ABB Automation Builder Flaw Exposes PLCs to Remote Attacks

---
title: "ABB Automation Builder Flaw Exposes PLCs to Remote Attacks"
short_title: "ABB Automation Builder gateway vulnerability exposed"
description: "ABB warns of a medium-severity flaw in Automation Builder Gateway for Windows, allowing unauthenticated attackers to scan for PLCs. Learn how to mitigate CVE-2024-41975."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [abb, plc, cve-2024-41975, industrial-security, vulnerability]
score: 0.65
cve_ids: [CVE-2024-41975]
---

## TL;DR
ABB has disclosed a vulnerability (CVE-2024-41975) in its Automation Builder Gateway for Windows, which allows unauthenticated attackers to remotely scan for PLCs. While user management typically prevents full access, disabling it could expose critical systems. ABB has released a patch (version 2.9.0) and workarounds to mitigate the risk.



### Introduction
Industrial control systems (ICS) are increasingly targeted by cyber threats, and vulnerabilities in widely used software like ABB Automation Builder can have far-reaching consequences. ABB recently revealed a medium-severity flaw in its Automation Builder Gateway for Windows, which could enable unauthenticated attackers to scan for and potentially access programmable logic controllers (PLCs). This article explores the vulnerability, its impact, and steps to secure affected systems.


### Key Points
- Vulnerability Identified: CVE-2024-41975 affects ABB Automation Builder Gateway for Windows versions prior to 2.9.0.
- Remote Access Risk: The gateway listens on port 1217 by default, allowing remote access even when unnecessary.
- Attack Vector: Unauthenticated attackers can scan for PLCs, though access is restricted unless user management is disabled.
- Affected Sectors: Critical infrastructure sectors, including chemical, energy, water, and manufacturing, are at risk.
- Patch Available: ABB has released Automation Builder 2.9.0, which restricts gateway access to local networks by default.


### Technical Details
The ABB Automation Builder Gateway serves as a communication channel between clients and AC500 PLCs. By default, the gateway listens on all available network adapters via port 1217, making it accessible remotely. While remote access is only required in specific network configurations, many users are unaware of this capability, leaving their systems exposed.

The vulnerability stems from CWE-1188: Initialization of a Resource with an Insecure Default. Attackers can exploit this flaw to scan for PLCs within restricted networks. However, user management on the PLCs typically prevents unauthorized access—unless it has been disabled.

The gateway can be installed as:
- A standalone setup.
- Part of other setups, such as the CODESYS Development System V3 or CODESYS OPC DA Server.


### Impact Assessment
#### Who Is at Risk?
- Organizations using ABB Automation Builder versions prior to 2.9.0.
- Industries reliant on AC500 PLCs, including:
  - Chemical
  - Critical Manufacturing
  - Energy
  - Water and Wastewater Systems

#### Potential Consequences
- Reconnaissance Attacks: Attackers can scan for vulnerable PLCs, gathering intelligence for future attacks.
- Unauthorized Access: If user management is disabled, attackers could gain control of PLCs, leading to disruption of industrial processes.
- Lateral Movement: Compromised PLCs could serve as entry points for deeper network infiltration.

#### CVSS Metrics
The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the following vector: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N`

- Attack Vector (AV): Network
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Scope (S): Unchanged
- Confidentiality (C): Low
- Integrity (I): None
- Availability (A): None


### Mitigation Steps
ABB has provided two primary mitigation strategies to address this vulnerability:

#### 1. Apply the Patch
- Upgrade to Automation Builder 2.9.0 or later, which restricts gateway access to local networks by default.
- Download the latest version from ABB’s official site: ABB Automation Builder Software Download.

#### 2. Workarounds
If upgrading is not immediately possible, ABB recommends the following workaround:
- Restrict Gateway Access to Localhost:
  - Modify the Gateway.cfg file to include the following setting:

        [CmpGwCommDrvTcp]
        LocalAddress=127.0.0.1 ; allow access only from the local computer

  - The configuration file is typically located at: `%ProgramFiles%\ABB\AB2.8\AutomationBuilder\GatewayPLC\Gateway.cfg`
  - Restart the gateway after making changes.
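
An added example (not ABB's code and not part of the advisory): a Python check that a `Gateway.cfg` actually carries the workaround above, reporting a file as exposed when the setting is missing, commented out, in the wrong section, or not a loopback address. It assumes `;` starts a comment and that section and key names match exactly as written in the workaround; the sample files are constructed.

```python
import ipaddress

# Section and key exactly as written in the workaround; exact-case matching
# is an assumption of this example, chosen so that near-misses are flagged.
SECTION, KEY = "CmpGwCommDrvTcp", "LocalAddress"

def audit_gateway_cfg(text):
    """Return (status, detail); status is "ok" only for a loopback-only bind."""
    section, values = None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # assumption: ';' starts a comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == SECTION and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == KEY:
                values.append(value)
    if not values:
        return "exposed", "LocalAddress not set: the default bind applies"
    for value in values:   # every occurrence must be a loopback address
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "exposed", f"LocalAddress={value!r} is not an IP address"
        if not addr.is_loopback:
            return "exposed", f"LocalAddress={value} is not a loopback address"
    return "ok", "gateway bound to loopback only"

# Constructed sample files (not taken from a real installation).
SAMPLES = {
    "workaround applied": "[CmpGwCommDrvTcp]\nLocalAddress=127.0.0.1 ; local only\n",
    "setting missing": "[CmpGwCommDrvTcp]\n",
    "commented out": "[CmpGwCommDrvTcp]\n;LocalAddress=127.0.0.1\n",
    "all adapters": "[CmpGwCommDrvTcp]\nLocalAddress=0.0.0.0\n",
    "wrong section": "[ExampleOtherSection]\nLocalAddress=127.0.0.1\n",
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        status, detail = audit_gateway_cfg(cfg)
        print(f"{name:20} {status:8} {detail}")
```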

#### Additional Best Practices
- Isolate Control Systems: Ensure PLCs and industrial networks are not directly accessible from the internet.
- Use Firewalls: Deploy firewalls to restrict access to port 1217 and other critical ports.
- Monitor Network Traffic: Implement intrusion detection systems (IDS) to detect unusual scanning activity.
- Enable User Management: Ensure PLC user management is enabled and properly configured to prevent unauthorized access.


### Affected Systems
| Vendor | Product | Affected Versions | Status |
|------------|--------------------------------------|-----------------------------|---------------------|
| ABB | Automation Builder Gateway for Windows | < 2.9.0 | Fixed in 2.9.0 |


## Conclusion
The CVE-2024-41975 vulnerability in ABB Automation Builder Gateway highlights the risks posed by insecure default configurations in industrial control systems. While the flaw is rated as medium severity, its potential impact on critical infrastructure sectors should not be underestimated. Organizations using affected versions should apply the patch immediately or implement the recommended workarounds to reduce exposure.

As cyber threats to industrial systems continue to evolve, proactive measures such as network segmentation, access controls, and regular software updates are essential to maintaining security.

