ABB Freelance AC-series Controllers

Main article: APCS - typical structure

2024: Fix vulnerabilities to take control of controllers

ABB controllers have fixed vulnerabilities discovered by experts from Positive Technologies, which announced this on March 19, 2024. An attacker using them could stop the controllers or intercept control of them.

The company ABB thanked Natalia Tlyapova and Denis Goryushev for finding two vulnerabilities in the Freelance AC 900F and AC 700F controllers. These devices are used in, and in metallurgy chemical industries other areas. Vendor was notified of the threat as part of the responsible disclosure policy and issued an update. ON

AC 900F and AC controllers are 700F used to build distributed control systems (DCS) in plants and are designed to automate large continuous cycle plants. ABB is the global DCS market leader with a 20% share. CVE-2023-0425 and CVE-2023-0426 vulnerabilities (access from Russia via VPN) received the same score of 8.6 on the CVSS v3.1 scale, which means a high level of danger.

Positive Technologies application analysis specialists who discovered the vulnerabilities note that by exploiting these security flaws, an attacker could stop the controllers from working and disrupt the technological process. In addition, by sending a specially crafted packet, an attacker could carry out a remote code execution attack, which would allow him to intercept control of the device.

ABB recommends that Freelance 2016 SP1 RU06, Freelance 2019 SP1 RU02 and Freelance 2019 SP1 FP1 RU03 updates be installed as soon as possible. To mitigate the threat, users can also use the measures described in the security notification (access via VPN).