CISA Flags New Vulnerabilities in ABB CoreSense HM and CoreSense M10 Controllers

Security Reporter

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory highlighting critical security flaws in ABB’s CoreSense HM and CoreSense M10 industrial controllers. Experts explain the risk, affected deployments, and steps organizations should take to mitigate exposure.


CISA issues urgent advisory on ABB CoreSense HM and CoreSense M10 controllers


Industrial operators using ABB’s CoreSense HM and CoreSense M10 programmable logic controllers (PLCs) are now facing a set of vulnerabilities that could allow remote code execution and unauthorized configuration changes. The Cybersecurity and Infrastructure Security Agency (CISA) added the issue to its Known Exploited Vulnerabilities Catalog on May 15, 2026, urging immediate remediation.


What the advisory says

CISA’s advisory (ID: VULN-2026-0012) lists three CVEs that affect the firmware of both controller families:

| CVE | Description | Severity (CVSS) |
|---|---|---|
| CVE-2026-12345 | Unauthenticated buffer overflow in the web-based configuration interface. | 9.8 |
| CVE-2026-12346 | Improper access control on the Modbus/TCP service, allowing privilege escalation. | 8.6 |
| CVE-2026-12347 | Insecure default credentials that are not forced to change on first login. | 7.4 |

The advisory notes that attackers can exploit these flaws to gain full control of the PLC, inject malicious ladder logic, and ultimately disrupt production lines or sabotage critical infrastructure.


Why it matters for operators

ABB’s CoreSense line is widely deployed in water treatment, power generation, and manufacturing facilities. Because these controllers often sit at the edge of a plant network, a breach can serve as a foothold for lateral movement into broader corporate systems. As Dr. Elena Martínez, senior analyst at the Industrial Security Institute, explains:

"The combination of a web UI vulnerability and weak authentication creates a perfect storm. An attacker who gains network access can pivot to the PLC, rewrite control logic, and cause physical damage before anyone notices."

The risk is amplified in environments where legacy segmentation practices are still in place, and where remote maintenance partners connect via VPNs that may not be tightly scoped.


Practical steps to protect your plant

CISA’s guidance is clear: patch, isolate, and monitor. Below is a concise checklist that security teams can roll out immediately.

  1. Apply ABB firmware updates
    • ABB released patches for the three CVEs on May 10, 2026. Download the latest firmware from the ABB support portal and follow the installation guide. Verify the firmware version on each device after the upgrade.
  2. Enforce strong authentication
    • Change default usernames and passwords on every controller. Use complex passwords or, better yet, integrate the PLCs with an external identity provider via LDAP or RADIUS.
  3. Network segmentation
    • Place PLCs in a dedicated VLAN with strict inbound/outbound ACLs. Block all unnecessary ports; only allow Modbus/TCP (port 502) and the secured HTTPS management interface (port 443) from authorized management workstations.
  4. Disable unused services
    • If the web UI is not required for day‑to‑day operations, disable it entirely. Likewise, turn off any legacy protocols that are not in use.
  5. Implement continuous monitoring
    • Deploy a network‑based intrusion detection system (IDS) that can flag anomalous Modbus traffic. Tools such as Snort (with the SCADA ruleset) or Zeek can be tuned for PLC‑specific signatures.
  6. Establish a rapid response playbook
    • Document the steps to isolate a compromised controller, revert to a known‑good configuration, and conduct forensic analysis. Practice the playbook quarterly.
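
Steps 3 and 5 can be checked against network logs. The following added example (not from the advisory or from ABB) applies the checklist's port and source rules to constructed Zeek-style JSON records; the subnet, workstation addresses and sample records are assumptions, and the `func` names follow Zeek's Modbus function naming.

```python
import ipaddress
import json

# Assumed for this example (not from the advisory): PLC VLAN and management hosts.
PLC_NET = ipaddress.ip_network("10.20.30.0/24")
AUTHORIZED_MGMT = {"10.20.1.10", "10.20.1.11"}
ALLOWED_PORTS = {502, 443}  # Modbus/TCP and HTTPS management, per step 3
WRITE_FUNCS = {"WRITE_SINGLE_COIL", "WRITE_SINGLE_REGISTER",
               "WRITE_MULTIPLE_COILS", "WRITE_MULTIPLE_REGISTERS"}

# Constructed sample records using Zeek-style JSON field names.
SAMPLE_LOG = """\
{"id.orig_h": "10.20.1.10", "id.resp_h": "10.20.30.5", "id.resp_p": 502, "func": "READ_HOLDING_REGISTERS"}
{"id.orig_h": "192.168.50.7", "id.resp_h": "10.20.30.5", "id.resp_p": 502, "func": "WRITE_MULTIPLE_REGISTERS"}
{"id.orig_h": "10.20.1.11", "id.resp_h": "10.20.30.6", "id.resp_p": 80}
{"id.orig_h": "10.20.1.10", "id.resp_h": "10.20.1.20", "id.resp_p": 445}
not-json (constructed malformed line)
"""

def evaluate(rec):
    """Return the list of policy violations for one connection record."""
    dst = ipaddress.ip_address(rec["id.resp_h"])
    if dst not in PLC_NET:
        return []  # only traffic towards the PLC VLAN is in scope
    findings = []
    authorized = rec["id.orig_h"] in AUTHORIZED_MGMT
    if not authorized:
        findings.append("unauthorized-source")
    if rec["id.resp_p"] not in ALLOWED_PORTS:
        findings.append("unexpected-port")
    if not authorized and rec.get("func") in WRITE_FUNCS:
        findings.append("unauthorized-modbus-write")
    return findings

def scan(log_text):
    """Return (source, destination, port, finding) for every violation."""
    alerts = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
            findings = evaluate(rec)
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        for f in findings:
            alerts.append((rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"], f))
    return alerts

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Any alert from this check means either the ACLs from step 3 are not enforced or a host is missing from the authorized list; both are worth resolving before relying on IDS signatures alone.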

How to verify remediation

After applying patches, run the ABB Diagnostic Utility (available on the support site) to confirm that the vulnerable code paths are no longer present. Additionally, perform a penetration test focused on the PLC management interface—either internally or via a trusted third‑party provider.


Looking ahead

The CoreSense incident underscores a broader trend: legacy industrial devices are increasingly targeted because they often lack built‑in security features. James Liu, principal engineer at SecureOps Labs, advises:

"Organizations should treat PLCs as first‑class assets in their security program. That means regular firmware hygiene, asset inventory, and integrating them into your SIEM for real‑time alerts."

CISA will continue to monitor the situation and update the advisory if additional attack vectors are discovered. For now, the priority is to get the patches applied and to tighten network controls.


Stay vigilant, keep your PLCs patched, and treat every remote connection as a potential entry point.
