
ABB Gateway flaw exposes PLC networks to unauthenticated scanning

The vulnerability is real but narrower than it sounds: attackers can enumerate PLCs, not control them, unless PLC user management is already disabled.


Editorial brief

CISA published ICSA-26-132-04 covering CVE-2024-41975 in ABB Automation Builder Gateway for Windows (all versions before 2.9.0). By default, the gateway listens on all network adapters on port 1217, allowing unauthenticated remote attackers to scan for and enumerate connected AC500 PLCs. Actual PLC control requires defeating PLC-level user management separately. ABB scores this CVSS 3.1 Medium (5.3). Fix: upgrade to Automation Builder 2.9.0, which defaults the gateway to local-only access, or manually set LocalAddress=127.0.0.1 in the gateway config file. Sectors affected include Chemical, Critical Manufacturing, Energy, and Water and Wastewater.

The advisory is narrower in impact than the "critical vulnerability" framing in some classifier summaries suggests. CVE-2024-41975 (CWE-1188, insecure default initialization) means the ABB gateway binds to all network adapters on port 1217 rather than localhost alone. That lets unauthenticated network-adjacent or remote attackers discover which PLCs are reachable through the gateway. It does not, by itself, grant control of those PLCs; AC500 PLC user management sits between the gateway and any actual command execution.

The practical risk is reconnaissance and network mapping of OT environments, which is serious enough in sectors like water, energy, and critical manufacturing, where even topology disclosure can inform follow-on targeting.

Who is affected

Any Windows environment running Automation Builder below 2.9.0, including installations where the gateway arrived as a component of the CODESYS Development System V3 or CODESYS OPC DA Server setups rather than a standalone install. That bundled-install path means some operators may not know the gateway is present at all.

What to do

Two options, in order of preference:

  1. Upgrade to Automation Builder 2.9.0. ABB closed the vulnerability by changing the default binding to local-only. Download is available at the ABB site linked in the advisory.
  2. If immediate upgrade is not possible, edit the gateway configuration file (example path for AB 2.8: %ProgramFiles%\ABB\AB2.8\AutomationBuilder\GatewayPLC\Gateway.cfg) and set LocalAddress=127.0.0.1 under [CmpGwCommDrvTcp]. A gateway restart is required for the change to take effect.
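The two checks below are an added example for the defender's side of this advisory, not ABB's or CISA's own code: an audit of the Gateway.cfg setting the workaround in step 2 edits, and a scan of the host's own `netstat -ano` output for the bind-all listener on port 1217 that the brief describes. The section name, key, port and loopback value come from the advisory; the other config keys and the netstat lines are constructed sample data, and the script assumes that an absent LocalAddress key means the pre-2.9.0 bind-all default applies and that the key is spelled exactly as the advisory gives it.

```python
"""Audit the ABB Automation Builder gateway binding described in ICSA-26-132-04.

Two host-side checks (run on the Windows host, or on files copied off it):
  1. Gateway.cfg: is LocalAddress under [CmpGwCommDrvTcp] a loopback address?
  2. 'netstat -ano' output: is anything LISTENING on port 1217 on a
     non-loopback address?
"""
import configparser
import ipaddress
from io import StringIO

GATEWAY_SECTION = "CmpGwCommDrvTcp"  # section named in the advisory workaround
GATEWAY_PORT = 1217                  # default listening port named in the advisory
LOOPBACK = "127.0.0.1"               # value ABB tells operators to set

# Constructed sample of a pre-2.9.0 Gateway.cfg with LocalAddress unset.
# Assumption: an absent LocalAddress means the insecure bind-all default applies.
VULNERABLE_CFG = "[CmpGwCommDrvTcp]\nPort=1217\n"

# Constructed sample of 'netstat -ano' output from an affected host.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:1217           0.0.0.0:0              LISTENING       4812
  TCP    127.0.0.1:49670        127.0.0.1:49671        ESTABLISHED     2160
  UDP    0.0.0.0:500            *:*                                    1120
"""


def _parse_cfg(text):
    # Keep key casing (LocalAddress) and disable % interpolation, since the
    # real file may contain Windows-style %VAR% strings.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def _is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_gateway_cfg(text):
    """Return {'ok', 'value', 'reason'} for the LocalAddress setting in Gateway.cfg."""
    cp = _parse_cfg(text)
    if not cp.has_section(GATEWAY_SECTION):
        return {"ok": False, "value": None,
                "reason": f"section [{GATEWAY_SECTION}] not found"}
    value = cp.get(GATEWAY_SECTION, "LocalAddress", fallback=None)
    if value is None:
        return {"ok": False, "value": None,
                "reason": "LocalAddress unset: pre-2.9.0 default binds every adapter"}
    value = value.strip()
    if not _is_loopback(value):
        return {"ok": False, "value": value,
                "reason": "LocalAddress is not loopback: gateway reachable from the network"}
    return {"ok": True, "value": value, "reason": "gateway restricted to local access"}


def harden_gateway_cfg(text):
    """Return the config text with LocalAddress=127.0.0.1 set (ABB's workaround).

    The gateway must be restarted afterwards for the change to take effect.
    """
    cp = _parse_cfg(text)
    if not cp.has_section(GATEWAY_SECTION):
        cp.add_section(GATEWAY_SECTION)
    cp.set(GATEWAY_SECTION, "LocalAddress", LOOPBACK)
    out = StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


def exposed_gateway_listeners(netstat_text, port=GATEWAY_PORT):
    """Return local addresses LISTENING on `port` that are not loopback."""
    hits = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, lport = fields[1].rpartition(":")
        if lport != str(port):
            continue
        if _is_loopback(host.strip("[]")):  # IPv6 shows as [::1]:1217
            continue
        hits.append(fields[1])
    return hits


if __name__ == "__main__":
    print("config before:", audit_gateway_cfg(VULNERABLE_CFG))
    print("config after: ", audit_gateway_cfg(harden_gateway_cfg(VULNERABLE_CFG)))
    print("exposed listeners:", exposed_gateway_listeners(NETSTAT_SAMPLE))
```

The netstat check matters because the config audit alone cannot tell you whether the running gateway has picked up the edit; run it again after the restart, and treat the workaround as a stopgap until the host is on 2.9.0.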

The workaround is straightforward and low-risk; it limits functionality only if remote gateway access is actually needed in your network configuration. ABB notes that most deployments access the gateway locally and have no operational need for remote binding.

ABB PSIRT self-reported this to CISA, which is worth noting: this came through the vendor's own disclosure process rather than external researcher discovery or incident response.


Deep Fathom