VYPR
Advisory · Published May 26, 2026 · 1 source

CISA Warns of Critical Vulnerabilities in ABB Ability Camera Connect Due to Outdated VLC Component

CISA warns of multiple critical vulnerabilities in ABB Ability Camera Connect due to an outdated VLC media player component, with CVSS scores up to 9.8.

CISA has issued an advisory warning of multiple critical vulnerabilities in ABB Ability Camera Connect versions 1.5.0.14 and below, stemming from an outdated third-party VLC media player component (version 2.2.4). The vulnerabilities include heap-based buffer overflows, integer overflows, integer underflows, and use-after-free flaws, with CVSS scores reaching as high as 9.8. An attacker who successfully exploits these vulnerabilities could potentially achieve remote code execution or cause denial of service.

The affected product, ABB Ability Camera Connect, is used across critical infrastructure sectors including chemical, commercial facilities, communications, critical manufacturing, energy, and transportation systems. The product is deployed worldwide, with the vendor headquartered in Switzerland. The vulnerabilities are primarily associated with CVE-2024-46461 (integer overflow in VLC) and CVE-2023-47360 (integer underflow), among others.

ABB has released version 1.5.0.15 of Camera Connect, which updates the VLC component to address these issues. The vendor also notes that the VLC-based component operates in completely isolated environments without internet access or external network connectivity, which significantly reduces the attack surface. However, ABB still recommends that customers apply the update at their earliest convenience.

CISA's advisory highlights that while the air-gapped deployment mitigates remote exploitation, the vulnerabilities could still be exploited by an attacker with physical access or through other means. The agency urges organizations to review the advisory and apply the necessary patches to protect critical infrastructure.

This advisory is part of CISA's ongoing effort to secure industrial control systems and critical infrastructure from cyber threats. Organizations using ABB Ability Camera Connect should prioritize updating to version 1.5.0.15 or updating the VLC media player component directly to mitigate the risks.

Synthesized by Vypr AI