ABB CP635 HMI
Plan Patch8.8ICS-CERT ICSA-19-178-03Jun 27, 2019
Attack VectorAdjacent
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
ABB CP600 control panels (CP620, CP630, CP635 series) running board support package (BSP) UN31 v1.76 and earlier contain hardcoded credentials or authentication bypass vulnerability (CWE-798). Successful exploitation allows remote code execution, denial of service, or unauthorized control of the panel. ABB has declared these products end-of-life and will not provide firmware patches. Panel Builder 600 v2.8.0.424 and BSP UN31 v2.31 were released but only apply to newer revision variants not listed in the affected products.
What this means
What could happen
An attacker with network access to an ABB CP600 control panel can execute arbitrary code, alter panel operations, or deny access to legitimate operators. This could disrupt production processes controlled through the HMI.
Who's at risk
Manufacturing facilities using ABB CP620, CP630, and CP635 HMI control panels for process monitoring and control. These are typically used in automotive, food and beverage, chemical, and discrete manufacturing plants to display real-time process data and allow operators to adjust setpoints and manage production workflows.
How it could be exploited
An attacker with local network access (not Internet-facing) can send specially crafted network packets to the CP600 panel to exploit hardcoded credentials or authentication bypass, gaining the ability to upload and execute arbitrary code on the panel itself.
Prerequisites
- Network access to the CP600 panel via Ethernet (UDP or TCP, port not specified in advisory)
- Panel must be running BSP UN31 v1.76 or earlier
- No authentication required for exploitation
No authentication requiredNo patch available (end-of-life product)Low network complexityLocal network access only (not directly Internet-exploitable)Allows arbitrary code execution
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (9)
9 with fix
ProductAffected VersionsFix Status
CP620 order code: 1SAP520100R0001 revision index G1 with BSP UN31 v1.76 and prior1SAP520100R0001 | G1 with BSP ≤ UN31 1.76v2.31 or later
CP630 order code: 1SAP530100R0001 revision index G1 with BSP UN31 v1.76 and prior1SAP530100R0001 | G1 with BSP ≤ UN31 1.76v2.31 or later
CP635-WEB order code: 1SAP535200R0001 revision index G1 with BSP UN31 v1.76 and prior1SAP535200R0001 | G1 with BSP ≤ UN31 1.76v2.31 or later
CP620 order code: 1SAP520100R4001 revision index G1 with BSP UN31 v1.76 and prior1SAP520100R4001 | G1 with BSP ≤ UN31 1.76v2.31 or later
CP630-WEB order code: 1SAP530200R0001 revision index G1 with BSP UN31 v1.76 and prior1SAP530200R0001 | G1 with BSP ≤ UN31 1.76v2.31 or later
CP635 order code: 1SAP535100R0001 revision index G1 with BSP UN31 v1.76 and prior1SAP535100R0001 | G1 with BSP ≤ UN31 1.76v2.31 or later
CP635 order code: 1SAP535100R5001 revision index G1 with BSP UN31 v1.76 and prior1SAP535100R5001 | G1 with BSP ≤ UN31 1.76v2.31 or later
CP635-B order code: 1SAP535100R2001 revision index G1 with BSP UN31 v1.76 and prior1SAP535100R2001 | G1 with BSP ≤ UN31 1.76v2.31 or later
Remediation & Mitigation
0/5
Do now
0/3HARDENINGIsolate control system networks behind a firewall and do not expose CP600 panels to the Internet
HARDENINGRestrict network access to CP600 panels to authorized engineering and operations staff only
WORKAROUNDUse VPN with current updates when remote access to CP600 panels is required
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HOTFIXUpdate BSP (board support package) to UN31 v2.31 or later
HOTFIXUpdate Panel Builder 600 software to v2.8.0.424 or later (available via Automation Builder 2.2 SP2)
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/d1637dd3-a16f-423d-a6ef-58bdb00960b2