Lite Panel Pro Vulnerability in Session Management
CVSS 6.7 · 2crt000008 · Jun 26, 2025
Vendor: ABB
Attack path
- Attack Vector: Adjacent
- Auth Required: Low
- Complexity: Low
- User Interaction: Required
Summary
A session management vulnerability in ABB Lite Panel Pro (version 1.0.1 and earlier) allows an attacker with local network access to gain unauthorized access during a limited time window. The vulnerability is caused by improper session handling, potentially allowing attackers to bypass authentication or hijack existing sessions. ABB has released a fix in version 1.1.0.
What this means
What could happen
An attacker with local network access could gain unauthorized access to the Lite Panel Pro HMI during a brief time window, potentially allowing them to view sensitive data or manipulate the interface controlling your process.
Who's at risk
Water and electric utilities running ABB Lite Panel Pro HMI devices (version 1.0.1 and earlier) should prioritize this update. The Lite Panel Pro is commonly deployed as an operator interface for SCADA and process control systems in municipal water treatment, wastewater, and power distribution operations.
How it could be exploited
An attacker on the local network could exploit a session management flaw to bypass authentication or hijack an active session, gaining temporary unauthorized access to the HMI interface without valid credentials.
Prerequisites
- Local network access to the Lite Panel Pro device
- Ability to interact with the device during the active session window
Tags: local network access required · requires user interaction · no authentication required during exploitation window · affects human-machine interface (HMI)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product          Affected Versions   Fixed in
Lite Panel Pro   ≤ 1.0.1             1.1.0
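As an added example (this is not code from the advisory or from ABB), the script below triages a firmware inventory against the affected range in the table above. It parses dotted firmware versions numerically instead of comparing strings (so "1.0.10" is not mistaken for an older release than "1.0.2"), flags anything at or below 1.0.1 as affected, and reports builds that fall between the last listed affected release and the 1.1.0 fix, or pre-release builds of 1.1.0, as "verify" rather than silently treating them as safe. The inventory records and hostnames are constructed for illustration.

```python
"""Triage an HMI firmware inventory against the Lite Panel Pro advisory.

Added example; not part of the advisory or ABB's tooling. The affected
range (<= 1.0.1) and fix version (1.1.0) come from the advisory table;
the inventory below is constructed sample data.
"""
from __future__ import annotations

import re

AFFECTED_PRODUCT = "Lite Panel Pro"
LAST_AFFECTED = (1, 0, 1)   # "≤ 1.0.1" in the affected-products table
FIXED_IN = (1, 1, 0)        # fix released in firmware 1.1.0

# Constructed sample inventory: (hostname, product, firmware version string)
INVENTORY = [
    ("hmi-wtp-01", "Lite Panel Pro", "1.0.1"),
    ("hmi-wtp-02", "Lite Panel Pro", "1.0.0"),
    ("hmi-sub-07", "Lite Panel Pro", "1.1.0"),
    ("hmi-sub-08", "Lite Panel Pro", "1.0.10"),    # string-sorts below "1.0.2"
    ("hmi-lab-01", "Lite Panel Pro", "1.1.0-rc1"),  # pre-release of the fix
    ("hmi-other-1", "Other Panel", "3.5.0"),        # different product, out of scope
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> tuple[int, int, int]:
    """Return the leading major.minor.patch of a firmware string as integers.

    Any suffix after the third number (e.g. "-rc1") is ignored here; the
    caller decides how to treat pre-release builds.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def triage(product: str, version: str) -> str:
    """Classify one device: not-applicable, affected, fixed, or verify."""
    if product != AFFECTED_PRODUCT:
        return "not-applicable"
    v = parse_version(version)
    prerelease = "-" in version
    if v <= LAST_AFFECTED:
        return "affected"
    if v > FIXED_IN or (v == FIXED_IN and not prerelease):
        return "fixed"
    # Newer than the last listed affected release but not the released fix:
    # the advisory does not cover this build, so confirm with the vendor.
    return "verify"


def triage_inventory(inventory: list[tuple[str, str, str]]) -> dict[str, str]:
    """Map each hostname in the inventory to its triage status."""
    return {host: triage(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    for host, status in sorted(triage_inventory(INVENTORY).items()):
        print(f"{host:12} {status}")
```

Feed it the real inventory export by replacing INVENTORY; hosts reported as "affected" belong in the maintenance-window patch list below, and "verify" hosts need confirmation from ABB before being marked safe.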
Remediation & Mitigation
Do now
- HARDENING: Review and apply the defensive measures outlined in the 'Mitigation factors' section of the Lite Panel Pro instruction manual
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update Lite Panel Pro to firmware version 1.1.0 or later from the official ABB product website
Long-term hardening
- HARDENING: Implement network segmentation so that local network access to the Lite Panel Pro is restricted to authorized engineering and operations personnel only
CVEs (1)