FLXeon Controllers Cyber Security Advisory

Act Now109akk108470a5684Jan 20, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Vulnerabilities in ABB FLXEON controllers (FBXi, FBVi, FBTi, CBXi firmware versions 9.3.4 and earlier) allow an attacker with network access to execute arbitrary code and take remote control of the device. The vulnerabilities stem from command injection and improper code execution handling (CWE-77, CWE-1385) as well as information disclosure (CWE-532). While ABB states the devices are not intended to be internet-facing, exploitation occurs when controllers are misconfigured with direct internet exposure or port forwarding. An attacker can insert and run arbitrary commands on the affected device, potentially compromising critical automation functions.

What this means

What could happen

An attacker with network access to a misconfigured FLXEON controller could execute arbitrary code and take remote control of the device, potentially altering process setpoints, stopping operations, or disrupting critical automation functions in water treatment, electric distribution, or other industrial processes.

Who's at risk

This affects organizations operating ABB FLXEON controllers (FBXi, FBVi, FBTi, CBXi models), including water utilities, electric utilities, and industrial automation systems that rely on these devices for process control. The risk is highest for any facility that has exposed these controllers to the internet or implemented port forwarding to allow remote access.

How it could be exploited

An attacker exploits command injection or code execution vulnerabilities (CWE-77, CWE-1385) by sending crafted network requests to a FLXEON controller that is exposed to the internet, improperly configured with port forwarding, or accessible from an untrusted network. The attacker gains remote code execution and can take control of the device.

Prerequisites

Network access to the FLXEON controller
Device running vulnerable firmware version 9.3.4 or earlier
Device exposed to internet, misconfigured with NAT port forwarding, or on an untrusted network
No authentication required

Remotely exploitableNo authentication requiredLow complexity attackRemote code execution and device takeover possibleHigh CVSS 10.0 scoreVendor requires network misconfiguration for exploitation but misconfiguration is common in real-world deploymentsAffects critical automation and control functions

Exploitability

Moderate exploit probability (EPSS 4.2%)

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

FBXi Firmware≤ 9.3.49.3.5

FBVi Firmware≤ 9.3.49.3.5

FBTi Firmware≤ 9.3.49.3.5

CBXi Firmware≤ 9.3.49.3.5

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDImmediately disconnect any FLXEON devices that are directly exposed to the internet or have internet-facing port forwarding rules configured

HARDENINGIf remote access is required, configure a secure VPN connection to the device; disable any direct internet connectivity

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade all FLXEON devices (FBXi, FBVi, FBTi, CBXi) to firmware version 9.3.5 or later

HARDENINGEnsure physical access controls are in place to prevent unauthorized personnel from accessing FLXEON devices and connected networks

Long-term hardening

0/1

HARDENINGReview network architecture to ensure FLXEON controllers are not on untrusted or external networks; segment them on isolated or secure internal networks only

CVEs (3)

CVE-2024-48841 CVE-2024-48849 CVE-2024-48852

View full ABB PSIRT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7b7080e6-2a47-4952-80b7-6aa80c4f51c7