VYPR advisory, published May 28, 2026 (1 source)

CISA Warns of High-Severity XSS Flaw in ABB EIBPORT KNX Building Management Devices

CISA has issued an advisory for CVE-2021-22291, a high-severity cross-site scripting vulnerability in ABB EIBPORT V3 KNX building management devices that could allow authenticated attackers to hijack sessions and alter device configurations.

CISA published an advisory on May 28, 2026, detailing a high-severity cross-site scripting (XSS) vulnerability in ABB EIBPORT V3 KNX building management devices. Tracked as CVE-2021-22291 and carrying a CVSS v3.1 base score of 8.0, the flaw resides in the session management mechanism of firmware versions below 3.9.2. An authenticated remote attacker can exploit the weak session handling to capture session IDs, effectively gaining unauthorized access to the device. Once inside, the attacker could read sensitive data stored on the device and modify its configuration, potentially disrupting building automation systems that rely on the KNX standard.

The affected products include three variants of the EIBPORT V3: the standard KNX model (2CLA963710W1001), the KNX model with a different part number (2CSM256242R2001), and the KNX GSM model (2CLA963720W1001), all running firmware versions prior to 3.9.2. ABB has released a firmware update that remediates the vulnerability by improving how the device verifies login credentials and token or session identifiers. The company also hardened the product configuration wherever possible. CISA recommends that users apply the update at the earliest convenience.
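The remediation described above (stronger verification of login credentials and of token or session identifiers, plus hardening of the configuration) maps onto a handful of concrete session-handling controls. The following is an added illustration written for this summary, not ABB's code, and it says nothing about how the EIBPORT firmware is implemented: the in-memory session store, user table, 15-minute lifetime and demo credential are all constructed. It shows unguessable session ids, a cookie that injected script cannot read (the path by which an XSS flaw becomes session hijacking), server-side expiry and revocation, id rotation after authentication, and output escaping so untrusted values are rendered as text.

```python
import hashlib
import hmac
import html
import secrets
import time

# Constructed in-memory session store: sha256(session_id) -> {"user": str, "expires": float}.
# Only the hash is stored, so a dump of this table yields no usable session ids.
SESSIONS = {}
SESSION_TTL = 15 * 60  # assumed idle lifetime in seconds

# Constructed demo credential store: username -> sha256(password). A device would use a
# salted, slow hash (PBKDF2, scrypt or Argon2); plain sha256 keeps the example short.
USERS = {"admin": hashlib.sha256(b"correct-horse-battery").hexdigest()}


def _key(sid):
    return hashlib.sha256(sid.encode()).hexdigest()


def cookie_header(sid):
    """Set-Cookie value for the session id. HttpOnly keeps it out of reach of injected
    script, Secure keeps it off cleartext HTTP, SameSite=Strict stops cross-site
    requests from carrying it."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"


def login(username, password, now=None):
    """Verify credentials and open a fresh session. Returns (sid, set_cookie) or None."""
    now = time.time() if now is None else now
    expected = USERS.get(username, "0" * 64)  # dummy digest keeps timing uniform for unknown users
    presented = hashlib.sha256(password.encode()).hexdigest()
    if not hmac.compare_digest(expected, presented) or username not in USERS:
        return None
    sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never a counter or timestamp
    SESSIONS[_key(sid)] = {"user": username, "expires": now + SESSION_TTL}
    return sid, cookie_header(sid)


def resolve(sid, now=None):
    """Map a presented session id to a username, or None if unknown or expired."""
    now = time.time() if now is None else now
    entry = SESSIONS.get(_key(sid))
    if entry is None:
        return None
    if entry["expires"] < now:
        SESSIONS.pop(_key(sid), None)  # expired ids are purged, not just refused
        return None
    entry["expires"] = now + SESSION_TTL  # sliding idle expiry on each use
    return entry["user"]


def rotate(sid, now=None):
    """Issue a new id for a live session and revoke the old one. Done after login or a
    privilege change so an id captured beforehand is worthless afterwards."""
    now = time.time() if now is None else now
    user = resolve(sid, now)
    if user is None:
        return None
    SESSIONS.pop(_key(sid), None)
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[_key(new_sid)] = {"user": user, "expires": now + SESSION_TTL}
    return new_sid


def logout(sid):
    """Server-side revocation; clearing the cookie in the browser alone leaves the id valid."""
    return SESSIONS.pop(_key(sid), None) is not None


def render_status(sid, now=None):
    """Page fragment showing who is logged in. The username is escaped so a value such as
    <script> is rendered as text rather than executed."""
    user = resolve(sid, now)
    if user is None:
        return "<p>not authenticated</p>"
    return f"<p>logged in as {html.escape(user, quote=True)}</p>"


if __name__ == "__main__":
    result = login("admin", "correct-horse-battery")
    assert result is not None
    sid, header = result
    print(header)
    print(render_status(sid))
```

Two design points worth noting: the store holds only a hash of each id, so a leaked session table cannot be replayed, and lookups are by hash rather than by comparing raw ids, which also avoids any timing side channel in the comparison. Rotation and logout both remove the old entry server-side, since an id that remains valid after the browser forgets it is exactly what a captured-session attack relies on.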

The vulnerability was privately reported to ABB by a researcher known as Psytester. According to the advisory, ABB had not received any reports of active exploitation at the time of publication. However, the company acknowledged that some customers have deployed EIBPORT devices with IP addresses accessible over the Internet or other untrusted networks, which is against ABB's intended use and best-practice recommendations. In such misconfigured environments, the attack surface increases significantly.

CISA's advisory emphasizes that recommended security practices—such as physically protecting control systems, avoiding direct Internet connections, and using firewalls with minimal exposed ports—can mitigate the risk. The agency also notes that process control systems should not be used for web browsing, instant messaging, or email, and that portable media should be scanned for viruses before connection. These measures are standard for industrial control system (ICS) environments but are especially critical for building management systems that bridge IT and operational technology (OT) networks.

The affected sectors include Critical Manufacturing and Information Technology, with devices deployed worldwide. ABB, headquartered in Switzerland, is a major supplier of industrial automation and building management solutions. The EIBPORT device serves as a gateway for KNX-based building automation, allowing centralized control of lighting, HVAC, and security systems. A compromise of such a gateway could have cascading effects on building operations, though ABB notes that the device is not designed as a functional safety device.

This advisory is part of a broader pattern of CISA warnings targeting vulnerabilities in building management and industrial control systems. Earlier this month, CISA also warned of an authentication bypass in ABB's Busch-Welcome 2 Wire Door Opener Actuators, highlighting the growing attention on OT security. The ABB EIBPORT flaw, while not yet exploited in the wild, underscores the importance of secure session management in devices that bridge physical and digital infrastructure. Organizations using affected versions should prioritize patching and review their network segmentation practices to prevent unauthorized remote access.

Synthesized by Vypr AI