VYPR
Advisory · Published May 21, 2026 · 1 source

CISA Warns of UEFI PXE Flaws in ABB B&R Industrial PCs Allowing Remote Code Execution

CISA published an advisory for nine UEFI firmware vulnerabilities in ABB B&R industrial PCs that could let network attackers execute remote code, cause denial of service, or poison DNS caches.

CISA has issued an advisory (ICSA-26-141-02) detailing nine vulnerabilities—tracked as CVE-2023-45229 through CVE-2023-45237—affecting ABB B&R industrial PCs. The flaws reside in the Preboot eXecution Environment (PXE) component of the UEFI firmware, a critical interface used for network booting in industrial environments. With a CVSS v3 base score of 8.3, the vulnerabilities pose a serious risk to energy-sector deployments worldwide.

The affected product line includes a wide range of ABB B&R models: APC4100, APC910, C80, MPC3100, PPC1200, PPC900, APC2200, PPC2200, APC3100, and PPC3100. Each model is impacted by all nine CVEs, which cover out-of-bounds reads, buffer overflows, infinite loops, and use of a cryptographically weak pseudo-random number generator. An attacker with network access could exploit these flaws to execute arbitrary code, trigger denial-of-service conditions, conduct DNS cache poisoning, or extract sensitive information from the device.

ABB has released firmware updates for most affected models. The fixed versions are: APC4100 1.09, C80 1.14, MPC3100 1.24, PPC1200 1.14, PPC900 2.16, APC2200 1.35, PPC2200 1.35, APC3100 1.45, and PPC3100 1.45. However, the APC910 model will not receive a patch. For that device, ABB recommends disabling PXE in the UEFI settings if the functionality is not required, or tightly restricting network traffic to block illegitimate PXE traffic, particularly IPv6.

The vulnerabilities originate from the EDK2 open-source UEFI firmware project, which is widely used across multiple vendors. CVE-2023-45229 involves an out-of-bounds read when processing DHCPv6 Advertise messages, while CVE-2023-45230 is a buffer overflow via a long server ID option in the DHCPv6 client. Other flaws include infinite loops and weak PRNG usage, all of which can be triggered by a network-adjacent attacker without authentication.
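For defenders monitoring boot networks, the following added example (not taken from the CISA advisory, ABB, or EDK2) walks the option list of a DHCPv6 payload and flags the structural anomalies described above: options that run past the end of the message and a Server ID option longer than a DUID can be. The 130-byte ceiling comes from RFC 8415 (2-octet DUID type plus at most 128 octets); the function name `check_dhcpv6` and all sample packets are constructed for illustration.

```python
import struct

ADVERTISE = 2               # DHCPv6 msg-type Advertise (RFC 8415)
OPTION_CLIENTID = 1         # Client Identifier option code
OPTION_SERVERID = 2         # Server Identifier option code
MAX_DUID_OPTION_LEN = 130   # 2-octet DUID type + at most 128 identifier octets
RELAY_TYPES = (12, 13)      # Relay-forward / Relay-reply use a different header


def check_dhcpv6(payload: bytes) -> list:
    """Return findings for one DHCPv6 UDP payload; an empty list means well-formed."""
    if len(payload) < 4:
        return ["truncated header"]
    if payload[0] in RELAY_TYPES:
        return []  # relay messages are out of scope for this sketch
    findings = []
    offset = 4  # 1-octet msg-type + 3-octet transaction-id
    while offset < len(payload):
        remaining = len(payload) - offset
        if remaining < 4:
            findings.append(f"truncated option header at offset {offset}")
            break
        code, length = struct.unpack_from("!HH", payload, offset)
        offset += 4
        if length > len(payload) - offset:
            # Declared length exceeds the bytes actually present in the message.
            findings.append(
                f"option {code} claims {length} bytes, {len(payload) - offset} remain")
            break
        if code == OPTION_SERVERID and not 3 <= length <= MAX_DUID_OPTION_LEN:
            findings.append(
                f"server ID length {length} outside 3..{MAX_DUID_OPTION_LEN}")
        offset += length
    return findings


def _opt(code: int, data: bytes) -> bytes:
    """Encode one option as code, length, data (helper for the samples below)."""
    return struct.pack("!HH", code, len(data)) + data


# Constructed sample payloads (not captured traffic).
HEADER = bytes([ADVERTISE]) + b"\x01\x02\x03"
DUID_LL = b"\x00\x03\x00\x01" + bytes(6)            # DUID-LL over Ethernet
GOOD = HEADER + _opt(OPTION_CLIENTID, DUID_LL) + _opt(OPTION_SERVERID, DUID_LL)
LONG_ID = HEADER + _opt(OPTION_SERVERID, b"\x00\x03" + bytes(300))
TRUNCATED = HEADER + struct.pack("!HH", OPTION_SERVERID, 64) + bytes(8)
```

Feed it the UDP payload of traffic to port 546 on segments where PXE clients boot; any non-empty result on an Advertise is worth alerting on regardless of whether the target firmware is patched.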

CISA's advisory highlights that these systems are deployed in the energy sector globally, making them attractive targets for nation-state actors and industrial espionage groups. The agency urges organizations to apply the firmware updates immediately and, where patching is not possible, to implement the recommended mitigations. Disabling PXE when not in use is the most straightforward defense, as it removes the attack surface entirely.

This advisory follows a pattern of increasing scrutiny on UEFI firmware security, particularly in industrial control systems. Previous disclosures have targeted similar PXE and network boot vulnerabilities in products from other vendors, underscoring the systemic risk posed by shared firmware components like EDK2. Organizations should inventory their ABB B&R assets, prioritize patching, and ensure network segmentation limits exposure of these devices to untrusted traffic.

Synthesized by Vypr AI