EIBPORT Reflected XSS
Plan: Patch
CVSS: 8
Reference: 9akk108471a7808
Published: Oct 7, 2025
ABB
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
ABB EIBPORT V3 KNX devices contain reflected cross-site scripting (XSS) vulnerabilities in their web interface. An attacker could inject malicious scripts to access sensitive device configuration information or modify device settings by tricking authenticated users into clicking specially crafted links. A firmware update to version 3.9.2 is available to address these vulnerabilities.
What this means
What could happen
An attacker with legitimate access to the EIBPORT web interface could inject malicious scripts that steal sensitive configuration data or trick authorized users into changing device settings without their knowledge.
Who's at risk
Building automation and KNX gateway administrators. This affects ABB EIBPORT devices used to bridge KNX (power line communication protocol) with IP networks in office buildings and facilities management systems.
How it could be exploited
An attacker crafts a malicious URL containing JavaScript code and tricks an authorized user into clicking it or visiting a page with an embedded link. When the user accesses the EIBPORT web interface through this link, the script executes in their browser with their authentication session, allowing the attacker to read configuration data or submit unauthorized configuration changes.
Prerequisites
- Valid login credentials or session to the EIBPORT web interface
- A user with access to EIBPORT must click an attacker-supplied link or visit an attacker-controlled page that embeds the link
- High severity (CVSS 8)
- Requires authentication and user interaction
- Access to sensitive configuration data possible
- Unauthorized configuration changes possible
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
EIBPORT V3 KNX (2CLA963710W1001) | < 3.9.2 | 3.9.2
EIBPORT V3 KNX (2CSM256242R2001) | < 3.9.2 | 3.9.2
EIBPORT V3 KNX GSM (2CLA963720W1001) | < 3.9.2 | 3.9.2
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update EIBPORT V3 KNX firmware to version 3.9.2 or later
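To turn the affected-products table and the 3.9.2 hotfix into an inventory check, the following added script (not ABB's or the advisory's own code) compares each device's firmware against the fixed release using numeric version tuples rather than strings; the order codes and fixed version come from this advisory, while the hostnames and firmware values in the sample inventory are constructed.

```python
from typing import Optional, Tuple

# Affected order codes and the fixed firmware release, from the advisory's table.
AFFECTED_PRODUCTS = {
    "2CLA963710W1001": "EIBPORT V3 KNX",
    "2CSM256242R2001": "EIBPORT V3 KNX",
    "2CLA963720W1001": "EIBPORT V3 KNX GSM",
}
FIXED_VERSION = "3.9.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Convert '3.9.2' to (3, 9, 2) so firmware versions compare numerically.

    String comparison is the classic mistake here: '3.10.0' < '3.9.2' is
    True as strings, yet 3.10.0 is the newer build. Any non-numeric
    component raises ValueError so an odd value gets flagged for review
    instead of being silently classified.
    """
    return tuple(int(piece) for piece in version.strip().split("."))


def needs_update(product_code: str, firmware: str) -> Optional[bool]:
    """True  -> affected model running firmware below 3.9.2
    False -> affected model already at 3.9.2 or later
    None  -> order code not listed in this advisory"""
    if product_code not in AFFECTED_PRODUCTS:
        return None
    return parse_version(firmware) < parse_version(FIXED_VERSION)


# Constructed sample inventory, not real devices: (hostname, order code, firmware).
SAMPLE_INVENTORY = [
    ("knx-gw-hq-01", "2CLA963710W1001", "3.8.4"),
    ("knx-gw-hq-02", "2CSM256242R2001", "3.9.2"),
    ("knx-gw-site-gsm", "2CLA963720W1001", "3.10.0"),
    ("plc-other", "0000000000X0000", "1.0"),  # placeholder code, not an ABB product
]


def triage(inventory) -> list:
    """Hostnames of devices that still need the 3.9.2 firmware."""
    return [name for name, code, fw in inventory if needs_update(code, fw)]


if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: schedule update to EIBPORT firmware {FIXED_VERSION} or later")
```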
CVEs (1)