ABB Pulsar Plus Controller

Monitor6.3ICS-CERT ICSA-23-082-05Mar 31, 2023

Attack VectorNetwork

Auth RequiredLow

ComplexityLow

User InteractionRequired

Summary

The Infinity DC Power Plant and Pulsar Plus System Controller contain CSRF and weak cryptographic vulnerabilities in the web management interface that allow an authenticated attacker to execute unauthorized administrative commands or inject code. The vulnerabilities stem from insufficient anti-CSRF protections (CWE-352) and inadequate random number generation for session tokens (CWE-330). Successful exploitation could allow an attacker to take control of the device or execute arbitrary code.

What this means

What could happen

An attacker with network access and valid user credentials could modify system settings or execute arbitrary code on the power controller, potentially disrupting DC power delivery to critical infrastructure.

Who's at risk

Energy sector organizations operating ABB Infinity DC Power Plant and Pulsar Plus System Controller installations should be concerned. These controllers manage DC power distribution to critical loads in substations, data centers, and renewable energy facilities. Compromised controllers could alter voltage regulation, disconnect critical circuits, or cause unplanned shutdowns.

How it could be exploited

An attacker with credentials to the Pulsar Plus web interface could exploit a CSRF vulnerability (CWE-352) combined with weak cryptography in session management (CWE-330) to perform unauthorized administrative actions or inject malicious code that persists on the device.

Prerequisites

Network access to the controller's web interface port
Valid user credentials for the Pulsar Plus web application
User action required: victim must be logged into the web interface when attacker triggers exploit

Remotely exploitableRequires valid credentialsUser interaction requiredCVSS score in medium rangeAffects power distribution systemsWeak session token generation

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Infinity DC Power Plant: H5692448 G104 G842 G224L G630-4 G451C(2) G461(2) - comcode 150047415H5692448 | G104 | G842 | G224L | G630-4 | G451C(2) | G461(2) | comcode 1500474155.0.0

Pulsar Plus System Controller: NE843_S - comcode 150042936NE843 S comcode 1500429365.0.0

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDDisable network write capability on port NET1 by setting WRE=0 on the controller front panel to prevent remote configuration changes

HARDENINGVerify and tighten firewall rules to restrict access to the controller's web interface and management ports to authorized networks only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Infinity DC Power Plant firmware to version 5.0.0

HOTFIXUpdate Pulsar Plus System Controller firmware to version 5.0.0

CVEs (2)

CVE-2022-1607 CVE-2022-26080

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/48beb1d3-7350-4215-950f-33c0c622c295