PostgreSQL vulnerabilities in ABB Ability™ Symphony® Plus Engineering

Plan Patch | CVSS 8.8 | 7paa017341 | Apr 13, 2026
ABB
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

ABB Ability™ Symphony® Plus S+ Engineering versions 2.2 through 2.4 SP2 contain multiple vulnerabilities in the embedded PostgreSQL database, version 13.11 and earlier (CWE-190 integer overflow, CWE-89 SQL injection, CWE-367 race conditions, CWE-271 privilege issues). An attacker with access to the site's S+ Client/Server network could exploit these vulnerabilities to execute arbitrary code and compromise the entire engineering system. ABB has released S+ Engineering 2.4 SP2 RU1 (December 2024) and later versions with a corrected PostgreSQL to address these issues.

What this means
What could happen
An attacker with access to your S+ Engineering network could exploit PostgreSQL vulnerabilities to run arbitrary code and take control of the entire engineering system, potentially allowing changes to control logic or shutdown of operations.
Who's at risk
This affects engineering teams using ABB Ability™ Symphony® Plus S+ Engineering versions 2.2 through 2.4 SP2 for control system configuration and programming. Any facility (water utilities, power generation, manufacturing) relying on ABB S+ Engineering for plant operations and process automation is potentially affected if it has not yet upgraded to 2.4 SP2 RU1 or later.
How it could be exploited
An attacker who has gained network access to your S+ Client/Server network (through either an internal compromise or a compromised connection from an engineering workstation) could exploit PostgreSQL vulnerabilities in versions 13.11 and earlier to execute arbitrary code with the database's privileges, leading to system compromise.
Prerequisites
  • Network access to the S+ Client/Server network from an internal or compromised engineering workstation
  • S+ Engineering version 2.2 through 2.4 SP2 running PostgreSQL 13.11 or earlier
  • Ability to reach the PostgreSQL database port from within the S+ network segment
  • remotely exploitable from internal networks
  • low complexity attack
  • high CVSS 8.8
  • affects engineering workstations and control system configuration
  • multiple vulnerability types (integer overflow, SQL injection, race conditions, privilege issues)
Exploitability
Some exploitation risk — EPSS score 1.6%
Affected products (8)
8 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| Ability™ Symphony® Plus S+ Engineering 2.2 | 2.2 | Fix available |
| Ability™ Symphony® Plus S+ Engineering 2.3 | 2.3 | Fix available |
| Ability™ Symphony® Plus S+ Engineering 2.3 RU1 | 2.3 RU1 | Fix available |
| Ability™ Symphony® Plus S+ Engineering 2.3 RU2 | 2.3 RU2 | Fix available |
| Ability™ Symphony® Plus S+ Engineering 2.3 RU3 | 2.3 RU3 | Fix available |
| Ability™ Symphony® Plus S+ Engineering 2.4 | 2.4 | Fix available |
| Ability™ Symphony® Plus S+ Engineering 2.4 SP1 | 2.4 SP1 | Fix available |
| Ability™ Symphony® Plus S+ Engineering 2.4 SP2 | 2.4 SP2 | Fix available |
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to restrict access to the S+ Client/Server network only to authorized engineering workstations and systems
HARDENING: Deploy perimeter firewall rules to prevent external access to S+ Client/Server network ports from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade all S+ Engineering installations from versions 2.2 through 2.4 SP2 to S+ Engineering 2.4 SP2 RU1 or later
HARDENING: Review and document all systems and workstations with network access to S+ Client/Server to identify unauthorized connections
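
To plan the maintenance-window upgrade, an asset inventory can be triaged against the version ranges stated above. The following is an added example, not ABB or advisory code; it assumes that SP and RU labels order releases within a minor version, and the hostnames and inventory rows are constructed sample data.

```python
import re

# Ranges as stated in the advisory text.
FIRST_AFFECTED = (2, 2, 0, 0)   # S+ Engineering 2.2
LAST_AFFECTED = (2, 4, 2, 0)    # S+ Engineering 2.4 SP2 (2.4 SP2 RU1 is the fix)
LAST_AFFECTED_PG = (13, 11)     # embedded PostgreSQL 13.11 and earlier

_VER = re.compile(r"^\s*(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+RU(\d+))?\s*$", re.I)

def parse_splus(version):
    """'2.4 SP2 RU1' -> (2, 4, 2, 1). Missing SP/RU parts count as 0."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unrecognised S+ Engineering version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_pg(version):
    """'13.11' -> (13, 11); only major.minor is compared."""
    major, minor = version.strip().split(".")[:2]
    return int(major), int(minor)

def triage(splus_version, pg_version=None):
    """Classify one install as 'affected', 'fixed', 'review' or 'not-listed'."""
    v = parse_splus(splus_version)
    if v < FIRST_AFFECTED:
        return "not-listed"      # older than any release the advisory names
    if v <= LAST_AFFECTED:
        return "affected"
    # Release is at or past the fix; cross-check the database version if known.
    if pg_version is not None and parse_pg(pg_version) <= LAST_AFFECTED_PG:
        return "review"          # inventory data disagrees, verify by hand
    return "fixed"

# Constructed inventory: (hostname, S+ Engineering version, PostgreSQL version).
INVENTORY = [
    ("eng-ws-01", "2.3 RU2", "13.8"),
    ("eng-ws-02", "2.4 SP2", "13.11"),
    ("eng-srv-01", "2.4 SP2 RU1", None),
    ("eng-srv-02", "2.4 SP2 RU1", "13.11"),
]

def upgrade_queue(inventory):
    """Hosts that need the maintenance-window upgrade or a manual check."""
    return [(host, triage(sp, pg)) for host, sp, pg in inventory
            if triage(sp, pg) != "fixed"]

if __name__ == "__main__":
    for host, status in upgrade_queue(INVENTORY):
        print(f"{host}: {status}")
```

A "not-listed" result means only that the advisory does not name that release, not that it is unaffected.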
PostgreSQL vulnerabilities in ABB Ability™ Symphony® Plus Engineering | CVSS 8.8 - OTPulse