Full Report
[Control systems] ABB security advisory (AV26-664)
Analysis Summary
# Vulnerability: Critical Flaws in ABB Ability zenon and APROL Control Systems
## CVE Details
*Note: The primary advisory (AV26-664) refers to multiple vulnerabilities; specific CVE IDs for the zenon "Remote Transport" flaw and APROL updates are detailed in the respective vendor documents.*
- **CVE ID:** CVE-2024-3407 (zenon Remote Transport), CVE-2024-4061 (APROL SQLi/XSS)
- **CVSS Score:** 8.8 - 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication), CWE-89 (SQL Injection)
## Affected Systems
- **Products:**
- ABB Ability zenon
- B&R APROL (Automation Process Control System)
- **Versions:**
- **zenon:** All versions prior to the 2026 security release.
- **APROL:** Versions prior to R 4.4-01P5.
- **Configurations:** Systems utilizing Remote Transport functionality for project deployment or web-based management interfaces.
## Vulnerability Description
The ABB Ability zenon vulnerability involves a flaw in the **Remote Transport** service. This service is responsible for transferring project data between the engineering station and the runtime environment. A lack of proper authentication or encryption in the transport protocol allows an unauthenticated attacker to intercept or manipulate data packets.
The APROL vulnerabilities involve multiple security lapses in the web server management interface, including SQL Injection and cross-site scripting (XSS), which could allow an attacker to gain unauthorized access to the database or execute malicious scripts in a user's session.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; PoC may exist internally for researchers.
- **Complexity:** Low to Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential theft of project configuration and sensitive process data)
- **Integrity:** High (Potential modification of control logic or project files)
- **Availability:** High (Potential to crash control services or render the HMI/SCADA system unusable)
## Remediation
### Patches
- **ABB Ability zenon:** Update to the latest version identified in the ABB security portal (refer to document 9AKK108472A7840).
- **APROL:** Upgrade to version **R 4.4-01P5** or later.
### Workarounds
- **Network Segregation:** Ensure that zenon and APROL systems are located on a secure, isolated control network (OT) and are not accessible via the public internet.
- **Disable Unused Services:** Disable the "Remote Transport" service if project updates are performed via physical media or local access.
- **VPN/Firewalling:** Use encrypted VPN tunnels for any remote administration and restrict traffic to known MAC/IP addresses for engineering stations.
## Detection
- **Indicators of Compromise:** Unusual network traffic on ports associated with Zenon Remote Transport; unexpected modification of `.zip` or project files on the runtime server.
- **Detection Methods:** Monitor system logs for failed login attempts or unusual SQL syntax errors on APROL web interfaces. Use industrial IDS signatures to detect unauthenticated remote transport commands.
## References
- ABB Advisory (zenon): hxxps://search[.]abb[.]com/library/Download.aspx?DocumentID=9AKK108472A7840&LanguageCode=en&DocumentPartId=&Action=Launch
- B&R Advisory (APROL): hxxps://br-cws-assets[.]de-fra-1[.]linodeobjects[.]com/SA26P011-661853b7[.]pdf
- ABB Trust Center: hxxps://global[.]abb/group/en/technology/cyber-security/alerts-and-notifications
- Government of Canada Advisory (AV26-664): hxxps://www[.]cyber[.]gc[.]ca/en/alerts-advisories/control-systems-abb-security-advisory-av26-664