed on ABB AWIN GW120) as recommended in the ABB PSIRT security advisory 4JNO000329.</li>
<li>Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet as recommended by CISA.</li>
<li>Monitor network traffic for unauthenticated requests to ABB AWIN Gateways, specifically targeting endpoints related to system reboot or configuration retrieval using the provided Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>ics</category><category>vulnerability</category><category>industrial_control_systems</category></item><item><title>ABB Ability Symphony Plus Engineering Vulnerabilities Allow Remote Code Execution</title><link>https://feed.craftedsignal.io/briefs/2026-04-abb-symphony-vulns/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-abb-symphony-vulns/</guid><description>Multiple vulnerabilities in ABB Ability Symphony Plus Engineering, stemming from underlying PostgreSQL flaws, could allow a remote attacker with network access to execute arbitrary code and compromise the system.</description><content:encoded><![CDATA[<p>ABB Ability Symphony Plus Engineering versions 2.2 through 2.4 SP2 are susceptible to multiple vulnerabilities originating in the included PostgreSQL database. An attacker gaining access to the S+ Client Server network could exploit CVE-2023-5869 (Integer Overflow), CVE-2023-39417 (SQL Injection), and CVE-2024-7348 (TOCTOU race condition) to execute arbitrary code and potentially compromise the entire ABB system. This poses a significant risk to organizations in critical infrastructure sectors, including Chemical, Critical Manufacturing, Energy, and Water/Wastewater, as these systems are vital for operational control and safety. Successful exploitation could result in loss of control, data breaches, or disruption of essential services. ABB released S+ Engineering 2.4 SP2 RU1 in December 2024 as a fix.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains initial access to the target network, specifically the S+ Client Server network, possibly through existing vulnerabilities or misconfigurations.</li>
<li>Attacker authenticates to the PostgreSQL database server used by ABB Ability Symphony Plus Engineering.</li>
<li>Attacker exploits CVE-2023-5869 by providing crafted data to trigger an integer overflow, enabling arbitrary code execution.</li>
<li>Alternatively, the attacker exploits CVE-2023-39417 by injecting malicious SQL code through extension scripts, leading to arbitrary code execution with administrator privileges.</li>
<li>Alternatively, the attacker exploits CVE-2024-7348, a TOCTOU race condition in the pg_dump utility: while a privileged user runs pg_dump, the attacker swaps a relation for one that invokes attacker-controlled SQL functions, which then execute with the privileges of the user running the dump.</li>
<li>The attacker executes arbitrary code within the context of the compromised ABB Ability Symphony Plus Engineering application or the underlying PostgreSQL database.</li>
<li>The attacker leverages the compromised system to move laterally within the OT network, potentially targeting other critical systems or data repositories.</li>
<li>Attacker achieves complete compromise of the ABB Ability Symphony Plus Engineering system, allowing manipulation of industrial processes, data exfiltration, or denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities in ABB Ability Symphony Plus Engineering can have severe consequences, particularly in critical infrastructure sectors. Affected sectors include chemical, critical manufacturing, energy, and water/wastewater facilities worldwide. A compromised system could allow attackers to manipulate industrial processes, leading to equipment damage, environmental incidents, or disruption of essential services like power generation or water treatment. The vulnerabilities could allow attackers to gain unauthorized access to sensitive data, intellectual property, or control systems, resulting in significant financial losses, reputational damage, and potential safety risks.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade ABB Ability Symphony Plus Engineering to version 2.4 SP2 RU1 (released in December 2024) or later, as recommended by ABB, to address the identified vulnerabilities (Vendor fix).</li>
<li>Review and enforce network segmentation and firewall configurations to restrict access to the S+ client/server network, mitigating the risk of external attackers exploiting these vulnerabilities (Mitigation).</li>
<li>Monitor network traffic for suspicious activity indicative of PostgreSQL exploitation attempts. Deploy the Sigma rule <code>Detect Suspicious PostgreSQL Utility Execution</code> to identify potential exploitation of CVE-2024-7348.</li>
<li>Enable logging of PostgreSQL queries and analyze logs for SQL injection attempts, specifically looking for suspicious use of extension scripts. Deploy the Sigma rule <code>Detect SQL Injection in PostgreSQL Logs</code> to identify potential exploitation of CVE-2023-39417.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>vulnerability</category><category>ics</category><category>postgresql</category></item><item><title>ABB Ability OPTIMAX Authentication Bypass Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-optimax-auth-bypass/</link><pubDate>Thu, 30 Apr 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-optimax-auth-bypass/</guid><description>CVE-2025-14510 allows an attacker to bypass Azure Active Directory Single-Sign On authentication in vulnerable ABB Ability OPTIMAX versions, potentially granting unauthorized access to critical infrastructure systems.</description><content:encoded><![CDATA[<p>A critical vulnerability, CVE-2025-14510, affects ABB Ability OPTIMAX versions that utilize Azure Active Directory (Azure AD) for Single-Sign On (SSO) authentication. This flaw stems from an incorrect implementation of the authentication algorithm, potentially allowing attackers to bypass the Azure AD authentication mechanism and gain unauthorized access to the OPTIMAX system. The affected versions include ABB Ability OPTIMAX 6.1 and 6.2 (all versions), 6.3 versions prior to 6.3.1-251120, and 6.4 versions prior to 6.4.1-251120. Successful exploitation could lead to significant disruption in energy, water, and wastewater sectors. The vulnerability was reported to CISA by ABB PSIRT.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies an ABB Ability OPTIMAX installation using Azure AD SSO with a vulnerable version (6.1, 6.2, 6.3 &lt; 6.3.1-251120, or 6.4 &lt; 6.4.1-251120).</li>
<li>The attacker crafts a malicious authentication request, exploiting the incorrect implementation of the authentication algorithm (CWE-303).</li>
<li>The crafted request bypasses the expected Azure AD authentication checks within OPTIMAX.</li>
<li>OPTIMAX incorrectly validates the attacker&rsquo;s session, granting them access to the system.</li>
<li>The attacker leverages their unauthorized access to gain control over OPTIMAX functionalities.</li>
<li>The attacker can then modify control parameters, manipulate data, or disrupt operations within the connected industrial processes.</li>
</ol>
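<p>Added example, not ABB&rsquo;s code and not the specific OPTIMAX defect (which the advisory does not describe beyond CWE-303): the checks a relying party has to perform on an SSO ID token, shown as an insecure acceptor that trusts the decoded claims beside a verifier that pins the algorithm, checks the signature in constant time, and validates issuer, audience, expiry and not-before. It assumes JWT-format tokens and substitutes HS256 with a shared secret for Azure AD&rsquo;s RS256 keys published via JWKS, so that it needs only the standard library; the issuer URL, audience and secret are made up.</p>

```python
"""Added example, not ABB's code and not the OPTIMAX defect itself: the
checks an SSO relying party must make on an ID token, as an insecure
acceptor beside a correct verifier (CWE-303, the weakness class in the
advisory). HS256 with a shared secret stands in for Azure AD's RS256/JWKS
so the example is standard-library only; issuer, audience and secret are
made up."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-shared-secret"                              # stands in for the IdP key
EXPECTED_ISS = "https://login.microsoftonline.com/tenant-id/v2.0"  # hypothetical
EXPECTED_AUD = "optimax-client-id"                                 # hypothetical app id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = SECRET, alg: str = "HS256") -> str:
    """Produce a compact JWT; used for a legitimate token and for forgeries
    (wrong key, alg=none) that the verifier must reject."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def accept_insecure(token: str) -> dict:
    """The failure mode: decode the payload and trust it. No signature,
    issuer, audience or expiry check, so any self-minted token 'logs in'."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_id_token(token: str, now: float = None) -> dict:
    """Relying-party validation: exact algorithm pin, constant-time signature
    compare, then iss, aud, exp and nbf. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":        # never honour 'none' or a client-chosen alg
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if now < claims.get("nbf", 0):
        raise ValueError("not yet valid")
    return claims


def rejects(token: str, now: float) -> bool:
    """True if verify_id_token refuses the token."""
    try:
        verify_id_token(token, now=now)
    except ValueError:
        return True
    return False


def forgeries(base: dict, now: float) -> dict:
    """The classic bypass attempts, each minted from a legitimate claim set."""
    return {
        "wrong key": mint_token(dict(base, sub="admin"), key=b"attacker"),
        "alg none": mint_token(dict(base, sub="admin"), alg="none"),
        "wrong issuer": mint_token(dict(base, iss="https://idp.example")),
        "wrong audience": mint_token(dict(base, aud="other-app")),
        "expired": mint_token(dict(base, exp=now - 1)),
    }


if __name__ == "__main__":
    now = time.time()
    base = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "operator-1", "exp": now + 600}
    print("legitimate token accepted as:", verify_id_token(mint_token(base))["sub"])
    for label, tok in forgeries(base, now).items():
        print(f"{label:15s} insecure path sees sub={accept_insecure(tok)['sub']!r}, "
              f"verifier rejects={rejects(tok, now)}")
```

<p>With RS256 in production the signature step verifies against the key whose <code>kid</code> appears in the token header, fetched from the tenant&rsquo;s JWKS endpoint, and the remaining checks are unchanged. The forgeries minted under <code>__main__</code> (wrong key, <code>alg</code> set to <code>none</code>, wrong issuer, wrong audience, expired) are the ones an incorrectly implemented validator most commonly lets through.</p>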
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2025-14510 enables unauthorized access to ABB Ability OPTIMAX systems, potentially leading to severe consequences in critical infrastructure sectors such as energy, water, and wastewater. An attacker could manipulate industrial processes, disrupt critical services, or cause significant financial and operational damage. Given the widespread deployment of ABB Ability OPTIMAX systems globally, a successful campaign exploiting this vulnerability could have far-reaching impact.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Update ABB Ability OPTIMAX to a fixed release: 6.3.1-251120 or later on the 6.3 branch, or 6.4.1-251120 or later on the 6.4 branch. No fixed 6.1 or 6.2 release is listed, so installations on those versions need to move to a fixed 6.3 or 6.4 release to remediate CVE-2025-14510.</li>
<li>Refer to ABB PSIRT security advisory 9AKK108472A1331 for detailed mitigation steps and recommendations.</li>
<li>Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet, as per CISA&rsquo;s recommended practices.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication bypass</category><category>ics</category><category>vulnerability</category></item></channel></rss>