CISA flags nine ABB B&R PC lines; APC910 gets no patch
Nine CVEs cover RCE, DoS, and credential exposure; one affected product line has no fix coming.
Editorial brief
CISA advisory ICSA-26-141-02 covers nine CVEs (CVE-2023-45229 through CVE-2023-45237, CVSS 8.3) in ABB B&R industrial PCs deployed in energy-sector environments worldwide. Vulnerabilities span EDK2 network stack flaws: out-of-bounds reads, DHCPv6 processing errors, infinite loops, and weak PRNG use, all exploitable by a network-adjacent attacker for RCE, DoS, DNS cache poisoning, or data extraction. Patches are available for nine of the ten affected product lines. APC910 (firmware 1.25 and below) receives no patch; operators running that hardware should apply ABB's stated mitigations instead.
The nine CVEs all originate in EDK2's Network Package, the open-source UEFI firmware stack that ABB B&R uses across its panel PC and automation PC lines. The vulnerability class is consistent across all affected products: improper bounds checking during DHCPv6 option processing (IA_NA/IA_TA in Advertise messages), weak pseudo-random number generation, and loop conditions that can be driven to hang. A network-adjacent attacker with access to the device's network segment can exploit these without authentication.
Who is affected
All ten product lines share identical CVE exposure. The patched versions are:
- APC4100: 1.09
- C80: 1.14
- MPC3100: 1.24
- PPC1200: 1.14
- PPC900: 2.16
- APC2200: 1.35 / PPC2200: 1.35
- APC3100: 1.45 / PPC3100: 1.45
APC910 at firmware 1.25 and below is the exception. ABB will not release a patch for this line. Operators should consult the advisory's mitigation section directly; CISA's published text references vendor-specified compensating controls.
Operational context
The affected hardware is deployed in energy-sector critical infrastructure worldwide. The EDK2 origin matters: these are pre-boot network stack flaws, meaning exposure exists at the firmware layer before the operating system is loaded. Conventional endpoint detection tools running on the host OS will not observe exploitation at this layer. Network segmentation and DHCPv6 traffic controls are the practical near-term mitigations for any system that cannot be patched immediately, including all APC910 deployments.
What to do
Apply the vendor-issued firmware updates to all patchable lines now. For APC910, document the compensating controls you are applying and retain that record; if your environment is subject to NERC CIP or similar controls-based requirements, the absence of a vendor patch is a compensating-control scenario that needs formal documentation. Verify that your asset inventory accurately reflects firmware versions across all B&R PC lines before assuming patch status.
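One way to run that inventory check against the fixed versions listed above, as an added example that is not part of the advisory or any ABB tooling. The CSV layout and asset names are constructed, and two assumptions apply: firmware at or above a listed version counts as patched, and versions compare as dotted integers.

```python
import csv
import io

# Fixed firmware versions as listed on this page (from ICSA-26-141-02).
FIXED = {
    "APC4100": "1.09", "C80": "1.14", "MPC3100": "1.24", "PPC1200": "1.14",
    "PPC900": "2.16", "APC2200": "1.35", "PPC2200": "1.35",
    "APC3100": "1.45", "PPC3100": "1.45",
}
# APC910 firmware 1.25 and below is affected and receives no patch.
NO_PATCH = {"APC910": "1.25"}

def parse_version(text):
    """Assumption: firmware versions are dotted integers ('1.09' -> (1, 9))."""
    parts = text.strip().lstrip("vV").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparsable firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(model, firmware):
    """Return 'patched', 'update', 'no-patch' or 'review' for one asset."""
    model = model.strip().upper()
    try:
        current = parse_version(firmware)
    except ValueError:
        return "review"      # blank or malformed inventory entry
    if model in NO_PATCH:
        # Above 1.25 is outside the range this page covers: check manually.
        limit = parse_version(NO_PATCH[model])
        return "no-patch" if current <= limit else "review"
    if model not in FIXED:
        return "review"      # not one of the ten lines listed on this page
    return "patched" if current >= parse_version(FIXED[model]) else "update"

def audit(inventory_csv):
    """Map asset name -> status for a CSV with asset, model, firmware columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["asset"]: classify(r["model"], r["firmware"]) for r in rows}

# Constructed sample inventory (hypothetical asset names and column layout).
SAMPLE = """asset,model,firmware
hmi-01,PPC900,2.16
hmi-02,PPC900,2.15
ctl-01,APC910,1.25
ctl-02,apc3100,1.44
ctl-03,C80,
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Entries marked `review` are the ones where the inventory itself cannot be trusted yet; resolve those before reporting patch status.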
Deep Fathom