CISA Warns of Insecure Default in ABB Automation Builder Gateway Exposing PLCs to Remote Scanning
CISA has issued an advisory for CVE-2024-41975, an insecure default vulnerability in ABB Automation Builder Gateway for Windows that allows unauthenticated remote attackers to scan for AC500 PLCs.

CISA has published an advisory warning of a vulnerability in ABB Automation Builder Gateway for Windows, tracked as CVE-2024-41975. The flaw stems from an insecure default configuration that causes the gateway to listen on all network interfaces on port 1217, making it remotely accessible. While user management on the connected AC500 PLCs prevents unauthorized control unless explicitly disabled, the exposure enables attackers to perform reconnaissance on restricted PLC networks, potentially mapping out industrial control system (ICS) environments.
The ABB Automation Builder Gateway serves as the communication channel between engineering and OPC clients and AC500 PLCs. By default it listens on all available network adapters on TCP port 1217, so it is reachable from every network the host is attached to, even though remote access to the gateway is only needed in certain network configurations. Because the gateway is usually accessed locally, many users are unaware that it is exposed at all, and that exposure lets an attacker enumerate and reach PLCs on otherwise restricted networks. An unauthenticated attacker can therefore search for PLCs through the gateway; the PLCs' own user management still blocks actual access to them, unless that user management has been disabled.
The vulnerability affects all versions of Automation Builder Gateway for Windows prior to 2.9.0. The gateway can be installed as a standalone component or as part of other setups such as the CODESYS Development System V3 or the CODESYS OPC DA Server setup, so a host may carry a vulnerable gateway without Automation Builder itself being installed. The affected products are deployed across multiple critical infrastructure sectors, including Chemical, Critical Manufacturing, Energy, and Water and Wastewater Systems, with a worldwide footprint. ABB is headquartered in Switzerland.
ABB has released version 2.9.0 of Automation Builder, which closes the vulnerability by changing the gateway's default to local access only. For users who cannot immediately upgrade, ABB recommends manually editing the gateway configuration file so that the listener is bound to the local loopback address, which means only clients running on the same host can reach it. Specifically, administrators should locate the `CmpGwCommDrvTcp` section in the `Gateway.cfg` file (typically found at `%ProgramFiles%\ABB\AB2.8\AutomationBuilder\GatewayPLC\Gateway.cfg`) and set `LocalAddress=127.0.0.1`. The gateway must be restarted for the change to take effect.
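The manual remediation above, as an added PowerShell script rather than ABB's or CISA's own tooling: it backs up `Gateway.cfg`, sets `LocalAddress=127.0.0.1` in the `[CmpGwCommDrvTcp]` section (adding the key or the section if absent), restarts the gateway, and then checks which addresses TCP port 1217 is actually bound to, since a binding of `0.0.0.0` or `::` means the gateway is still reachable from the network. It assumes the file is INI-style (a `[Section]` header followed by `key=value` lines) and that the gateway runs as a Windows service; the service name `CODESYSGatewayV3` is a placeholder assumption, so confirm the real name with `Get-Service` before running, and run from an elevated prompt.

```powershell
# Added example (not ABB's or CISA's own tooling): bind the ABB Automation Builder
# Gateway to loopback only by editing Gateway.cfg, restart it, and verify the listener.
# Assumptions not stated by the advisory: Gateway.cfg is INI-style with a
# [CmpGwCommDrvTcp] section, and the gateway runs as a Windows service whose name is
# passed in -ServiceName (the default below is a placeholder). Run elevated.
param(
    [string]$ConfigPath  = "$env:ProgramFiles\ABB\AB2.8\AutomationBuilder\GatewayPLC\Gateway.cfg",
    [string]$ServiceName = 'CODESYSGatewayV3',   # placeholder; confirm with Get-Service
    [int]$Port           = 1217
)

function Get-GatewayListeners {
    param([int]$Port)
    # Every TCP socket listening on the gateway port and the address it is bound to.
    Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Set-GatewayLoopbackOnly {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Gateway.cfg not found at $Path" }
    Copy-Item $Path "$Path.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # keep a backup

    $lines       = Get-Content $Path
    $out         = New-Object System.Collections.Generic.List[string]
    $inSection   = $false
    $sectionSeen = $false
    $keyWritten  = $false

    foreach ($line in $lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') {
            # Leaving the target section without having seen the key: append it there.
            if ($inSection -and -not $keyWritten) { $out.Add('LocalAddress=127.0.0.1'); $keyWritten = $true }
            $inSection = ($Matches[1] -eq 'CmpGwCommDrvTcp')
            if ($inSection) { $sectionSeen = $true }
            $out.Add($line)
            continue
        }
        if ($inSection -and $line -match '^\s*LocalAddress\s*=') {
            $out.Add('LocalAddress=127.0.0.1')   # overwrite whatever address was configured
            $keyWritten = $true
            continue
        }
        $out.Add($line)
    }
    # Target section was the last one in the file and had no LocalAddress key.
    if ($inSection -and -not $keyWritten) { $out.Add('LocalAddress=127.0.0.1') }
    # Section absent entirely: create it rather than silently changing nothing.
    if (-not $sectionSeen) { $out.Add('[CmpGwCommDrvTcp]'); $out.Add('LocalAddress=127.0.0.1') }
    Set-Content -Path $Path -Value $out -Encoding ASCII   # assumes a plain-ASCII cfg file
}

Write-Host "Listeners on port $Port before the change:"
Get-GatewayListeners -Port $Port | Format-Table -AutoSize

Set-GatewayLoopbackOnly -Path $ConfigPath

# The gateway must be restarted for the new LocalAddress to take effect.
if (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue) {
    Restart-Service -Name $ServiceName
} else {
    Write-Warning "Service '$ServiceName' not found; restart the gateway manually."
}
Start-Sleep -Seconds 3

Write-Host "Listeners on port $Port after the change:"
$after = Get-GatewayListeners -Port $Port
$after | Format-Table -AutoSize
# Anything still bound to 0.0.0.0, :: or an adapter address is reachable from the network.
$exposed = $after | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
if ($exposed) { Write-Warning "Gateway port $Port is still bound to a non-loopback address." }
else          { Write-Host "Gateway port $Port is bound to loopback only." }
```

For a second opinion that does not depend on the host's own view, run `Test-NetConnection -ComputerName <gateway-host> -Port 1217` from another machine on the PLC network: it should report `TcpTestSucceeded : False` once the change is in effect.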
The vulnerability carries a CVSS v3.1 base score of 5.3 (MEDIUM), with the vector string `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C`. The attack vector is network-based and requires low complexity, no privileges, and no user interaction, but the impact is limited to a low confidentiality loss with no impact on integrity or availability, which matches an exposure that permits reconnaissance rather than control. The vector also carries temporal metrics (functional exploit code, an official fix available, confirmed report), which bring the temporal score down to 4.9. CISA notes that while the vulnerability has been publicly disclosed, ABB has not received any reports of active exploitation as of the advisory's publication.
This advisory highlights a recurring theme in ICS security: insecure default configurations that expose critical infrastructure to unnecessary risk. The ability for an unauthenticated remote attacker to scan for PLCs, even without direct control, provides valuable intelligence for targeted attacks. Organizations using ABB Automation Builder Gateway should prioritize updating to version 2.9.0 or implementing the recommended configuration change to restrict access to localhost only. CISA also recommends following its published best practices for securing industrial control systems, including physical protection, network segmentation, and minimal port exposure.