
CISA flags nine CVEs in ABB B&R industrial PCs; patch now

APC910 gets no patch; operators of that model need the mitigation guidance, not the update queue.


Editorial brief

CISA advisory ICSA-26-141-02 covers nine CVEs (CVE-2023-45229 through -45237), all rooted in EDK2's network stack, affecting ten ABB B&R PC product lines deployed in energy-sector critical infrastructure worldwide. The CVSS v3 score is 8.3. Exploitation enables remote code execution, DoS, DNS cache poisoning, and sensitive data extraction over the network. Patches are available for nine of the ten affected lines; APC910 will not receive a firmware fix, so operators running that model must apply ABB's mitigation measures instead. All others: update to the versions listed in the advisory.

All nine CVEs share a common root: vulnerabilities in the EDK2 UEFI firmware network package, specifically its DHCPv6 implementation. The flaw classes include out-of-bounds reads, improper memory buffer restrictions, infinite-loop conditions, and use of a cryptographically weak PRNG; together they span the full range from denial of service to confidentiality loss to potential code execution.

All ten product lines carry the same CVE set, which means the exposure is broad across ABB's B&R automation PC portfolio. The affected units are deployed primarily in energy-sector environments worldwide, raising the operational stakes for unpatched systems.

Who needs to act and how

Nine of the ten lines have vendor fixes available. The patched versions are: APC4100 1.09, C80 1.14, MPC3100 1.24, PPC1200 1.14, PPC900 2.16, APC2200 1.35, PPC2200 1.35, APC3100 1.45, and PPC3100 1.45. Update to those versions.

APC910 is the exception. ABB has confirmed no patch will be released for that model. Operators running APC910 should pull ABB's advisory directly for the specified mitigation measures and treat network segmentation and access control as the primary compensating controls in the interim.
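As an added example (not from the advisory, CISA or ABB), a small Python audit that checks an asset inventory against the fixed versions listed above, compares firmware levels numerically rather than as strings, and puts APC910 into a separate mitigation bucket; the hostnames and firmware levels in the sample inventory are constructed.

```python
# Fixed firmware versions named in the advisory (taken from the brief above).
FIXED_VERSIONS = {
    "APC4100": "1.09", "C80": "1.14", "MPC3100": "1.24", "PPC1200": "1.14",
    "PPC900": "2.16", "APC2200": "1.35", "PPC2200": "1.35",
    "APC3100": "1.45", "PPC3100": "1.45",
}
# Affected line with no firmware fix: compensating controls only.
NO_PATCH_MODELS = {"APC910"}


def parse_version(text: str) -> tuple[int, ...]:
    """'1.09' -> (1, 9): compare numerically; as strings '1.9' would outrank '1.14'."""
    return tuple(int(part) for part in text.strip().split("."))


def assess(model: str, firmware: str) -> tuple[str, str]:
    """Return (status, fixed_version) for one asset.

    status is one of: patched, update, mitigate (no fix exists), unknown-model.
    """
    if model in NO_PATCH_MODELS:
        return "mitigate", ""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return "unknown-model", ""
    if parse_version(firmware) >= parse_version(fixed):
        return "patched", fixed
    return "update", fixed


def audit(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Assess (host, model, firmware) rows; assets needing action sort first."""
    order = {"mitigate": 0, "update": 1, "unknown-model": 2, "patched": 3}
    rows = [(host, model, *assess(model, fw)) for host, model, fw in inventory]
    return sorted(rows, key=lambda r: order[r[2]])


# Constructed sample inventory (hostnames and firmware levels are made up).
SAMPLE_INVENTORY = [
    ("hmi-01", "APC4100", "1.10"),   # above 1.09 -> patched
    ("hmi-02", "PPC900", "2.15"),    # below 2.16 -> update
    ("scada-gw", "APC910", "1.20"),  # no fix available -> mitigate
    ("eng-ws", "PPC3100", "1.45"),   # at fixed level -> patched
    ("lab-box", "XYZ-1", "1.0"),     # not in the advisory -> unknown-model
]

if __name__ == "__main__":
    for host, model, status, fixed in audit(SAMPLE_INVENTORY):
        print(f"{host:10} {model:8} {status:14} fixed={fixed or 'n/a'}")
```

Feed it your own (host, model, firmware) rows; anything reported as "unknown-model" should be checked against the advisory by hand rather than assumed safe.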

The underlying EDK2 DHCPv6 vulnerabilities (particularly CVE-2023-45229) are not novel in the ICS space; they have appeared in prior advisories against other vendors using the same firmware base. If your environment runs other EDK2-based embedded systems, this is a prompt to audit that inventory as well.


Deep Fathom