OTPulse

ABB CP651 HMI

Plan Patch · CVSS 8.8 · ICS-CERT ICSA-19-178-02 · Jun 27, 2019
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ABB CP-series HMI units (CP651, CP661, CP665, CP676, and WEB variants) contain a hardcoded credential vulnerability (CWE-798) affecting BSP UN30 firmware v1.76 and prior. An attacker with network access to the device can authenticate using static credentials, allowing remote code execution, arbitrary command execution, or denial of service.

What this means
What could happen
An attacker with access to the network could gain control of the HMI and run commands that alter process displays, stop the device entirely, or insert malicious code—disrupting plant operations and potentially affecting safety interlocks if the HMI controls critical processes.
Who's at risk
Manufacturing facilities using ABB CP-series HMI panels (CP651, CP661, CP665, CP676) for process visualization and control should assess exposure. This includes facilities relying on these panels for manufacturing, batch control, or supervisory display functions that are connected to plant networks.
How it could be exploited
An attacker gains network access to a CP-series HMI (wired Ethernet or wireless if enabled) and uses the hardcoded credentials to authenticate directly to the web interface or management port. Once authenticated, the attacker can execute arbitrary commands on the device or upload and run malicious code, taking full control of the HMI.
Prerequisites
  • Network reachability to the HMI device on its management/web port (typically port 80 or 443)
  • Knowledge of the hardcoded credentials embedded in the BSP UN30 firmware
  • No authentication bypass required—credentials are static and embedded in the firmware
Remotely exploitable · No authentication required (hardcoded credentials) · No patch available (end-of-life or unsupported) · Allows remote code execution · High CVSS (8.8)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (8)
8 pending
Product | Affected Versions | Fix Status
CP665-WEB order code: 1SAP565200R0001 revision index A0 with BSP UN30 v1.76 and prior | 1SAP565200R0001 (revision index A0 with BSP ≤ UN30 1.76) | No fix yet
CP651 order code: 1SAP551100R0001 revision index B1 with BSP UN30 v1.76 and prior | 1SAP551100R0001 (revision index B1 with BSP ≤ UN30 1.76) | No fix yet
CP665 order code: 1SAP565100R0001 revision index B1 with BSP UN30 v1.76 and prior | 1SAP565100R0001 (revision index B1 with BSP ≤ UN30 1.76) | No fix yet
CP661 order code: 1SAP561100R0001 revision index B1 with BSP UN30 v1.76 and prior | 1SAP561100R0001 (revision index B1 with BSP ≤ UN30 1.76) | No fix yet
CP661-WEB order code: 1SAP561200R0001 revision index A0 with BSP UN30 v1.76 and prior | 1SAP561200R0001 (revision index A0 with BSP ≤ UN30 1.76) | No fix yet
CP676-WEB order code: 1SAP576200R0001 revision index A0 with BSP UN30 v1.76 and prior | 1SAP576200R0001 (revision index A0 with BSP ≤ UN30 1.76) | No fix yet
CP676 order code: 1SAP576100R0001 revision index B1 with BSP UN30 v1.76 and prior | 1SAP576100R0001 (revision index B1 with BSP ≤ UN30 1.76) | No fix yet
CP651-WEB order code: 1SAP551200R0001 revision index A0 with BSP UN30 v1.76 and prior | 1SAP551200R0001 (revision index A0 with BSP ≤ UN30 1.76) | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Implement network firewall rules to restrict inbound access to the HMI to only authorized engineering workstations, and block all Internet-facing access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor network traffic to the HMI for suspicious authentication attempts or unexpected connections
Long-term hardening
HARDENING: Isolate CP-series HMI devices on a separate industrial network segment not directly connected to the business network or the Internet
HARDENING: Deploy HMIs behind a DMZ or air-gapped network if possible, with secure remote access (VPN) only for approved maintenance and engineering
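
An added example (not part of the advisory or of ABB's guidance) for the firewall and monitoring steps above: a Python check that reads connection records and flags every source reaching an HMI that is not an authorized engineering workstation. The addresses, the plant network range and the log layout are constructed assumptions; ports 80 and 443 are the management ports named under Prerequisites.

```python
import ipaddress
from collections import namedtuple

# Constructed site data (assumptions, replace with your own inventory).
HMI_ADDRS = {ipaddress.ip_address(a) for a in ("10.20.30.11", "10.20.30.12")}
ENGINEERING_WS = {ipaddress.ip_address(a) for a in ("10.20.40.5",)}
PLANT_NET = ipaddress.ip_network("10.20.0.0/16")
MGMT_PORTS = {80, 443}  # "typically port 80 or 443" per the advisory text

# Constructed sample records: timestamp, source, destination, destination port.
SAMPLE_LOG = """\
2019-07-01T08:02:11Z 10.20.40.5 10.20.30.11 443
2019-07-01T08:05:40Z 10.20.30.77 10.20.30.11 80
2019-07-01T08:06:02Z 203.0.113.9 10.20.30.12 443
2019-07-01T08:07:15Z 10.20.30.77 10.20.30.12 5900
2019-07-01T08:09:00Z 10.20.40.5 10.20.50.3 443
garbled line
"""

Finding = namedtuple("Finding", "ts src dst port reason")

def review_connections(log_text):
    """Return (findings, skipped) for inbound HMI traffic outside the allowlist."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, src, dst, port = line.split()
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port = int(port)
        except ValueError:
            skipped += 1  # malformed record: count it rather than silently drop it
            continue
        if dst not in HMI_ADDRS or src in ENGINEERING_WS:
            continue  # not HMI traffic, or an authorized workstation
        if src not in PLANT_NET:
            reason = "source outside plant network"
        elif port in MGMT_PORTS:
            reason = "unauthorized source on management port"
        else:
            reason = "unexpected connection"
        findings.append(Finding(ts, str(src), str(dst), port, reason))
    return findings, skipped

if __name__ == "__main__":
    results, bad = review_connections(SAMPLE_LOG)
    for f in results:
        print(f"{f.ts} {f.src} -> {f.dst}:{f.port}  {f.reason}")
    print(f"{bad} malformed record(s) skipped")
```

Any finding also indicates a gap in the firewall rules from the workaround step, since those rules should have dropped the connection before it reached the HMI.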