Full Report
[Control systems] ABB security advisory (AV26-346)
Analysis Summary
# Vulnerability: Multiple Flaws in ABB Control Systems and Communication Stacks
## CVE Details
- **CVE ID:** CVE-2025-3756, CVE-2023-5869, CVE-2023-39417, CVE-2024-7348, CVE-2024-0985
- **CVSS Score:** Up to 8.8 (High), taken from the public NVD ratings of the referenced PostgreSQL CVEs; refer to the ABB advisories for the vendor-assigned score of the communication-stack flaw
- **CWE:** CWE-400 (Uncontrolled Resource Consumption), CWE-89 (SQL Injection), CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:**
- ABB CI868 AC800M (System 800xA)
- ABB CI850 Symphony Plus SD Series
- ABB PM 877 Symphony Plus MR (Melody Rack)
- ABB S+ Operations (IEC 61850)
- ABB Ability Symphony Plus Engineering
- **Versions:**
- PM 877: Firmware versions 3.10 to 3.52
- Symphony Plus Engineering: Versions bundling an unpatched PostgreSQL release (see the ABB advisory for the exact version ranges)
- Other communication stacks: Multiple firmware versions (Refer to specific vendor advisories)
- **Configurations:** Systems utilizing the IEC 61850 communication stack or integrated PostgreSQL databases.
## Vulnerability Description
This advisory covers two primary groups of vulnerabilities:
1. **Communication Stack Issues (CVE-2025-3756):** A Denial of Service (DoS) flaw in the IEC 61850 communication stack shared by several ABB product lines. An attacker who can reach the stack over the network could crash the communication interface, interrupting real-time data exchange between the control system and the IEC 61850 field devices (IEDs) it talks to.
2. **Database Vulnerabilities:** Multiple flaws in the PostgreSQL engine bundled with ABB Ability Symphony Plus Engineering: CVE-2023-39417 (SQL injection through @substitutions@ in extension scripts), CVE-2023-5869 (buffer overrun from an integer overflow during SQL array modification), CVE-2024-0985 (late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY, letting arbitrary SQL run as the view owner) and CVE-2024-7348 (relation replacement during pg_dump executes arbitrary SQL as the dumping user). These are defects in the database engine itself, so they are fixed by upgrading PostgreSQL rather than by changing application queries; all four require an authenticated database session.
## Exploitation
- **Status:** Not exploited in the wild (per current advisory data)
- **Complexity:** Low to Medium
- **Attack Vector:** Network; in practice via the ICS network segment carrying IEC 61850 traffic, or via access to an engineering workstation that hosts the Symphony Plus Engineering database
## Impact
- **Confidentiality:** Low to Moderate (Database flaws may expose engineering data)
- **Integrity:** Moderate (Potential for unauthorized configuration changes)
- **Availability:** High (DoS conditions can halt critical industrial communication)
## Remediation
### Patches
- ABB recommends updating to the latest firmware and software versions specified in the individual security advisories.
- **System 800xA / Symphony Plus:** Check hxxps[://]search[.]abb[.]com for specific patch IDs related to the IEC 61850 stack.
- **Symphony Plus Engineering:** Apply updates that bundle patched versions of PostgreSQL.
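Whether a given Symphony Plus Engineering installation still carries the database flaws comes down to the bundled PostgreSQL minor release. The following check, added here as an example and not ABB tooling, compares the string returned by `SELECT version()` against the first minor release on each major line that fixed each referenced CVE (taken from the PostgreSQL security release announcements); the host names and version strings in the sample inventory are constructed. ABB's own patch IDs remain authoritative, since the vendor bundle may ship the fix under a different package version.

```python
"""Triage PostgreSQL builds against the CVEs referenced in this advisory.

Added example (not ABB or PostgreSQL project code).  FIXED_IN lists, per CVE,
the first minor release on each major line that contains the fix, as stated
in the PostgreSQL security release announcements.  Sample inventory below is
constructed for illustration.
"""
import re

FIXED_IN = {
    "CVE-2023-39417": {11: 21, 12: 16, 13: 12, 14: 9, 15: 4},
    "CVE-2023-5869": {11: 22, 12: 17, 13: 13, 14: 10, 15: 5, 16: 1},
    "CVE-2024-0985": {12: 18, 13: 14, 14: 11, 15: 6, 16: 2},
    "CVE-2024-7348": {12: 20, 13: 16, 14: 13, 15: 8, 16: 4},
}

# Matches "PostgreSQL 14.9 on x86_64-..." as returned by SELECT version().
_VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)")


def parse_version(version_string):
    """Extract (major, minor) from a PostgreSQL version() string."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"not a PostgreSQL version string: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def unfixed_cves(version_string):
    """Return the advisory CVEs this build still lacks a fix for.

    A major line that never received the fix (already end-of-life when the
    CVE was published) is reported as unfixed, because no patch exists for
    it and the only remediation is a major-version upgrade.  A major line
    released after the fix (e.g. 17 for all four CVEs) was never affected.
    """
    major, minor = parse_version(version_string)
    unfixed = []
    for cve, fixes in FIXED_IN.items():
        if major > max(fixes):
            continue  # line forked after the fix landed; never affected
        if major not in fixes or minor < fixes[major]:
            unfixed.append(cve)
    return unfixed


def triage(inventory):
    """Map host -> list of unfixed CVEs for a {host: version_string} inventory."""
    return {host: unfixed_cves(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE_INVENTORY = {
    "eng-ws-01": "PostgreSQL 14.9 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 8.5.0, 64-bit",
    "eng-ws-02": "PostgreSQL 15.8 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 11.4.0, 64-bit",
    "eng-srv-01": "PostgreSQL 11.21 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5, 64-bit",
}

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {', '.join(cves) if cves else 'no outstanding advisory CVEs'}")
```

On a real workstation the version string comes from `psql -c "SELECT version()"` against the Symphony Plus Engineering instance; feed each result into `unfixed_cves` and schedule the ABB update for any host that returns a non-empty list.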
### Workarounds
- Isolate the IEC 61850 network from the business LAN with firewalls, permitting TCP/102 (MMS) only between the control system and the IEDs that require it.
- Disable unused protocols and services on CI868/CI850/PM 877 modules.
- Restrict access to Engineering Workstations to authorized personnel only.
## Detection
- **Indicators of Compromise:** Unexpected restarts of communication modules; failed heartbeats in System 800xA; unusual SQL error logs in Symphony Plus Engineering.
- **Detection methods and tools:** Monitor traffic on TCP/102 (the ISO transport used by MMS, Manufacturing Message Specification) for malformed TPKT/COTP/MMS frames and for excessive traffic or connection-request floods aimed at communication modules; a sudden rise in TCP/102 connection attempts from a single source is a practical alarm condition.
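A concrete form of the traffic check above, added here as an example rather than a tool from the advisory: IEC 61850 MMS rides on TCP/102 inside TPKT (RFC 1006) and COTP (ISO 8073) headers, so the first bytes of each segment can be sanity-checked, and COTP connection requests can be rate-counted per source. The header checks are standard TPKT/COTP structure; the per-source threshold, the window size and the packet records are assumptions constructed for illustration.

```python
"""Flag malformed or flooding IEC 61850 MMS traffic on TCP/102.

Added example, not part of the ABB or Cyber Centre advisory.  Input records
are (timestamp, source_ip, destination_port, tcp_payload) tuples such as a
collector would extract from a capture; the SAMPLE_RECORDS below are
constructed, and the flood threshold is an assumed tuning value.
"""
from collections import defaultdict

TPKT_VERSION = 3
MMS_PORT = 102
# COTP PDU types (upper nibble of the code byte): CR, CC, DR, DC, DT, ER
COTP_TYPES = {0xE0: "CR", 0xD0: "CC", 0x80: "DR", 0xC0: "DC", 0xF0: "DT", 0x70: "ER"}


def check_tpkt_cotp(payload: bytes) -> list:
    """Return structural anomalies found in one TCP/102 segment payload."""
    problems = []
    if len(payload) < 4:
        return ["truncated TPKT header"]
    version, reserved = payload[0], payload[1]
    declared = int.from_bytes(payload[2:4], "big")
    if version != TPKT_VERSION:
        problems.append(f"TPKT version {version} (expected {TPKT_VERSION})")
    if reserved != 0:
        problems.append("TPKT reserved byte is non-zero")
    if declared != len(payload):
        problems.append(f"TPKT length mismatch (header {declared}, actual {len(payload)})")
    if len(payload) < 6:
        problems.append("no COTP header after TPKT")
        return problems
    li, code = payload[4], payload[5]
    pdu = code & 0xF0
    if pdu not in COTP_TYPES:
        problems.append(f"unknown COTP PDU type 0x{code:02x}")
    # LI counts the bytes that follow it; it must fit inside the segment.
    if li > len(payload) - 5:
        problems.append(f"COTP length indicator {li} exceeds remaining {len(payload) - 5} bytes")
    if pdu == 0xF0 and li != 2:
        problems.append(f"COTP DT length indicator {li} (expected 2)")
    if pdu == 0xE0 and li < 6:
        problems.append(f"COTP CR length indicator {li} below minimum 6")
    return problems


def scan(records, window_s=1.0, max_cr_per_window=20):
    """Run the header checks and a per-source CR rate check; return (src, reason) alerts."""
    alerts = []
    cr_times = defaultdict(list)  # source -> timestamps of recent CR PDUs
    for ts, src, dport, payload in records:
        if dport != MMS_PORT:
            continue
        for problem in check_tpkt_cotp(payload):
            alerts.append((src, f"malformed: {problem}"))
        if len(payload) >= 6 and payload[5] & 0xF0 == 0xE0:
            times = cr_times[src]
            times.append(ts)
            while times and ts - times[0] > window_s:  # slide the window
                times.pop(0)
            if len(times) == max_cr_per_window + 1:  # alert once per burst
                alerts.append((src, f"flood: >{max_cr_per_window} COTP connection requests in {window_s}s"))
    return alerts


# Constructed sample segments (hex): TPKT header followed by COTP.
VALID_CR = bytes.fromhex("03000016" "11e0" "0000" "0001" "00" "c1020001" "c2020001" "c0010a")
VALID_DT = bytes.fromhex("0300000b" "02f080" "0d020506")
BAD_LEN = bytes.fromhex("03000040" "02f080" "00")        # header claims 64 bytes, 8 present
BAD_LI = bytes.fromhex("03000008" "7fe0" "0000")          # COTP LI 127 in an 8-byte segment
BAD_VERSION = bytes.fromhex("0200000b" "02f080" "0d020506")

SAMPLE_RECORDS = (
    [(10.0, "10.10.1.5", 102, VALID_CR), (10.1, "10.10.1.5", 102, VALID_DT),
     (10.2, "10.10.1.7", 102, BAD_LEN), (10.3, "10.10.1.7", 102, BAD_LI),
     (10.4, "10.10.1.8", 8080, BAD_VERSION)]               # not TCP/102: ignored
    + [(100.0 + i * 0.02, "10.10.9.99", 102, VALID_CR) for i in range(25)]
)

if __name__ == "__main__":
    for src, reason in scan(SAMPLE_RECORDS):
        print(f"{src}: {reason}")
```

Run against real captures, the malformed-frame alerts are the ones to correlate with the module restarts and failed heartbeats listed as indicators above; tune `max_cr_per_window` to the normal reconnect behaviour of the plant's IEDs before relying on the flood alert.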
## References
- **Vendor Advisories:**
- hxxps[://]search[.]abb[.]com/library/Download[.]aspx?DocumentID=7PAA020125&LanguageCode=en&DocumentPartId=&Action=Launch
- hxxps[://]search[.]abb[.]com/library/Download[.]aspx?DocumentID=7PAA017341&LanguageCode=en&DocumentPartId=&Action=Launch
- **ABB Security Portal:** hxxps[://]global[.]abb/group/en/technology/cyber-security/alerts-and-notifications
- **Canadian Centre for Cyber Security:** AV26-346