
ABB has released a cybersecurity advisory addressing multiple critical vulnerabilities in its FLXeon controllers. These vulnerabilities, tracked as CVE-2024-48841, CVE-2024-48849, and CVE-2024-48852, impact FLXeon firmware versions 9.3.4 and older, with the potential for remote code execution, authentication issues, and information disclosure.
- CVE-2024-48841 (CVSS 10.0): Remote Code Execution (RCE). This vulnerability allows attackers with network access to execute arbitrary code with elevated privileges. ABB highlights that the issue stems from improper control of filenames in PHP include statements, as outlined under CWE-98: “Improper Control of Filename for Include/Require Statement in PHP Programs.” Exploitation could lead to complete system compromise.
- CVE-2024-48849 (CVSS 9.4): Authentication and Authorization Issues. Inadequate session management leaves the devices vulnerable to unauthorized HTTPS requests. Exploitation enables attackers to bypass authentication mechanisms and gain access to restricted resources, where they could manipulate system operations or disrupt normal functionality.
- CVE-2024-48852 (CVSS 9.4): Information Disclosure. Sensitive information could be improperly disclosed through HTTPS access, risking confidentiality. ABB attributes this to CWE-532: “Insertion of Sensitive Information into Log File.” Disclosure of critical data could pave the way for further exploitation.
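The two weakness classes ABB cites, CWE-98 and CWE-532, are generic PHP coding patterns, so the defensive fixes can be shown in a few lines. The block below is an added illustration written for this post; it is not ABB's FLXeon code and says nothing about how the FLXeon firmware is actually structured. The function names, the `pages/` directory, the allowlist entries and the sample log line are all hypothetical. It contrasts an include that takes its filename straight from the request (the CWE-98 shape) with one that maps the request value onto a fixed allowlist and confirms the resolved path stays inside the intended directory, and it adds a small redaction step that scrubs session cookies, bearer tokens and passwords before a message is written to a log (the CWE-532 mitigation).

```php
<?php
// Added example for this post: generic CWE-98 / CWE-532 patterns, not ABB code.
// All names (render_page_unsafe, PAGE_ALLOWLIST, pages/ directory) are hypothetical.

// CWE-98 shape: the caller decides which file is included. Shown only as the
// "before" form to contrast with resolve_page() below; do not use.
function render_page_unsafe(string $page): void
{
    include __DIR__ . '/pages/' . $page . '.php';
}

// Hardened form: untrusted input selects a key, never a path.
const PAGE_ALLOWLIST = [
    'home'   => 'home.php',
    'status' => 'status.php',
    'config' => 'config.php',
];

// Returns an absolute path inside pages/ for a known key, or null otherwise.
function resolve_page(string $page): ?string
{
    if (!array_key_exists($page, PAGE_ALLOWLIST)) {
        return null;                     // unknown key: refuse, do not guess
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . PAGE_ALLOWLIST[$page]);
    // realpath() collapses symlinks and "..", so a prefix check on the result
    // confirms the file really lives under the intended directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    include $path;
}

// CWE-532 mitigation: scrub credentials before anything reaches the log file.
function redact_for_log(string $message): string
{
    $patterns = [
        '/(PHPSESSID=)[^;\s]+/i'                    => '$1[REDACTED]',
        '/(Authorization:\s*Bearer\s+)\S+/i'        => '$1[REDACTED]',
        '/("?password"?\s*[:=]\s*)"?[^",\s]+"?/i'   => '$1[REDACTED]',
    ];
    return preg_replace(array_keys($patterns), array_values($patterns), $message);
}

// Writes a redacted line to the application log; $logfile is hypothetical.
function log_event(string $message, string $logfile = '/tmp/app.log'): void
{
    $line = date('c') . ' ' . redact_for_log($message) . PHP_EOL;
    file_put_contents($logfile, $line, FILE_APPEND | LOCK_EX);
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request line, not a real device log.
    $sample = 'GET /api/status Cookie: PHPSESSID=abc123def456; user=admin password=hunter2';
    echo redact_for_log($sample), PHP_EOL;
}
```

The allowlist approach removes the need to sanitise the path at all: the request value is only ever used as an array key, and the `realpath` prefix check guards the remaining case where an allowlisted file is replaced by a symlink. For logging, redacting at the single choke point that writes the line is more reliable than expecting every call site to remember which fields are secret.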
ABB emphasizes that FLXeon devices are not designed to be internet-facing and should be protected behind firewalls. “In order to exploit an FLXEON, an attacker would need a misconfigured system,” clarifies the advisory. ABB strongly advises customers to upgrade to firmware version 9.3.5 to mitigate these risks.