Security Experts:

Connect with us

Hi, what are you looking for?



ABB Patches Many Vulnerabilities in HMI Products

Swiss industrial tech company ABB has patched a dozen vulnerabilities, including serious issues, in some of its human-machine interface (HMI) products.

Swiss industrial tech company ABB has patched a dozen vulnerabilities, including serious issues, in some of its human-machine interface (HMI) products.

Researchers at xen1thLabs, the labs unit of UAE-based cybersecurity firm DarkMatter, discovered 12 vulnerabilities that can be used to bypass authentication, execute arbitrary code, and gain access to information.

The vulnerabilities impact CP635 and CP651 control panels used as HMIs for ABB automation systems, and the PB610 Panel Builder 600 engineering tool for designing HMI applications.ABB HMI

xen1thLabs has described the security holes in 8 advisories and ABB has covered the flaws across 3 advisories (ABB CP635 HMI, ABB PB610, ABB CP651 HMI).

The security holes are related to outdated software components with known vulnerabilities, hardcoded credentials that provide admin access, weaknesses in software update mechanisms, a path traversal that allows access to folders on the FTP server, denial-of-service (DoS) issues, and code execution flaws that can be exploited by unauthenticated attackers by sending specially crafted requests.

“An attacker who successfully exploited this vulnerability could prevent legitimate access to an affected system node, remotely cause an affected system node to stop, take control of an affected system node or insert and run arbitrary code in an affected system node,” the vendor wrote in the advisories covering the control panel flaws.

Learn More About HMI Flaws at SecurityWeek’s 2019 ICS Cyber Security Conference

If a vulnerable system is connected to a network, an attacker with access to the network can exploit the flaws. If the system is isolated from an organization’s network, launching an attack requires physical access to the affected device.

“Recommended practices include that process control sys-tems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed,” ABB said.

According to the vendor, there is no evidence that the details of the vulnerabilities had been made public before their official disclosure or that any of them had been exploited for malicious purposes.

The advisories from xen1thLabs show that the vulnerabilities were reported to ABB in early February and patches were released in early June. The advisories include both technical details and proof-of-concept (PoC) code.

Related: Serious Flaws Found in ABB Safety PLC Gateways

Related: Critical Flaws Expose ABB Door Communication Systems to Attacks

Related: ABB to Patch Code Execution Flaw in HMI Tool

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.