[Control systems] ABB security advisory (AV26-580)
Analysis Summary
# Vulnerability: XZ Utils Backdoor Impacting B&R Products
## CVE Details
- **CVE ID:** CVE-2025-31115
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-506 (Embedded Malicious Code)
## Affected Systems
- **Products:** Various B&R / ABB Industrial Control Terminals and Automation Controllers.
- **Versions:**
  - PPC3100: versions prior to 1.8.1
  - C50: versions prior to 1.8.0
  - C80: versions prior to 1.8.0
  - FT50: versions prior to 1.8.1
  - MT50: versions prior to 1.8.1
  - T30: versions prior to 1.8.0
  - T80: versions prior to 1.8.0
  - T50: versions prior to 1.8.1
- **Configurations:** Systems utilizing vulnerable builds of the Linux-based firmware containing the XZ Utils library.
## Vulnerability Description
This vulnerability stems from the integration of a malicious backdoor discovered in the `liblzma` library (part of the XZ Utils package). The backdoor was designed to intercept and modify data processed by the library, specifically targeting the SSH daemon (`sshd`) to allow unauthorized remote code execution (RCE) by bypassing authentication under specific conditions.
## Exploitation
- **Status:** Not currently reported as exploited in the wild for these specific ABB/B&R implementations; however, the underlying vulnerability is globally documented.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** Total
- **Integrity:** Total
- **Availability:** Total
## Remediation
### Patches
ABB/B&R has released firmware updates to replace the compromised XZ Utils components. Users should upgrade to the following versions or later:
- **PPC3100:** Upgrade to v1.8.1
- **C50 / C80 / T30 / T80:** Upgrade to v1.8.0
- **FT50 / MT50 / T50:** Upgrade to v1.8.1
### Workarounds
- Ensure industrial control systems are isolated from the public internet.
- Implement strict firewall rules to limit SSH access to known, trusted management stations only.
- Disable unused services and ports on the affected controllers.
## Detection
- **Indicators of Compromise:** Look for unusual SSH login attempts or unauthorized binary modifications in the firmware environment.
- **Detection methods and tools:** Utilize vulnerability scanners updated with the latest definitions for CVE-2025-31115 to identify vulnerable firmware versions within the asset inventory.
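Asset-inventory checks of this kind reduce to comparing each device's firmware version against the fixed release for its product. The script below is an added example written for this page; it is not ABB/B&R tooling and it does not talk to any device. The fixed-version table is taken from the Remediation section above, and the inventory rows (asset tags, the unlisted product name `OTHER-DEVICE`, the string `unknown`) are constructed sample data. Versions are compared numerically so that a build such as 1.10.0 is correctly treated as newer than 1.8.1, which a plain string comparison would get wrong.

```python
"""Flag inventory entries running pre-fix firmware for the products named in
the advisory. Added example, not ABB/B&R code; the inventory is constructed."""
from __future__ import annotations

from typing import NamedTuple

# Minimum fixed firmware version per product (from the Remediation section).
FIXED_VERSIONS = {
    "PPC3100": "1.8.1",
    "C50": "1.8.0",
    "C80": "1.8.0",
    "FT50": "1.8.1",
    "MT50": "1.8.1",
    "T30": "1.8.0",
    "T80": "1.8.0",
    "T50": "1.8.1",
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.8.1' (optionally prefixed with 'v') into a comparable tuple (1, 8, 1)."""
    v = v.strip().lstrip("vV")
    parts = v.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, version: str) -> bool | None:
    """True if the firmware is older than the fixed release, False if fixed or
    newer, None if the product is not in the advisory's affected list."""
    fixed = FIXED_VERSIONS.get(product.upper())
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


class Finding(NamedTuple):
    asset: str
    product: str
    version: str
    fixed: str  # version to upgrade to, or "UNPARSEABLE" for unreadable entries


def audit(inventory: list[tuple[str, str, str]]) -> list[Finding]:
    """Return one Finding per asset that needs attention: pre-fix firmware on a
    listed product, or a listed product whose version string cannot be parsed
    (those need a manual check rather than being silently skipped)."""
    findings = []
    for asset, product, version in inventory:
        if product.upper() not in FIXED_VERSIONS:
            continue  # not in the advisory's affected list
        try:
            vulnerable = is_vulnerable(product, version)
        except ValueError:
            findings.append(Finding(asset, product, version, "UNPARSEABLE"))
            continue
        if vulnerable:
            findings.append(Finding(asset, product, version, FIXED_VERSIONS[product.upper()]))
    return findings


# Constructed sample inventory: (asset tag, product, firmware version).
INVENTORY = [
    ("hmi-line1-01", "T50", "1.7.9"),        # pre-fix
    ("hmi-line1-02", "T50", "v1.8.1"),       # fixed
    ("ctl-packaging", "C80", "1.8.0"),       # fixed
    ("ctl-press-03", "PPC3100", "1.8.0"),    # pre-fix (PPC3100 needs 1.8.1)
    ("hmi-lab", "MT50", "1.10.0"),           # newer than 1.8.1, fixed
    ("gw-remote", "OTHER-DEVICE", "2.1.0"),  # constructed, not in the list
    ("hmi-spare", "FT50", "unknown"),        # unreadable version, needs review
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f.asset}: {f.product} {f.version} -> upgrade to {f.fixed}")
```

Running the script on the sample inventory reports `hmi-line1-01`, `ctl-press-03` and `hmi-spare`; entries for products outside the advisory are ignored, and an unreadable version on a listed product is surfaced rather than treated as safe.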
## References
- **ABB Advisory:** hxxps[://]global[.]abb/group/en/technology/cyber-security/alerts-and-notifications
- **B&R Specific Advisory (PDF):** hxxps[://]br-cws-assets[.]de-fra-1[.]linodeobjects[.]com/SA26P009-b2b4dd6d[.]pdf
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-abb-security-advisory-av26-580