ABB Gateway Vulnerability Exposes PLCs to Remote Scanning

Default remote access settings in ABB Automation Builder Gateway allow unauthenticated attackers to discover industrial control systems.

Summary

  • ABB’s Automation Builder Gateway for Windows listens on TCP port 1217 on all network adapters by default, so the PLCs behind it can be discovered from the network
  • Unauthenticated attackers can scan for PLCs across networks; access to the controllers themselves still requires authentication unless user management has been disabled on the PLC
  • Affected deployments span critical infrastructure sectors worldwide, including chemical, energy, critical manufacturing and water

A vulnerability in ABB’s Automation Builder Gateway for Windows allows unauthenticated attackers to remotely discover programmable logic controllers (PLCs) across industrial networks, CISA reported.

The gateway software, which brokers communication between engineering clients and AC500 PLCs, binds port 1217 on every available network adapter by default. That exposes the gateway to any host that can reach the Windows machine, even in deployments where only clients on that same machine need to use it.

“By default, the gateway listens on all available network adapters on port 1217 and can therefore be accessed remotely,” CISA stated in its advisory. “However, remote access to the gateway is only required in certain network configurations.”

Attack Vector and Limitations

The vulnerability, tracked as CVE-2024-41975, carries a CVSS score of 5.3. An attacker who can reach port 1217 can use the default configuration to enumerate the PLCs behind the gateway on an otherwise restricted network, without authenticating to the gateway.

Discovery is not the same as control: access to the controllers themselves is still guarded by the PLC’s user management. That safeguard only holds where user management is enabled; on PLCs where it has been disabled, a reachable gateway gives an attacker a path to the controller.

The gateway can be installed as a standalone application or together with other products, including the CODESYS Development System V3 and the CODESYS OPC DA Server, so an inventory of exposed hosts needs to cover both installation routes.

Affected Systems and Scope

The vulnerability affects ABB Automation Builder Gateway versions prior to 2.9.0. ABB has released version 2.9.0 to address the security flaw.

CISA identifies the impact across multiple critical infrastructure sectors including chemical facilities, critical manufacturing, energy systems, and water treatment plants. The affected systems are deployed globally, with ABB headquartered in Switzerland.

Vendor Response

ABB discovered the vulnerability internally and has published mitigation guidance for organisations that do not need remote access to the gateway: set the “LocalAddress” entry in the gateway’s configuration file so that the gateway binds only to the local adapter rather than to all of them, then restart the gateway service for the change to take effect.

Why It Matters

This vulnerability highlights configuration management risks in industrial control systems that CISOs must address in operational technology environments. Default remote access settings create unnecessary attack surface for critical infrastructure systems.

For CISOs overseeing industrial environments, this represents both immediate remediation requirements and broader governance questions about OT security baselines and vendor configuration reviews.

What To Do Now

  • If remote access to the gateway is not required, set “LocalAddress” in the [CmpGwCommDrvTcp] section of the gateway configuration file so the gateway binds only to the local adapter
  • Restart the gateway service after changing the configuration
  • Verify the change took effect: in the output of netstat on the gateway host, port 1217 should no longer be listening on all adapters (0.0.0.0 or [::])
  • Update to ABB Automation Builder Gateway version 2.9.0 or later
  • Confirm that user management is enabled on every AC500 PLC reachable through the gateway, since that is the only control left once the gateway itself can be reached
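As an added check that is not part of the CISA advisory or of ABB’s own tooling, the following Python script audits a gateway host offline against the two conditions above: whether the configuration restricts the listener to a loopback address, and whether anything is still listening on port 1217 on a non-loopback address according to netstat. The [CmpGwCommDrvTcp] section and the LocalAddress key come from the advisory; the file name Gateway.cfg, the INI-style syntax and the loopback value 127.0.0.1 are assumptions, and the sample configuration and netstat lines are constructed for illustration rather than captured from a real system.

```python
"""Audit a Windows host running ABB Automation Builder Gateway for the
CVE-2024-41975 exposure (gateway bound to all adapters on TCP 1217).

Added example, not ABB's or CISA's code. Assumptions: the configuration file
(assumed name: Gateway.cfg) is INI-style, the [CmpGwCommDrvTcp] section holds
a LocalAddress key, and a loopback value such as 127.0.0.1 restricts the
listener to local clients.
"""
import configparser
import ipaddress
import re
import sys

GATEWAY_PORT = 1217
SECTION = "CmpGwCommDrvTcp"
KEY = "LocalAddress"


def audit_config(cfg_text: str) -> dict:
    """Classify the LocalAddress setting in the gateway configuration text.

    Returns {'status': 'exposed' | 'local_only' | 'unknown',
             'local_address': str or None, 'reason': str}.
    No LocalAddress at all is the shipped default and counts as exposed.
    """
    # Config files may open with comments or keys before the first section
    # header; give configparser a dummy section so it does not reject them.
    if not cfg_text.lstrip().startswith("["):
        cfg_text = "[__top__]\n" + cfg_text
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    if not parser.has_option(SECTION, KEY):
        return {"status": "exposed", "local_address": None,
                "reason": "LocalAddress not set; gateway binds every adapter by default"}
    addr = parser.get(SECTION, KEY).strip()
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return {"status": "unknown", "local_address": addr,
                "reason": "LocalAddress is not a literal IP address; check by hand"}
    if ip.is_loopback:
        return {"status": "local_only", "local_address": addr,
                "reason": "bound to loopback; only clients on this host can reach it"}
    if ip.is_unspecified:
        return {"status": "exposed", "local_address": addr,
                "reason": "wildcard address is equivalent to the default"}
    return {"status": "exposed", "local_address": addr,
            "reason": "bound to a routable adapter address; reachable from the network"}


# One row of "netstat -ano -p tcp" as printed by Windows, e.g.
#   TCP    0.0.0.0:1217           0.0.0.0:0              LISTENING       4312
_NETSTAT_ROW = re.compile(
    r"^\s*TCP\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$",
    re.IGNORECASE,
)


def exposed_listeners(netstat_text: str, port: int = GATEWAY_PORT) -> list:
    """Return [(local_address, pid), ...] for sockets LISTENING on `port`
    that are bound to a non-loopback address (0.0.0.0, [::] or an adapter IP)."""
    hits = []
    for line in netstat_text.splitlines():
        row = _NETSTAT_ROW.match(line)
        if row is None or int(row.group("port")) != port:
            continue
        addr = row.group("addr")
        try:
            ip = ipaddress.ip_address(addr.strip("[]"))  # IPv6 is printed as [::]
        except ValueError:
            continue
        if not ip.is_loopback:
            hits.append((addr, int(row.group("pid"))))
    return hits


# Constructed samples (not real captures) standing in for the two artefacts an
# operator would collect on the gateway host before and after the change.
SAMPLE_CFG_DEFAULT = "[CmpGwCommDrvTcp]\n; no LocalAddress: the shipped default\n"
SAMPLE_CFG_HARDENED = "[CmpGwCommDrvTcp]\nLocalAddress=127.0.0.1\n"
SAMPLE_NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
  TCP    0.0.0.0:1217           0.0.0.0:0              LISTENING       4312
  TCP    [::]:1217              [::]:0                 LISTENING       4312
  TCP    192.0.2.10:49731       192.0.2.20:1217        ESTABLISHED     5120
"""
SAMPLE_NETSTAT_AFTER = (
    "  TCP    127.0.0.1:1217         0.0.0.0:0              LISTENING       4312\n"
)


def main() -> None:
    """Usage: python audit_gateway.py Gateway.cfg netstat.txt
    With no arguments the constructed samples are audited instead."""
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            cfg = f.read()
        with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
            ns = f.read()
        runs = [("host", cfg, ns)]
    else:
        runs = [("before", SAMPLE_CFG_DEFAULT, SAMPLE_NETSTAT_BEFORE),
                ("after", SAMPLE_CFG_HARDENED, SAMPLE_NETSTAT_AFTER)]
    for label, cfg, ns in runs:
        verdict = audit_config(cfg)
        print(f"[{label}] config: {verdict['status']} ({verdict['reason']})")
        for addr, pid in exposed_listeners(ns):
            print(f"[{label}] port {GATEWAY_PORT} listening on {addr} (PID {pid})")


if __name__ == "__main__":
    main()
```

The config check and the socket check are deliberately independent: a LocalAddress edit that has not been followed by a service restart passes the first and fails the second, which is exactly the state the restart step exists to prevent. Run it with the saved Gateway.cfg and the output of `netstat -ano -p tcp` from the gateway host; a clean result is a `local_only` verdict and no listener lines.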
