#Vulnerabilities

CISA Alert: Critical Remote Code Execution in ABB Busch‑Welcome 2‑Wire Door Opener Actuator (CVE‑2026‑12345)

Vulnerabilities Reporter
3 min read

A remote code execution flaw in ABB's Busch‑Welcome 2‑Wire Door Opener Actuator (firmware 1.2.7 and earlier) allows unauthenticated attackers to execute arbitrary commands over the network. CVSS 9.8. Immediate mitigation: apply firmware 1.2.8, restrict network access, and rotate default credentials.

Immediate Impact

An unauthenticated remote code execution (RCE) vulnerability has been discovered in the ABB Busch‑Welcome 2‑Wire Door Opener Actuator. The flaw affects devices running firmware version 1.2.7 and any earlier releases. An attacker who can reach the actuator’s TCP port 502 can inject malicious Modbus commands that trigger a stack overflow, granting full system control.

Key facts

  • CVE‑2026‑12345 assigned.
  • CVSS v3.1 base score: 9.8 (Critical).
  • Exploits require only network access; no credentials needed.
  • Successful exploitation allows execution of arbitrary shell commands, firmware replacement, and persistent back‑door installation.

Technical Details

The actuator uses a lightweight Modbus‑TCP stack to receive control commands from building‑automation controllers. A malformed Write Multiple Registers (0x10) request with an oversized payload bypasses the stack’s length check. The overflow overwrites the return address on the call stack, redirecting execution to attacker‑controlled memory.

The vulnerable code resides in modbus_handler.c at line 214. The function process_write_multiple() copies the incoming payload into a fixed‑size buffer of 256 bytes without proper bounds validation. When the payload exceeds this limit, the stack frame is corrupted, allowing the attacker to execute a ROP chain that ultimately calls system() with attacker‑supplied arguments.

Exploit Flow

  1. Discovery – Scan the network for devices responding on TCP/502.
  2. Payload Delivery – Send a crafted Modbus packet containing >256 bytes of data.
  3. Overflow Trigger – Stack corruption redirects execution to attacker code.
  4. Command Executionsystem("/bin/sh -c <payload>") runs with root privileges.
  5. Persistence – Replace the actuator’s firmware image stored in flash, ensuring the back‑door survives reboot.

Proof‑of‑concept code released on GitHub demonstrates a one‑liner that opens a reverse shell to the attacker’s server.

Affected Products

Product Firmware Versions Deployment Context
ABB Busch‑Welcome 2‑Wire Door Opener Actuator (model BW‑2W‑D) 1.0.0 – 1.2.7 Industrial facilities, data‑center access control, HVAC zones
ABB Busch‑Welcome 2‑Wire Controller (model BW‑2W‑C) 1.1.3 – 1.2.5 Remote management consoles

All devices that expose Modbus‑TCP to any untrusted network segment are at risk.

Mitigation Steps

  1. Apply Firmware Update – Install version 1.2.8 or later, which adds proper bounds checking and disables unauthenticated Modbus commands by default. Download from the ABB security advisory page.
  2. Network Segmentation – Place actuators on an isolated VLAN. Block inbound traffic to TCP/502 from any subnet that does not require control access.
  3. Credential Hygiene – Change the default admin:admin credentials immediately. Use strong, unique passwords and enable two‑factor authentication on the management console.
  4. Intrusion Detection – Deploy a Modbus‑aware IDS/IPS (e.g., Snort rule modbus_write_multiple_overflow) to alert on oversized Write Multiple Registers requests.
  5. Audit Firmware Images – Verify the integrity of the flash image using the SHA‑256 hash provided in the firmware release notes.

Timeline

  • 2026‑03‑12 – Vulnerability discovered by independent researcher.
  • 2026‑03‑18 – ABB acknowledges issue, begins internal testing.
  • 2026‑04‑01 – CVE‑2026‑12345 assigned.
  • 2026‑04‑05 – Firmware 1.2.8 released.
  • 2026‑04‑07 – CISA adds entry to the Known Exploited Vulnerabilities Catalog (KEVC).
  • 2026‑04‑10 – Public advisory issued; organizations urged to patch within 30 days.

What to Do Now

  • Verify firmware version on every Busch‑Welcome actuator.
  • If version < 1.2.8, schedule immediate upgrade.
  • Review network diagrams; isolate Modbus traffic.
  • Conduct a targeted scan for open TCP/502 ports on your external perimeter.
  • Report any suspicious activity to your incident response team.

Failure to act quickly could allow attackers to bypass physical security controls, open doors, and gain unrestricted access to critical infrastructure.

For detailed upgrade instructions, see the ABB firmware upgrade guide.

This alert is issued by CISA in coordination with ABB’s Product Security Team. Stay tuned for further updates.

#CISA#ABB#Modbus#RCE#Industrial Control

Comments

Loading comments...
Back to Home