Executive Summary
In May 2026, ABB disclosed a critical vulnerability in its EIBPORT V3 KNX and KNX GSM devices, versions prior to 3.9.2. The flaw, identified as CVE-2021-22291, is a cross-site scripting (XSS) vulnerability that could allow attackers to access sensitive information and alter device configurations. ABB has released firmware updates to address this issue and recommends immediate application to mitigate potential risks.
This incident underscores the persistent threat of web-based vulnerabilities in industrial control systems, emphasizing the need for continuous monitoring and timely patch management to protect critical infrastructure from evolving cyber threats.
Why This Matters Now
The disclosure of CVE-2021-22291 highlights the ongoing risks associated with web-based vulnerabilities in industrial control systems, emphasizing the urgency for organizations to implement robust security measures and promptly apply patches to safeguard critical infrastructure.
Attack Path Analysis
An attacker exploited a cross-site scripting (XSS) vulnerability in ABB EIBPORT devices to steal session IDs, gaining unauthorized access. With the stolen session IDs, the attacker escalated privileges to access sensitive device configurations. The attacker then moved laterally to other devices within the network by leveraging the compromised EIBPORT device. Establishing command and control, the attacker maintained persistent access to the network. Sensitive information was exfiltrated from the compromised devices. Finally, the attacker altered device configurations, potentially disrupting operations.
Kill Chain Progression
Initial Compromise
Description
An attacker exploited a cross-site scripting (XSS) vulnerability in ABB EIBPORT devices to steal session IDs, gaining unauthorized access.
Related CVEs
CVE-2024-13967
CVSS 8.8Session management failure in ABB EIBPORT V3 KNX and V3 KNX GSM allows unauthorized access to the configuration web page.
Affected Products:
ABB EIBPORT V3 KNX – < 3.9.8
ABB EIBPORT V3 KNX GSM – < 3.9.8
Exploit Status:
no public exploitCVE-2021-22291
CVSS 8Reflected cross-site scripting vulnerability in ABB EIBPORT V3 KNX and V3 KNX GSM allows attackers to obtain session IDs.
Affected Products:
ABB EIBPORT V3 KNX – < 3.9.2
ABB EIBPORT V3 KNX GSM – < 3.9.2
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
JavaScript
Valid Accounts
Credentials in Files
Web Protocols
Disable or Modify Tools
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Cross-site scripting (XSS) prevention
Control ID: 6.5.7
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Application Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Construction
Building automation systems like ABB EIBPORT are critical infrastructure vulnerable to session hijacking attacks enabling unauthorized device access and configuration changes.
Real Estate/Mortgage
Commercial building management systems face cross-site scripting vulnerabilities allowing attackers to compromise HVAC, lighting, and security control systems without authentication.
Facilities Services
KNX-based building automation platforms require immediate firmware updates to prevent unauthorized access to sensitive building control systems and configuration data.
Utilities
Critical infrastructure sectors using building management systems must implement network segmentation and firewall protections against remote exploitation of control devices.
Sources
- ABB EIBPORThttps://www.cisa.gov/news-events/ics-advisories/icsa-26-148-03Verified
- EIBPORT Session Management Failhttps://library.e.abb.com/public/1e16fbae05ac4d4f9416dfc6d63f142c/ABBVREP0049_R9120_Advisory_EIB_Port_Session_Mgm_Fail_2025.pdfVerified
- EIBPORT Reflected XSShttps://library.e.abb.com/public/00ec4c9896474836a29a814365e1ddfe/9AKK108471A7808_en_pdf_A_Advisory%20EIBPort%20Reflected%20XSS.pdfVerified
- NVD - CVE-2024-13967https://nvd.nist.gov/vuln/detail/CVE-2024-13967Verified
- NVD - CVE-2021-22291https://nvd.nist.gov/vuln/detail/CVE-2021-22291Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Implementing Aviatrix Zero Trust CNSF would likely have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial unauthorized access may have been limited by enforcing strict identity-aware controls, reducing the scope of potential exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained by implementing strict segmentation policies, reducing unauthorized access to sensitive configurations.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been restricted by monitoring and controlling east-west traffic, reducing the ability to compromise additional devices.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels could have been detected and disrupted by providing comprehensive visibility and control across multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been hindered by enforcing strict egress policies, reducing unauthorized data transfers.
The attacker's ability to alter device configurations could have been constrained by enforcing strict access controls and segmentation, reducing the potential for operational disruptions.
Impact at a Glance
Affected Business Functions
- Building Automation Control
- Facility Management
Estimated downtime: N/A
Estimated loss: N/A
Potential unauthorized access to building automation system configurations and sensitive information stored within the device.
Recommended Actions
Key Takeaways & Next Steps
- • Implement inline intrusion prevention systems (IPS) to detect and block XSS attacks.
- • Enforce zero trust segmentation to limit lateral movement within the network.
- • Utilize egress security and policy enforcement to monitor and control outbound traffic.
- • Deploy threat detection and anomaly response mechanisms to identify and respond to suspicious activities.
- • Regularly update and patch devices to mitigate known vulnerabilities.
