ABB FLXEON Controllers

Act Now10ICS-CERT ICSA-25-051-02Feb 20, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

ABB FLXEON controllers contain vulnerabilities in HTTPS request handling and command execution logic (CWE-77, CWE-1385, CWE-532) that allow unauthenticated remote code execution. The vulnerabilities affect CBXi, FBXi, FBVi, and FBTi firmware versions 9.3.4 and earlier. An attacker with network access to an exposed FLXEON device can send unauthorized HTTPS requests, access sensitive information from HTTPS responses, or execute remote code without authentication. Successful exploitation could allow an attacker to alter process parameters, disrupt operations, or compromise plant safety systems. These vulnerabilities are only exploitable if the FLXEON device is accessible on the attacker's network segment or exposed directly to the Internet.

What this means

What could happen

An attacker with network access to a FLXEON controller could send unauthorized HTTPS requests, intercept sensitive information from responses, or execute arbitrary code on the device—potentially altering process setpoints, disrupting production, or compromising plant safety systems.

Who's at risk

Manufacturing facilities operating ABB FLXEON controllers (CBXi, FBXi, FBVi, FBTi series) used for process automation and control. This affects any plant using these controllers for real-time industrial operations, from small machine controllers to larger distributed control systems.

How it could be exploited

An attacker on the same network segment as a FLXEON device (or able to reach it via port forwarding from the Internet) can exploit these vulnerabilities in the HTTPS handling and command execution logic to send malicious requests directly to the controller's management interface, gaining code execution without authentication.

Prerequisites

Network access to the FLXEON device (local network segment or Internet-exposed via NAT/ISP connection)
No authentication required for exploitation
Device must be running firmware version 9.3.4 or earlier

remotely exploitableno authentication requiredlow complexityhigh CVSS (10.0)affects safety systemsdefault credentials in use

Exploitability

Moderate exploit probability (EPSS 4.2%)

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

CBXi Firmware≤ 9.3.4>=9.3.5

FBXi Firmware≤ 9.3.4>=9.3.5

FBVi Firmware≤ 9.3.4>=9.3.5

FBTi Firmware≤ 9.3.4>=9.3.5

Remediation & Mitigation

0/7

Do now

0/3

WORKAROUNDDisconnect any FLXEON devices currently exposed directly to the Internet (direct ISP connection or NAT port forwarding)

HARDENINGPlace all FLXEON devices behind a firewall; do not expose directly to the Internet

HARDENINGChange all default passwords on FLXEON devices still using factory credentials

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade all FLXEON controllers (CBXi, FBXi, FBVi, FBTi) to firmware version 9.3.5 or later

HARDENINGIf remote access is required, use only a VPN gateway configured for secure access to the specific network segment containing FLXEON

HARDENINGEnsure VPN gateway and all network components are patched and maintained per industry standards

Long-term hardening

0/1

HARDENINGImplement physical access controls to prevent unauthorized personnel from accessing FLXEON devices and connected equipment

CVEs (3)

CVE-2024-48841 CVE-2024-48849 CVE-2024-48852

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cddd91b2-509a-418f-a3ec-e6c54ec2aa93