IM
IronMonkey Threat Research
‹ Back to ICS Advisories

Security Issues addressed in APROL R 4.4-01P5

CRITICAL
CVSS 9.8
Date 2026-07-06T00:30:00+00:00
Source abb-psirt
Published by ABB PSIRT

// Description

An update is available that resolves several vulnerabilities and updates one or more 3rd party components in the product versions listed as affected in the advisory. An attacker who successfully exploited these vulnerabilities could impact the availability of the product, spoof identities or elevate privileges.

// Vulnerabilities (6)

CVE ID CVSS Score Severity Description
CVE-2026-6900 7.4 high
CVE-2026-6900. An Improper Certificate Validation vulnerability in the LDAP Server Connector used in APROL version prior to R 4.4-01P5 may allow network-based attackers to conduct adversary -in-the-middle attacks causing information disclosure or identity spoofing.
CVE-2024-52317 6.5 medium
CVE-2024-52317. Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the re-quest and response used by HTTP/2 requests could lead to request and/or response mix-up between users
CVE-2024-50379 9.8 critical
CVE-2024-50379. Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case-insensitive file systems when the default servlet is enabled for write (non-default configuration)
CVE-2026-6901 7.7 high
CVE-2026-6901. An Untrusted Search Path vulnerability in the webserver used in APROL version prior to R 4.4-01P5 may allow authenticated local attackers to elevate their privileges.
CVE-2024-54677 5.3 medium
CVE-2024-54677. Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service due to lacking data upload limits
CVE-2024-56337 9.8 critical
CVE-2024-56337. Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. The previous mitigation for CVE-2024-50379 was incomplete, permitting an RCE on case insensitive file systems when the default servlet is enabled for write

// Remediations (3)

Mitigation: Refer to section “General security recommendations” for further advise on how to keep your system se
Refer to section “General security recommendations” for further advise on how to keep your system secure.
Workaround: Remove or replace all wildcard AliasMatch directives in the Apache configuration file For example,
Remove or replace all wildcard AliasMatch directives in the Apache configuration file For example, replace: AliasMatch ^/(.*)/PROJECTS/(.*)/WEB/(.*)/DOCS/(.*) "/home/$1/ENGIN/PROJECTS/$2/WEB/$3/DOCS/$4" with: AliasMatch ^/<systemname>/PROJECTS/<projectname>/WEB/(.*)/DOCS/(.*) "/home/<systemname>/PROJECTS/<projectname>/WEB/$1/DOCS/$2"
Patch: The problem is corrected in the following product versions: - APROL >= R 4.4-01P5 B&R recommends th
The problem is corrected in the following product versions: - APROL >= R 4.4-01P5 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.

// References