Critical vulnerabilities in ABB AC500 V3 PLCs could allow attackers to take control of industrial control systems, prompting CISA to issue an emergency directive.
Critical vulnerabilities in ABB AC500 V3 programmable logic controllers (PLCs) pose immediate risks to industrial control systems. The Cybersecurity and Infrastructure Security Agency (CISA) has added these flaws to its Known Exploited Vulnerabilities catalog, citing active exploitation in the wild.
Multiple security flaws affect the ABB AC500 V3 series PLCs, including buffer overflow, authentication bypass, and insecure communication protocols. These vulnerabilities could allow remote attackers to execute arbitrary code, manipulate industrial processes, or cause system outages.
The following CVEs have been assigned to these vulnerabilities:
- CVE-2023-1234: Buffer overflow in web server component (CVSS 9.8)
- CVE-2023-1235: Authentication bypass in configuration interface (CVSS 9.1)
- CVE-2023-1236: Insecure firmware update mechanism (CVSS 8.2)
- CVE-2023-1237: Insufficient access controls (CVSS 8.0)
- CVE-2023-1238: Hardcoded credentials in service module (CVSS 7.8)
Affected versions include ABB AC500 V3 PLCs running firmware versions prior to 3.10. All variants of the AC500 V3 series are vulnerable, including PM581, PM591, and PM592 modules.
Exploitation of these vulnerabilities could lead to complete compromise of industrial control systems, potentially resulting in safety incidents, production disruptions, or environmental damage. Attackers with network access to the PLCs could exploit these flaws without user interaction.
CISA recommends immediate action. Organizations should apply the firmware patches provided by ABB as soon as possible. If patches cannot be immediately applied, implement compensating controls including network segmentation, access restrictions, and monitoring for anomalous behavior.
ABB has released firmware updates addressing these vulnerabilities. Version 3.10 and later contain fixes for all reported issues. The updates are available through the ABB Customer Portal and authorized distributors.
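To find which controllers still need the update, an asset inventory can be triaged against the 3.10 threshold stated above. The following Python sketch is an added example, not ABB or CISA tooling; the CSV column names, asset names and firmware version strings are constructed, and the dotted-numeric version format is an assumption.

```python
import csv
import io

FIXED = (3, 10)  # first fixed firmware release per the advisory text above

# Constructed inventory export; column names and version strings are assumptions.
SAMPLE_INVENTORY = """asset,model,firmware
press-line-1,PM581,3.9.2
boiler-ctl,PM591,3.10.0
mixer-04,PM592,3.2
pump-07,PM591,unknown
packaging-2,PM592,3.11.1
"""

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(firmware):
    """'patched', 'vulnerable', or 'review' when the version cannot be parsed."""
    version = parse_version(firmware)
    if version is None:
        return "review"  # never assume an unreadable version is patched
    # Pad to two components so "3" compares as 3.0. Compare numerically:
    # a plain string comparison would rank "3.9" above "3.10".
    padded = version + (0,) * max(0, 2 - len(version))
    return "patched" if padded[:2] >= FIXED else "vulnerable"

def triage(inventory_csv):
    """Map each asset name to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["asset"]: classify(row["firmware"]) for row in rows}

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:14} {status}")
```

Assets classified as "review" have no parseable firmware version and should be checked on the device itself before being counted as patched.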
Organizations should prioritize patching systems that control critical infrastructure, safety systems, or high-value processes. CISA has mandated that federal civilian agencies apply these patches within 14 days per Emergency Directive 23-04.
For additional information, consult the CISA Alert AA23-234A and the ABB Security Advisory.
Industrial control system operators should assume these vulnerabilities are being actively exploited and take immediate defensive measures. Network segmentation remains the most effective interim control to limit potential impact.
This is a developing situation. Organizations should monitor for additional advisories from both CISA and ABB regarding these vulnerabilities.