FLXeon Controllers Multiple vulnerabilities

Plan Patch8.89akk108471a7121Sep 9, 2025

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities exist in ABB FLXeon controllers (FBXi, FBVi, FBTi, CBXi firmware versions 9.3.5 and earlier). These are related to hardcoded credentials (CWE-798), insufficient hardening (CWE-1287), and use of hard-coded passwords in client software (CWE-759). An attacker with network access to a misconfigured FLXeon controller can exploit these weaknesses to achieve remote code execution and take complete control of the device. The vulnerabilities require network access but no additional credentials or user interaction. ABB states that proper network isolation and adherence to documented deployment guidelines are required mitigations, as no firmware patches are planned for these end-of-life products.

What this means

What could happen

An attacker with network access to a misconfigured FLXeon controller could run arbitrary code on the device, potentially altering process logic, stopping operations, or modifying control setpoints on all connected equipment.

Who's at risk

Water utilities and municipal electric utilities operating ABB FLXeon controllers (FBXi, FBVi, FBTi, CBXi models) used for process control. This affects any facility relying on these controllers for critical operations such as pump control, valve actuation, power distribution switching, or water treatment processes.

How it could be exploited

An attacker on the same network segment (or with routing to the controller) can send specially crafted requests to exploitable services on the FLXeon controller. The device lacks proper input validation and authentication, allowing the attacker to inject and execute arbitrary code with the same privileges as the controller.

Prerequisites

Network access to the FLXeon controller (same network segment or routed)
FLXeon controller firmware version 9.3.5 or earlier
No additional credentials required
Controller must be reachable from attacker's network (misconfigured network exposure)

No authentication required for exploitationLow complexity attack (AC:L)No patch available (end-of-life product line)Remote code execution capableHigh CVSS score (8.8)Affects control systems directly

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

FBXi Firmware≤ 9.3.5No fix (EOL)

FBTi Firmware≤ 9.3.5No fix (EOL)

CBXi Firmware≤ 9.3.5No fix (EOL)

FBVi Firmware≤ 9.3.5No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/4

HARDENINGImmediately audit network configuration to verify FLXeon controllers are not reachable from untrusted networks (internal networks, especially if connected to corporate IT infrastructure, can be untrusted from the OT perspective)

HARDENINGImplement network segmentation: isolate FLXeon devices on a dedicated, air-gapped or heavily restricted network segment with firewall rules blocking all inbound connections except from authorized engineering workstations

HARDENINGReview and enforce ABB's documented security guidelines for FBXi, CBXi, and ASPECT SOLUTIONS deployment to ensure controllers are placed only on secure, non-internet-facing networks

WORKAROUNDIf FLXeon controllers are currently exposed to any network other than the isolated control network, take them offline until network segmentation is implemented

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXMonitor vendor communications for firmware updates; ABB has not yet released patches, but availability of fixed versions should be tracked

CVEs (4)

CVE-2024-48842 CVE-2024-48851 CVE-2025-10205 CVE-2025-10207

View full ABB PSIRT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d44fa075-62a8-4439-8df4-9c29f81d2f6e