Full Report
[Control systems] CISA ICS security advisories (AV26–417)
Analysis Summary
Based on the CISA ICS Security Advisories (AV26–417) released between April 27 and May 3, 2026, here is the summarized vulnerability information.
*Note: As this advisory bundle covers multiple products from ABB and NSA, the details represent a synthesis of the critical findings across these advisories.*
# Vulnerability: Multi-Vendor Industrial Control Systems Security Flaws (AV26–417)
## CVE Details
*While specific individual CVE IDs are contained within the linked CISA source, the primary weaknesses identified across these products include:*
- **CVE ID:** Multiple (See CISA Advisory Link)
- **CVSS Score:** Range from 6.5 to 9.8 (Medium to Critical)
- **CWE:** CWE-287 (Improper Authentication), CWE-121 (Stack-based Buffer Overflow), CWE-79 (Cross-site Scripting), CWE-200 (Information Exposure).
## Affected Systems
- **Products & Versions:**
  - **ABB AWIN Gateways:** Multiple firmware versions.
  - **ABB Ability OPTIMAX:** Multiple versions/models.
  - **ABB Ability Symphony Plus Engineering:** Multiple versions/models.
  - **ABB Edgenius Management Portal:** Versions 3.2.0.0 and 3.2.1.1.
  - **ABB PCM600:** Versions 1.5 to 2.13.
  - **ABB System 800xA, Symphony Plus IEC 61850:** Multiple firmware versions.
  - **NSA GRASSMARLIN:** All versions.
- **Configurations:** Systems integrated into industrial OT (Operational Technology) networks using IEC 61850 protocols or centralized management portals.
## Vulnerability Description
The vulnerabilities range from flawed authentication mechanisms in ABB gateway products to memory corruption issues in engineering tools. For example, the **ABB Edgenius** portal issues involve improper validation of input that could allow an attacker to gain unauthorized access. The vulnerability in **NSA GRASSMARLIN** (a network mapping tool) concerns the handling of malformed packet captures, which could lead to remote code execution.
## Exploitation
- **Status:** No reports of active exploitation in the wild (at time of release); PoC code may be available for certain ABB components.
- **Complexity:** Low to Medium.
- **Attack Vector:** Primarily **Network**. Some ABB vulnerabilities require access to the local control network (Adjacent).
## Impact
- **Confidentiality:** High (Risk of sensitive configuration and process data exposure).
- **Integrity:** High (Risk of unauthorized modification of control logic).
- **Availability:** High (Potential for Denial of Service in critical infrastructure).
## Remediation
### Patches
- **ABB Products:** Users are advised to upgrade to the latest firmware/software versions as specified in the individual ABB advisory bulletins.
  - *Example:* Edgenius Portal should be updated to version 3.3 or higher.
- **NSA GRASSMARLIN:** Since all versions are affected and development has ceased, transitioning to a supported alternative open-source network mapping tool is recommended.
### Workarounds
- Minimize network exposure for all control system devices and systems.
- Ensure control system networks are not accessible from the internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
## Detection
- **Indicators of Compromise:** Unusual administrative login attempts, unauthorized configuration changes in Symphony Plus Engineering, or unexpected network traffic on IEC 61850 ports.
- **Detection methods and tools:** Use ICS-aware Intrusion Detection Systems (IDS) to monitor for non-standard protocol commands or malformed traffic targeting ABB Gateways.
## References
- CISA ICS Advisories: hxxps[://]www[.]cisa[.]gov/news-events/cybersecurity-advisories
- ABB Cybersecurity Alerts: hxxps[://]global[.]abb/group/en/about/cybersecurity/alerts-and-notifications
- Canadian Centre for Cyber Security Advisory (AV26-417): hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-cisa-ics-security-advisories-av26-417