ABB has released an urgent security update for its Ability Camera Connect software after discovering that a set of high-severity vulnerabilities in the embedded VLC media player component could allow attackers to take over industrial camera systems. The flaws, present in versions 1.5.0.15 and earlier, expose critical infrastructure and manufacturing facilities to remote code execution risks.
In June 2024, the Swiss-Swedish automation giant published advisory 1KHL050164 detailing how outdated VLC libraries inherited by the software opened a door to exploitation. The patch, delivered in version 1.5.0.16, addresses seven CVEs—all stemming from the open-source media player bundled with the camera management application.
Industrial control system (ICS) environments rely on ABB Ability Camera Connect to configure, monitor, and manage thousands of network cameras across power plants, oil refineries, and smart manufacturing floors. The software acts as a centralized dashboard for video feeds, and any compromise could grant attackers visual access to sensitive processes or serve as a pivot point to deeper OT network infiltration.
How an Outdated VLC Component Became a Plant Floor Threat
ABB integrates VLC to handle video streaming and format decoding within Camera Connect. The trouble began when researchers at the Open Source Automation Development Lab (OSADL) and other groups uncovered multiple memory corruption flaws in VLC versions prior to 3.0.19. ABB had bundled VLC 3.0.x in its application but failed to update it across recent Camera Connect releases, leaving the door open.
The vulnerabilities—CVE-2023-39383, CVE-2023-47359, CVE-2023-47360, CVE-2023-47361, CVE-2023-47362, CVE-2023-47363, and CVE-2023-47364—range from heap buffer overflows to integer overflows. All can be triggered by tricking a user into opening a specially crafted media file or, in some scenarios, visiting a malicious webpage that feeds malformed video data to the VLC plugin.
In an OT context, a successful exploit could mean an intruder executing arbitrary code with the privileges of the Camera Connect application. Given that many operators run such software on engineering workstations with elevated access, the damage could quickly escalate to affecting programmable logic controllers (PLCs) or SCADA masters.
Affected Versions and Risk Exposure
ABB confirmed that all versions up to and including 1.5.0.15 are impacted. The advisory explicitly lists Ability Camera Connect 1.5.0.14 and earlier, along with 1.5.0.15. No exploits in the wild had been reported at the time of disclosure, but the ease of crafting a malicious media file makes the threat practical.
The CVSS v3.1 base scores for these vulnerabilities sit between 7.8 and 8.8, categorizing them as high severity. The most dangerous vector involves a local attack scenario where an operator is lured into opening a poisoned video file—a routine task for security personnel reviewing camera footage.
ABB’s advisory warns that the software is typically deployed in air-gapped or segmented networks, yet the human element remains the weak link. A USB drive carrying a maintenance video or an email attachment opened on a dual-homed engineering laptop could bypass network isolation.
Patch and Mitigation Steps
ABB responded by releasing Camera Connect 1.5.0.16, which updates the embedded VLC component to version 3.0.19 or later, effectively neutralizing the vulnerabilities. The company urges all customers to apply the update immediately, especially those running systems without strict perimeter defenses.
For organizations unable to patch right away, ABB recommends restricting file opening to trusted sources, disabling automatic preview of video files, and applying strict user account controls on workstations that run Camera Connect. Network-level mitigations include blocking VLC-specific traffic on firewall rules serving OT subnets.
The advisory also lists additional hardening steps: operating system-level exploit protections such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) can reduce exploit reliability, though they are not a substitute for patching.
The OT Software Supply Chain Problem
This incident underscores a growing pain point for operational technology: third-party component risk. ABB did not develop the vulnerable code; it inherited it by bundling open-source software. Yet the responsibility to ship safe updates falls squarely on the vendor.
The lag between VLC patches becoming available and ABB incorporating them into Camera Connect reveals a systemic issue. In IT environments, users can often auto-update standalone applications. In OT, updates are vendor-driven and must pass rigorous regression testing before deployment, slowing the process. The delay can stretch from months to over a year, as seen here with VLC fixes dating back to late 2023.
Cybersecurity authorities like CISA and the UK’s NCSC have repeatedly warned about software supply chain risks in industrial systems. The ABB case is a textbook example: a widely used media library becomes a Trojan horse because its maintenance is overlooked during product lifecycle management.
Asset owners should now press all OT vendors for software bills of materials (SBOMs) to identify similar nested dependencies. Without visibility into what lies beneath the user interface, factory floor computers will remain ticking time bombs.
Lessons for OT Security Teams
Beyond patching, the ABB vulnerability highlights the need for stringent media handling policies in control environments. Operators should treat every video file from external sources as untrusted. Security awareness training must cover the danger of launching media on engineering stations, even for routine tasks like reviewing surveillance footage.
Segmentation remains key. If the Camera Connect workstation cannot reach the corporate network or the internet, the attack surface shrinks dramatically. Yet many sites still attach such machines to dual-homed jump hosts that bridge the gap for convenience, undermining isolation.
Additionally, the event demonstrates why OT vulnerability management must go beyond CVE scanning. A typical scanner might not flag the bundled VLC as a risk because the component resides within a vendor’s application directory. Manual SBOM analysis or behavioral monitoring is necessary.
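The nested-dependency problem described above is easiest to see with an SBOM in hand. The following is an added example, not ABB's or any vendor's tooling: it walks a CycloneDX-style component tree (including components nested inside an application entry, which is where a bundled media library ends up) and flags any VLC component below the 3.0.19 floor the advisory names. The SBOM document embedded in it is constructed for illustration; the component names and the minimum-version table are assumptions based on the article.

```python
"""Walk a CycloneDX-style SBOM and flag bundled components below a fixed version.

Added example (not ABB's or VLC's code). The SBOM below is constructed for
illustration; the component names and the 3.0.19 floor are assumptions taken
from the advisory text.
"""
import json

# Minimum safe versions for components of interest (assumption: VLC >= 3.0.19 per the advisory)
MIN_SAFE = {"vlc": (3, 0, 19), "libvlc": (3, 0, 19)}

def parse_version(text):
    """'3.0.18.1' -> (3, 0, 18, 1); parsing stops at the first non-numeric part."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)

def version_lt(found, required):
    """Compare zero-padded tuples so (3, 0) < (3, 0, 19) and (3, 0, 19, 0) == (3, 0, 19)."""
    n = max(len(found), len(required))
    return found + (0,) * (n - len(found)) < required + (0,) * (n - len(required))

def walk_components(components, path=()):
    """Yield (path, component) for every component, recursing into nested 'components' lists."""
    for comp in components:
        here = path + (comp.get("name", "?"),)
        yield here, comp
        yield from walk_components(comp.get("components", []), here)

def find_outdated(sbom):
    """Return [(path_string, found_version, required_version)] for components below MIN_SAFE."""
    findings = []
    for path, comp in walk_components(sbom.get("components", [])):
        name = comp.get("name", "").lower()
        if name in MIN_SAFE:
            found = parse_version(comp.get("version", "0"))
            required = MIN_SAFE[name]
            if version_lt(found, required):
                findings.append(("/".join(path), comp.get("version"), ".".join(map(str, required))))
    return findings

# Constructed SBOM: a vendor application that nests a media library (sample data, not ABB's real SBOM)
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {
      "type": "application",
      "name": "Camera Connect",
      "version": "1.5.0.15",
      "components": [
        {"type": "library", "name": "VLC", "version": "3.0.18"},
        {"type": "library", "name": "libvlc", "version": "3.0.18.0"},
        {"type": "library", "name": "zlib", "version": "1.3"}
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    for path, found, required in find_outdated(SAMPLE_SBOM):
        print(f"OUTDATED {path}: {found} < {required}")
```

A flat CVE scanner keyed on installed products would see only "Camera Connect 1.5.0.15" here; the recursion into nested components is what surfaces the library underneath it.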
How to Verify the Fix
ABB provides a dedicated download portal for registered users. After installing version 1.5.0.16, administrators can confirm the VLC update by checking the file properties of libvlc.dll in the Camera Connect installation folder—the version should read 3.0.19 or later. ABB’s technical support team can assist with verification scripts.
For facilities with multiple Camera Connect installations, the update must be applied to each. The software does not auto-update, and skipping even one instance leaves a foothold for attackers who might first compromise a less critical node to move laterally.
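Checking the libvlc.dll version on one workstation is a right-click away; checking every installation at a site is where a script earns its keep. The block below is an added example and not ABB's verification script. It reads the VS_FIXEDFILEINFO block that Windows PE files embed in their version resource, so it needs no Windows API and can run from any host that can read the files. The 3.0.19 floor and the libvlc.dll file name come from the article; the install roots are passed on the command line, and the search heuristic (find the 0xFEEF04BD signature shortly after the UTF-16 "VS_VERSION_INFO" key) and the constructed stand-in DLLs used when no roots are given are this script's own assumptions.

```python
"""Audit install trees for libvlc.dll and report whether each copy is at least 3.0.19.

Added example, not ABB's tooling. Pure Python: it parses the VS_FIXEDFILEINFO
structure out of the PE version resource instead of calling Windows APIs.
"""
import os
import struct
import sys
import tempfile

REQUIRED = (3, 0, 19)                       # libvlc.dll must be 3.0.19 or later (advisory text)
FIXEDFILEINFO_SIG = b"\xbd\x04\xef\xfe"    # 0xFEEF04BD little-endian: dwSignature of VS_FIXEDFILEINFO
VERSION_KEY = "VS_VERSION_INFO".encode("utf-16-le")   # szKey that precedes the fixed-info block

def parse_file_version(data):
    """Return (major, minor, build, private) from the VS_FIXEDFILEINFO in a PE image, or None.

    Heuristic (assumption): the signature is accepted only if the VS_VERSION_INFO key
    appears within the 64 bytes before it, which rules out a stray 0xFEEF04BD elsewhere.
    """
    start = 0
    while True:
        pos = data.find(FIXEDFILEINFO_SIG, start)
        if pos < 0:
            return None
        window = data[max(0, pos - 64):pos]
        if VERSION_KEY in window and pos + 16 <= len(data):
            # dwSignature, dwStrucVersion, dwFileVersionMS, dwFileVersionLS
            _sig, _struc, ver_ms, ver_ls = struct.unpack_from("<IIII", data, pos)
            return (ver_ms >> 16, ver_ms & 0xFFFF, ver_ls >> 16, ver_ls & 0xFFFF)
        start = pos + 1

def is_patched(version, required=REQUIRED):
    """True when the found version meets the floor; missing trailing parts count as zero."""
    if version is None:
        return False
    n = max(len(version), len(required))
    padded_found = tuple(version) + (0,) * (n - len(version))
    padded_req = tuple(required) + (0,) * (n - len(required))
    return padded_found >= padded_req

def audit_roots(roots):
    """Locate every libvlc.dll under the roots; return {path: (version_tuple_or_None, patched)}."""
    results = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == "libvlc.dll":
                    path = os.path.join(dirpath, name)
                    with open(path, "rb") as fh:
                        version = parse_file_version(fh.read())
                    results[path] = (version, is_patched(version))
    return results

def make_fake_dll(major, minor, build, private=0):
    """Constructed stand-in for a DLL: an MZ stub, the version key, then a VS_FIXEDFILEINFO block."""
    ver_ms = (major << 16) | minor
    ver_ls = (build << 16) | private
    fixed = struct.pack("<IIII", 0xFEEF04BD, 0x00010000, ver_ms, ver_ls) + b"\x00" * 36
    return b"MZ" + b"\x00" * 62 + VERSION_KEY + b"\x00\x00" + fixed

def build_demo_tree():
    """Constructed install tree with one stale and one updated copy; returns its root path."""
    root = tempfile.mkdtemp()
    for inst, ver in (("site-a", (3, 0, 18)), ("site-b", (3, 0, 19))):
        os.makedirs(os.path.join(root, inst))
        with open(os.path.join(root, inst, "libvlc.dll"), "wb") as fh:
            fh.write(make_fake_dll(*ver))
    return root

if __name__ == "__main__":
    roots = sys.argv[1:] or [build_demo_tree()]   # real install roots, or the constructed demo tree
    for path, (version, ok) in sorted(audit_roots(roots).items()):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{'OK   ' if ok else 'PATCH'}  {path}  libvlc {shown}")
```

Point it at the Camera Connect installation folders (or at administrative shares of several workstations) and anything printed with PATCH still carries the vulnerable component, regardless of what the application's own version dialog reports.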
Moving Forward
ABB’s swift advisory after public VLC disclosures is commendable, but the underlying flaw raises uncomfortable questions. How many other industrial applications bundle outdated open-source components without the operator’s knowledge? The answer likely runs into the thousands.
Regulatory bodies are starting to take notice. The European Union’s Cyber Resilience Act, set to come into force in the coming years, will mandate that digital products have clear vulnerability handling processes and timely patches. Incidents like this will become costlier for vendors who drag their feet.
In the immediate term, OT security teams must treat this as a wake-up call. Patching Camera Connect is urgent, but auditing all third-party software dependencies in industrial hosts is imperative. Only by shining a light into the darkest corners of the software supply chain can plant floor defenses mature beyond perimeter firewalls and into component-level clarity.