ABB B&R Automation Runtime DoS Vulnerability in System Diagnostics Manager (SDM)

Cybersecurity Reporter

A newly disclosed denial‑of‑service flaw in ABB’s B&R Automation Runtime, specifically within the System Diagnostics Manager (SDM) component, could allow remote attackers to halt industrial controllers. The vulnerability stems from unchecked input handling in the SDM’s diagnostic web service, and CISA has issued an alert urging operators to apply the vendor’s patch and adopt hardening measures.

What happened

The Cybersecurity and Infrastructure Security Agency (CISA) released an advisory on June 24, 2026 describing a critical denial‑of‑service (DoS) vulnerability in the System Diagnostics Manager (SDM) module of ABB B&R Automation Runtime. The flaw, tracked as CVE‑2026‑XXXXX, resides in the HTTP‑based diagnostic endpoint that industrial controllers expose for remote health monitoring. An unauthenticated attacker can send a specially crafted request that triggers an integer overflow in the request parser, causing the SDM service to enter an unrecoverable state and terminate the runtime process. When the runtime stops, the underlying PLC logic halts, effectively taking the controlled equipment offline.

The advisory notes that the vulnerability is rated 9.8/10 on the CVSS v3.1 scale, primarily because exploitation requires no credentials and can be performed over the network segment that typically houses supervisory control and data acquisition (SCADA) systems. The affected versions are B&R Automation Runtime 4.2.0 through 4.3.5.

Who's responsible

The vulnerability was discovered by the independent security research team ZeroDay Labs during a routine assessment of industrial control system (ICS) exposure. Their report was disclosed responsibly to ABB in early May 2026, and ABB issued a security advisory and a patch (version 4.3.6) on June 12, 2026. No evidence suggests that any nation‑state or criminal group has weaponized the flaw in the wild, but the open nature of the diagnostic service makes it an attractive entry point for opportunistic actors seeking to disrupt production lines.

What it means

For operators of manufacturing plants, water treatment facilities, and other environments that rely on B&R controllers, the impact is immediate and tangible:

  • Production downtime – A halted controller forces a stop to the entire automation sequence, potentially causing missed output targets and financial loss.
  • Safety implications – In processes where the controller coordinates interlocks or emergency shutdowns, an unexpected stop could leave equipment in an unsafe state until manual intervention restores control.
  • Supply‑chain ripple effects – Many OEMs embed B&R runtime in their own products. A vulnerability in the base runtime propagates to downstream devices, expanding the attack surface across multiple industries.

The advisory also highlights that the SDM service is often left exposed on the plant’s internal network to facilitate remote diagnostics. If network segmentation is lax, an attacker who has compromised a less‑privileged host can reach the vulnerable endpoint without needing to breach additional firewalls.

What to do

Immediate actions

  1. Identify affected devices – Use asset inventory tools to locate all installations running B&R Automation Runtime versions 4.2.0‑4.3.5. ABB provides a searchable CPE list that can be imported into vulnerability scanners.
  2. Apply the vendor patch – Upgrade to Automation Runtime 4.3.6 or later. The patch addresses the integer overflow by adding bounds checking and sanitizing the request payload. ABB’s patch release notes include step‑by‑step instructions for both on‑prem and remote update scenarios.
  3. Block external access to SDM – If the diagnostic service is not required for day‑to‑day operations, disable the HTTP listener or restrict it to a management VLAN using firewall ACLs.
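
An added example (not ABB tooling or code from the advisory) of the identification step: it triages an asset inventory export against the affected range 4.2.0 through 4.3.5 and lists SDM-enabled hosts first. The CSV column names and host names are assumptions constructed for illustration.

```python
import csv
import io
import re

AFFECTED_MIN = (4, 2, 0)   # first affected version per the advisory text
AFFECTED_MAX = (4, 3, 5)   # last affected version; 4.3.6 carries the fix

# Constructed sample inventory export; column names are assumptions.
SAMPLE_INVENTORY = """host,runtime_version,sdm_enabled
plc-line1,4.3.5,yes
plc-line2,4.3.6,yes
plc-pump7,v4.2.0,no
plc-mixer3,4.1.9,yes
plc-legacy,unknown,yes
plc-pack2,4.3,yes
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not x.y[.z]."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version_text):
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # needs a manual check, never assumed safe
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    return "patched" if v > AFFECTED_MAX else "out-of-range"

def triage(inventory_csv):
    """Return rows needing action, SDM-enabled affected hosts first."""
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["runtime_version"])
        if status in ("affected", "unknown"):
            sdm = row["sdm_enabled"].strip().lower() == "yes"
            rows.append((row["host"], status, sdm))
    # Sort: affected before unknown, SDM enabled before disabled, then name.
    rows.sort(key=lambda r: (r[1] != "affected", not r[2], r[0]))
    return rows

if __name__ == "__main__":
    for host, status, sdm in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:9} sdm_enabled={sdm}")
```

Versions are compared as integer tuples because a plain string comparison would sort "4.10.0" below "4.3.5" and misreport it as affected.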

Longer‑term hardening

  • Network segmentation – Place controllers on a dedicated control network isolated from corporate IT and the internet. Use unidirectional gateways where feasible to limit inbound traffic.
  • TLS enforcement – Configure SDM to require TLS 1.2 or higher for all connections. ABB’s runtime supports mutual TLS; deploying client certificates adds a strong authentication layer.
  • Monitoring and logging – Enable detailed logging of SDM requests and forward logs to a centralized SIEM. Look for repeated malformed requests or spikes in 5xx response codes, which can indicate probing attempts.
  • Periodic vulnerability scanning – Incorporate the B&R runtime version check into regular OT vulnerability assessments. Automation tools such as Tenable.ot can flag outdated firmware before it becomes exploitable.
  • Incident response playbook – Update your OT incident response procedures to include a specific run‑book for runtime crashes. Document steps for safely restarting controllers and verifying safe states after a forced reboot.
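
An added example (not vendor code) of the monitoring bullet above: a per-source sliding-window check for repeated malformed requests and 5xx responses in SDM request logs. The log format, the `/sdm/...` paths, the window and the threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed look-back window
THRESHOLD = 3                    # assumed error count that raises an alert

# Constructed lines, assumed format: time source method path status (placeholder paths).
SAMPLE_LOG = """\
2026-06-25T10:00:01 10.20.1.15 GET /sdm/status 200
2026-06-25T10:00:05 10.20.9.77 POST /sdm/diag 400
2026-06-25T10:00:09 10.20.9.77 POST /sdm/diag 400
2026-06-25T10:00:12 10.20.1.15 GET /sdm/status 200
2026-06-25T10:00:20 10.20.9.77 POST /sdm/diag 500
2026-06-25T10:00:21 10.20.1.15 GET /sdm/status 503
2026-06-25T10:05:00 10.20.1.15 GET /sdm/status 500
this line is truncated
"""

def is_suspect(status):
    """400 = rejected malformed request; 5xx = service-side failure."""
    return status == 400 or 500 <= status <= 599

def detect(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {source: first alert time} for sources whose suspect
    responses reach the threshold inside one sliding window."""
    recent = defaultdict(deque)   # source -> timestamps of suspect responses
    alerts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue              # skip lines that do not match the format
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        src, status = parts[1], int(parts[4])
        if not is_suspect(status):
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts

if __name__ == "__main__":
    for src, when in detect(SAMPLE_LOG).items():
        print(f"ALERT {src}: {THRESHOLD}+ malformed/5xx responses by {when}")
```

In the sample, the source with two isolated 5xx responses five minutes apart stays below the threshold, while the source sending three failing requests within 15 seconds is flagged.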

By promptly patching, tightening network controls, and enhancing visibility into diagnostic traffic, organizations can mitigate the immediate risk posed by this DoS flaw and reduce the attack surface for future threats.
