ABB Panel Builder 800 DLL Hijacking Vulnerability (Update A)

Monitor7.2ICS-CERT ICSA-16-077-01ADec 19, 2016

Attack VectorLocal

Auth RequiredHigh

ComplexityHigh

User InteractionRequired

Summary

ABB Panel Builder 800 versions 5.1 and earlier are vulnerable to DLL hijacking via improper search path handling. An attacker with local access and high privileges can craft a malicious DLL in a location where Panel Builder searches for libraries, resulting in arbitrary code execution when the application loads that DLL.

What this means

What could happen

An attacker with local administrative access to an engineering workstation running Panel Builder 800 could execute arbitrary code with the privileges of the application, potentially allowing them to modify HMI (human-machine interface) configurations, historical data, or interfere with process control logic deployed through the Panel Builder environment.

Who's at risk

Organizations running ABB Panel Builder 800 for HMI development and configuration, particularly utilities and manufacturers that use ABB control systems for SCADA, process automation, or plant-level monitoring. Any organization deploying ABB automation solutions through Panel Builder 800 is affected if they use version 5.1 or earlier on unpatched engineering workstations.

How it could be exploited

An attacker must first gain local access to a workstation running Panel Builder 800 with high privileges. They then place a malicious DLL in a directory that Panel Builder searches during startup (typically the application's working directory or system path). When an authorized user launches Panel Builder or opens a project, the application loads the hijacked DLL instead of the legitimate library, executing the attacker's code.

Prerequisites

Local access to the engineering workstation
High privileges (administrative-level access) on the target system
Ability to write files to application directories or system paths that Panel Builder searches
User must launch Panel Builder or open an existing project to trigger DLL loading

no patch availablerequires local access and high privilegesaffects engineering workstations (critical for HMI/SCADA design)low complexity exploitation once access is gained

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (1)

ProductAffected VersionsFix Status

Panel Builder 800: 5.15.1No fix (EOL)

Remediation & Mitigation

0/3

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor Panel Builder startup and DLL loading events for unusual library loads or file modifications in application directories

Mitigations - no patch available

0/2

Panel Builder 800: 5.1 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGRestrict local access to engineering workstations running Panel Builder 800 through physical security and account controls; limit administrative access to authorized personnel only

HARDENINGImplement application whitelisting or control to prevent unauthorized DLL execution in Panel Builder directories

CVEs (1)

CVE-2016-2281

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/602908c0-0973-47a1-9b60-75fdf3a4d792