ABB Automation Builder
Plan Patch | 8.5 | ICS-CERT ICSA-25-133-04 | May 13, 2025
Summary
ABB Automation Builder contains vulnerabilities in user management that allow an attacker with local access to the engineering workstation to bypass authentication controls. CVE-2025-3394 involves improper file permission handling, and CVE-2025-3395 involves weak encryption of project security settings. Successful exploitation would allow an attacker to overrule user management and gain unauthorized access to modify automation projects. These vulnerabilities are not remotely exploitable and require local filesystem access to Automation Builder project files.
What this means
What could happen
An attacker with local access to an Automation Builder project could bypass user management controls, potentially allowing unauthorized modification of automation logic or access to sensitive project configurations. Since Automation Builder is used to configure industrial processes, this could lead to unauthorized changes to control logic in energy systems.
Who's at risk
Energy sector organizations using ABB Automation Builder for configuring industrial automation systems and PLCs should be concerned. This affects any engineer or operator workstation where Automation Builder projects are stored or edited, particularly in power generation, distribution, and control environments.
How it could be exploited
An attacker must have local access to the Automation Builder engineering workstation or project files. They can exploit improper file permission handling (CVE-2025-3394) or weak encryption (CVE-2025-3395) to bypass the application's user management system and gain unauthorized project access or modify automation configurations without proper authentication.
Prerequisites
- Local access to the engineering workstation running Automation Builder
- Access to Automation Builder project files on the filesystem
- Knowledge of the project structure or ability to examine unencrypted/improperly-protected project data
- no patch available
- affects security-sensitive engineering function (user management bypass)
- local access required but insider threat concern
- all versions affected
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Automation Builder: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: In Automation Builder project settings, set 'Security' to 'Integrity' check (mitigation for CVE-2025-3394)
- WORKAROUND: In Automation Builder project settings, set 'Security' to 'Encryption' (mitigation for CVE-2025-3395)
- HARDENING: Restrict local access to engineering workstations running Automation Builder through physical and logical access controls
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement file-level access controls and permissions on Automation Builder project directories to restrict who can read or modify project files
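One way to check the file-level access control step above on a Windows engineering workstation, as an added PowerShell example that is not part of the advisory or of ABB tooling: it lists every allow entry that grants Everyone, Authenticated Users or BUILTIN\Users read or modify access under a project directory. The `$ProjectRoot` path is a placeholder, and treating those three groups as too broad is an assumed policy.

```powershell
# Added example (not ABB's): list broad-group access to Automation Builder project files.
param(
    # Placeholder path (assumption): set to the directory where projects are stored.
    [string]$ProjectRoot = 'D:\PLACEHOLDER\AutomationBuilderProjects'
)

# Well-known SIDs for broad groups; SIDs avoid localized account names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Bits that allow changing, replacing or re-permissioning a file (no read bits included).
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL, which appear unmapped on inherit-only entries.
$GenericWrite = 0x50000000
$SidType = [System.Security.Principal.SecurityIdentifier]

# Audit the root itself plus everything below it, hidden items included.
$items = @(Get-Item -LiteralPath $ProjectRoot) +
         @(Get-ChildItem -LiteralPath $ProjectRoot -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Explicit and inherited rules, with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $BroadSids.ContainsKey($sid)) { continue }
        $bits = [int]$ace.FileSystemRights
        $canWrite = ($bits -band ($WriteMask -bor $GenericWrite)) -ne 0
        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $BroadSids[$sid]
            Access    = if ($canWrite) { 'Modify' } else { 'Read' }
            Inherited = $ace.IsInherited
            Rights    = $ace.FileSystemRights
        }
    }
}

# Modify findings sort first; an empty table means no broad-group access was found.
$findings | Sort-Object Access, Path | Format-Table -AutoSize
```

Rows marked as inherited have to be fixed on the parent directory that grants them, not on the individual project file.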
Mitigations - no patch available
Automation Builder: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate Automation Builder engineering networks from business networks and the Internet using firewalls
CVEs (2)