CISA Issues Emergency Alert: Critical Vulnerabilities in ABB Terra AC Platform

Vulnerabilities Reporter

CISA warns that multiple zero‑day flaws in ABB Terra AC industrial control software (CVE‑2026‑XXXXX series) allow remote code execution and privilege escalation. CVSS scores range from 9.1 to 9.8. Immediate mitigation includes disabling affected services, applying vendor patches released May 2026, and isolating impacted networks.

CISA ALERT – Immediate Action Required

Impact:

  • ABB Terra AC 2024‑2025 releases are vulnerable.
  • Attackers can gain unauthenticated remote code execution (RCE).
  • Threat actors can pivot to critical plant control systems.
  • Potential shutdown of power distribution, water treatment, and manufacturing lines.

Technical Details:

  • CVE‑2026‑00123 – Buffer overflow in the Modbus TCP listener. Exploits allow arbitrary shellcode injection. CVSS 9.8 (Critical).
  • CVE‑2026‑00124 – Improper input validation in the web‑based HMI configuration API. Auth bypass leads to admin‑level commands. CVSS 9.1 (Critical).
  • CVE‑2026‑00125 – Privilege escalation via crafted OPC UA packets. Elevates low‑privilege user to SYSTEM. CVSS 9.3 (Critical).

The vulnerabilities stem from legacy C++ modules that were not hardened for modern threat models. The affected binaries are terraac_modbus.dll, terraac_hmi.exe, and terraac_opcua.dll. All versions from 4.2.0 through 5.1.3 are impacted.

Why It Matters: Industrial control systems (ICS) rely on Terra AC for real‑time monitoring and protection. A successful exploit can:

  1. Shut down critical infrastructure.
  2. Corrupt process data, leading to safety hazards.
  3. Provide a foothold for ransomware operators.

Recent threat intel shows a state‑aligned group has begun probing for these flaws in the wild, targeting energy utilities in the Midwest.

Mitigation Steps:

  1. Isolate affected devices from the corporate network. Use VLAN segmentation and firewalls to block inbound traffic on ports 502 (Modbus) and 4840 (OPC UA).
  2. Disable the Modbus TCP listener if not required. Edit terraac.conf to set modbus_enabled = false and restart the service.
  3. Apply the patches released by ABB on 2026‑05‑15. Download them from the ABB Security Advisory portal. The patch bundle includes updated binaries and a hardened configuration script.
  4. Verify patch installation with the command terraac --version. Confirm the version shows 5.2.0‑patch1 or later.
  5. Audit user accounts. Remove any default credentials and enforce MFA on all remote access tools.
  6. Monitor network traffic for anomalous Modbus or OPC UA packets. Deploy IDS signatures from the MITRE ATT&CK® repository.
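As an added illustration of step 6, not code from the advisory or from ABB, the following Python check applies basic Modbus/TCP frame sanity rules (declared length matching the bytes on the wire, the protocol's length maximum, and a site function-code allow-list) to a few constructed frames; the allow-list and the sample frames are assumptions, not captured traffic.

```python
import struct

# Modbus/TCP framing: the 7-byte MBAP header is transaction id (2), protocol id
# (2, always 0 for Modbus), length (2) and unit id (1). The length field counts
# unit id + PDU, and a PDU is at most 253 bytes, so the field may not exceed 254.
MBAP_LEN = 7
MAX_DECLARED_LENGTH = 254
# Assumed site allow-list: the standard coil/register read and write codes.
ALLOWED_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16}


def check_modbus_frame(frame: bytes) -> list:
    """Return a list of anomaly descriptions for one frame; empty means it looks sane."""
    findings = []
    if len(frame) < MBAP_LEN + 1:
        return ["truncated: shorter than MBAP header plus function code"]
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        findings.append(f"protocol id {proto} is not Modbus (expected 0)")
    if length > MAX_DECLARED_LENGTH:
        findings.append(f"declared length {length} exceeds the Modbus/TCP maximum of {MAX_DECLARED_LENGTH}")
    on_wire = len(frame) - 6  # bytes that follow the length field
    if length != on_wire:
        findings.append(f"declared length {length} does not match {on_wire} bytes on the wire")
    fc = frame[MBAP_LEN]
    if fc not in ALLOWED_FUNCTION_CODES:
        findings.append(f"function code 0x{fc:02x} is not on the allow-list")
    return findings


def flag_anomalous(frames) -> dict:
    """Map the index of every frame that produced findings to those findings."""
    result = {}
    for i, frame in enumerate(frames):
        findings = check_modbus_frame(frame)
        if findings:
            result[i] = findings
    return result


# Constructed sample traffic (assumed, not captured from any real device).
SAMPLE_FRAMES = [
    # Well-formed Read Holding Registers (fc 3): 10 registers from address 0.
    b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a",
    # Length field 0x0fff: beyond the protocol maximum and the actual payload.
    b"\x00\x02\x00\x00\x0f\xff\x01\x03\x00\x00\x00\x00",
    # Correct length, but a vendor-specific function code (0x5a).
    b"\x00\x03\x00\x00\x00\x02\x01\x5a",
    # Truncated header.
    b"\x00\x04\x00\x00",
]
```

Running `flag_anomalous(SAMPLE_FRAMES)` reports frames 1, 2 and 3; the well-formed read in frame 0 produces no findings.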

Timeline:

  • 2026‑05‑10 – Vulnerabilities discovered by independent researcher.
  • 2026‑05‑12 – ABB issues advisory, begins internal testing.
  • 2026‑05‑15 – Patches released to customers.
  • 2026‑05‑18 – CISA publishes emergency directive, mandates mitigation for all federal entities.

What Organizations Must Do:

  • Federal agencies must report remediation status to CISA within 48 hours.
  • Private sector operators handling critical infrastructure should treat this as a high‑severity incident and follow the same timeline.
  • Document all actions in your incident response log for audit purposes.

Resources:

Bottom Line: Do not wait. The exploit chain is fully public and active. Apply patches, disable unnecessary services, and isolate affected systems now.
