Executive Summary
In February 2026, ABB disclosed a vulnerability (CVE-2024-41975) in its Automation Builder Gateway for Windows, affecting versions prior to 2.9.0. The gateway, by default, listens on all network adapters on port 1217, allowing unauthenticated remote access. This configuration enables attackers to scan for connected Programmable Logic Controllers (PLCs). While PLC user management typically prevents unauthorized access, if disabled, attackers could potentially interact with the PLCs. ABB addressed this issue in version 2.9.0 by restricting the gateway's default access to local connections. (cisa.gov)
This incident underscores the critical importance of secure default configurations in industrial control systems. As cyber threats targeting operational technology environments increase, organizations must ensure that default settings do not expose systems to unnecessary risks. Regularly updating software and reviewing default configurations are essential steps in mitigating such vulnerabilities.
Why This Matters Now
The rise in cyber threats targeting industrial control systems highlights the urgency for organizations to secure default configurations and promptly apply software updates to prevent unauthorized access and potential operational disruptions.
Attack Path Analysis
Because the ABB Automation Builder Gateway's default configuration listens on all network adapters (TCP port 1217), an unauthenticated attacker with network reachability to the host could connect to the gateway remotely. That access would allow the attacker to enumerate the PLCs connected through the gateway. If PLC user management were disabled, the attacker could then gain unauthorized control over those PLCs, potentially leading to further compromise of the control network.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker could remotely reach the ABB Automation Builder Gateway because its default configuration listens on all network adapters rather than only on local connections.
Related CVEs
CVE-2024-41975
CVSS 5.3
The ABB Automation Builder Gateway for Windows listens on all network adapters by default, allowing unauthenticated remote attackers to scan for connected PLCs. While direct access to PLCs is prevented by user management, if this is disabled, attackers could gain unauthorized access.
Affected Products:
ABB Automation Builder Gateway for Windows – versions prior to 2.9.0
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Valid Accounts
Network Service Scanning
External Remote Services
Remote Services
Boot or Logon Initialization Scripts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that all system components are protected from known vulnerabilities by installing applicable security patches
Control ID: 7.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Ensure strong authentication and authorization mechanisms
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
ABB Automation Builder Gateway vulnerability exposes PLC networks to unauthorized scanning, compromising manufacturing process control and operational technology security across automated facilities.
Chemical
Critical infrastructure vulnerability in PLC gateway systems threatens chemical process control networks, potentially enabling unauthorized access to production systems and safety controls.
Oil/Energy/Solar/Greentech
Energy sector PLC networks face scanning and reconnaissance risks through unsecured gateway defaults, threatening operational technology isolation and industrial control system integrity.
Utilities
Water and wastewater utilities using ABB automation systems vulnerable to network reconnaissance attacks, compromising critical infrastructure protection and operational technology segmentation.
Sources
- ABB Automation Builder Gateway for Windows (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-04 (Verified)
- ABB Automation Builder Gateway for Windows with insecure defaults (ABB): https://library.e.abb.com/public/ab7a701952c14946b9840a81f2e1897f/3ADR011525%20Automation%20Builder%20-%20Gateway%20with%20insecure%20defaults.pdf (Verified)
- CVE-2024-41975 Detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2024-41975 (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit default configurations and move laterally within the network, thereby reducing the potential blast radius.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit default configurations would likely be constrained, reducing unauthorized access opportunities.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely be constrained, reducing unauthorized control over critical systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network would likely be constrained, reducing the risk of further system compromises.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels would likely be constrained, reducing persistent access risks.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data would likely be constrained, reducing data loss risks.
The attacker's ability to disrupt operations would likely be constrained, reducing the potential impact on critical systems.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems
- SCADA Operations
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of PLC network configurations and connected device information.
Recommended Actions
Key Takeaways & Next Steps
- Restrict the ABB Automation Builder Gateway to listen only on local network adapters to prevent unauthorized remote access.
- Ensure robust user management is enabled on all PLCs to prevent unauthorized control.
- Implement network segmentation to limit lateral movement opportunities for attackers.
- Deploy intrusion detection systems to monitor for unauthorized access attempts.
- Regularly update and patch systems to address known vulnerabilities.
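The first action above (confirming the gateway only listens locally) can be checked directly on the Windows host. The following script is an added example, not ABB's or CISA's code: it parses `netstat -ano` output and flags any TCP listener on port 1217 that is bound to a non-loopback address, which is the insecure pre-2.9.0 default. The `netstat` sample embedded below is constructed for illustration.

```python
"""Flag ABB Automation Builder Gateway listeners (TCP 1217) that are bound to
non-loopback addresses, i.e. reachable from the network rather than only locally.

Input is the text of `netstat -ano` on Windows. The sample below is constructed
for illustration; run the function on real output from the gateway host."""
import ipaddress

GATEWAY_PORT = 1217  # default port used by the ABB Automation Builder Gateway


def parse_local_address(local):
    """Split a netstat local address such as '0.0.0.0:1217' or '[::]:1217'
    into (ip_address, port)."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]")
    return ipaddress.ip_address(host), int(port)


def exposed_listeners(netstat_output, port=GATEWAY_PORT):
    """Return LISTENING sockets on `port` whose bind address is not loopback.
    A wildcard bind (0.0.0.0 or ::) means the service answers on all adapters."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Windows netstat prints TCP rows as: Proto Local Foreign State PID
        if len(fields) < 5 or fields[0] != "TCP":
            continue
        proto, local, _remote, state, pid = fields[:5]
        if state != "LISTENING":
            continue
        ip, bound_port = parse_local_address(local)
        if bound_port != port or ip.is_loopback:
            continue  # loopback-only binds are the hardened 2.9.0 behaviour
        scope = "all adapters" if ip.is_unspecified else "interface " + str(ip)
        findings.append({"proto": proto, "bind": str(ip), "pid": int(pid), "scope": scope})
    return findings


# Constructed sample: wildcard IPv4/IPv6 binds on 1217 plus a loopback-only one.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1217           0.0.0.0:0              LISTENING       4321
  TCP    127.0.0.1:1217         0.0.0.0:0              LISTENING       4321
  TCP    [::]:1217              [::]:0                 LISTENING       4321
  TCP    192.168.10.5:1217      192.168.10.77:50112    ESTABLISHED     4321
"""

if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{f['proto']} {f['bind']}:{GATEWAY_PORT} (pid {f['pid']}) listens on {f['scope']}")
```

A host whose only port-1217 listener is bound to 127.0.0.1 returns an empty list; any other result means the gateway is still reachable from the network and the 2.9.0 update or a local-only bind should be applied.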