CISA has republished ABB’s advisory for CVE-2024-41975, spotlighting a dangerous default configuration in the ABB Automation Builder Gateway for Windows. Before version 2.9.0, the software listens on TCP port 1217 by default—without authentication—exposing PLC discovery functions to anyone who can reach that port over the network. The advisory, originally issued by ABB and now amplified by the U.S. Cybersecurity and Infrastructure Security Agency, urges industrial organizations to patch immediately or face the risk of adversaries mapping their critical control systems.
This isn’t just a theoretical risk. In operational technology environments, a broadcast discovery service that answers queries without verifying the requester hands attackers a blueprint of the industrial network. With that information, they can identify the make, model, and even firmware versions of connected programmable logic controllers, and then launch targeted attacks ranging from reprogramming to denial of service.
What the Vulnerability Unlocks
The ABB Automation Builder Gateway serves as the bridge between engineering workstations and the PLCs, drives, and HMIs on the factory floor or power generation site. It streamlines project management, code deployment, and device commissioning. But its default behavior for the discovery protocol on port 1217 was never meant to be exposed to untrusted networks. Any remote system that sends a discovery request to the gateway receives a response containing details about all recognized devices.
According to the ABB advisory, the gateway replies to unauthenticated discovery requests with a list that can include:
- IP addresses and MAC addresses of PLCs
- Device types and firmware revisions
- Project names and network topology hints
- Status information indicating whether a controller is in run, stop, or program mode
An attacker who gains access to this data can build a complete asset inventory, choose the most vulnerable or valuable controller, and then weaponize other exploits or misconfigurations. Because port 1217 is often not filtered by plant firewalls that prioritize IT-OT segmentation, the exposure is frequently reachable from the corporate network or even the internet if a misconfigured VPN or remote access solution is in place.
Affected Products and Version Timeline
The vulnerability is present in all releases of ABB Automation Builder Gateway for Windows earlier than version 2.9.0. ABB addressed the flaw in version 2.9.0, which changes the default listening behavior to bind only to the localhost interface, effectively preventing remote exploitation out of the box. However, administrators must still verify that the update has been applied, because in-place upgrades at many industrial sites lag months—sometimes years—behind vendor releases.
CVE-2024-41975 was reserved in summer 2024 and disclosed privately to ABB through its product security response team. ABB published its own advisory shortly after developing a fix, and CISA subsequently listed it in its dedicated Industrial Control Systems Advisory repository. The republication on May 12, 2026, signals that CISA continues to see unpatched installations in the field and considers the vulnerability a persistent threat to critical infrastructure.
| Component | Impacted Scope |
|---|---|
| ABB Automation Builder Gateway for Windows | All versions before 2.9.0 |
| Default port | TCP 1217 (listens on all network interfaces) |
| Protocol | Proprietary ABB discovery protocol |
| Authentication | None required for discovery responses |
| Remediation | Upgrade to version 2.9.0 or later |
How the Attack Works
Exploiting CVE-2024-41975 requires no special tools beyond a basic TCP client. An attacker simply connects to port 1217 on a target Windows machine running the gateway and sends a discovery request packet. The gateway responds with a structured data payload that lists every ABB controller it has discovered on the local network segment. Because no handshake or challenge-response mechanism is in place, even a single UDP or TCP probe can yield the full reply.
In practice, a penetration tester or malicious actor might do the following:
1. Scan the corporate or guest network for hosts with port 1217 open.
2. Send a crafted discovery request (often just a few bytes matching the protocol header).
3. Parse the response to extract IP addresses, device names, and status flags.
4. Cross-reference the data with publicly known exploits for those firmware versions.
5. Pivot into the OT network using stolen credentials, unpatched remote access, or engineering workstation compromise.
The information-disclosure nature of the bug means it is often used as a reconnaissance step in a larger attack chain. Once the attacker knows which PLCs are present, they can download unencrypted logic from an exposed controller, alter it, and upload a malicious version that disrupts physical processes.
Why Industrial Defaults Matter
Industrial software traditionally assumed a physically isolated network. Developers enabled broad discovery services because engineers needed to see all devices from their laptop without navigating complex firewalls. That design choice collides head-on with modern architectures where IT and OT are converged, remote maintenance is done over VPN, and cloud analytics platforms require continuous connectivity.
Leaving a discovery port open by default on a Windows machine that likely also runs other business applications magnifies the attack surface. It turns a single engineering workstation into a pivot point that bridges the IT and OT domains. Worse, many site administrators don’t realize the gateway is listening externally because the installer never prompts for network configuration during setup.
ABB is not alone—similar default-services vulnerabilities have been found in products from Rockwell Automation, Siemens, and Schneider Electric. But each instance reinforces the need for asset owners to adopt a “least functionality” approach and perform configuration reviews, not just patch rollouts.
Mitigation and Hardening Steps
ABB’s primary recommendation is to update to Automation Builder Gateway 2.9.0 or newer. The updated installer changes the discovery service to bind only to 127.0.0.1 by default. This blocks all remote requests while still allowing the local engineering software to query the service.
For sites that cannot upgrade immediately, ABB and CISA recommend the following temporary measures:
- Block TCP port 1217 at the perimeter firewall and on the host’s Windows Defender Firewall. Restrict access to only necessary management IP addresses.
- If the discovery service is not needed for remote operations, disable it entirely through the gateway’s configuration file or service manager.
- Run the gateway executable with a low-privilege service account that lacks access to sensitive files or domain credentials, limiting the fallout if the host is compromised.
- Monitor Windows event logs and network traffic for unexpected connections to port 1217, especially from IP ranges associated with IT or guest VLANs.
- Implement network segmentation that places engineering workstations and the gateway in a dedicated OT zone, reachable only via a jump host with multi-factor authentication.
Longer-term, ABB advises asset owners to follow its secure deployment guides and subscribe to its product security notification mailing list. The company’s security advisory also points to its PSIRT page where customers can report suspected vulnerabilities.
CISA’s Involvement and ICS Advisory
CISA regularly republishes vendor advisories for industrial control systems to give them maximum visibility among U.S. critical infrastructure operators. The May 12, 2026 republication of ABB’s advisory for CVE-2024-41975 does not indicate a new flaw; rather, it suggests that the vulnerability remains a live concern and that CISA believes operators have not completed mitigations at scale.
The advisory, cataloged as ICSA-26-132-01, encourages all owners of ABB controllers to verify whether their engineering workstations run a vulnerable version of the gateway. It also reiterates the standard ICS security recommendations: minimize network exposure, isolate control systems from business networks, and use VPNs with strong authentication for remote access.
Broader Implications for Windows OT Security
Because the gateway software runs on Windows, it inherits the security posture of the host operating system. Many OT environments still deploy Windows 10 or even older releases without consistent patch management. Running an unauthenticated service on such a machine creates a dual risk: an attacker can exploit the discovery port to gather intelligence, then use a separate Windows vulnerability to gain code execution.
This intersection of Windows and OT security is increasingly critical. Microsoft has invested heavily in securing OT assets with Defender for IoT and Azure Arc-enabled device management. Still, third-party applications like ABB Automation Builder remain blind spots unless the owner takes deliberate configuration steps. The default-insecure model must be challenged at every procurement stage—operators should demand that vendors ship products with secure defaults and provide hardening scripts for common deployment scenarios.
Industry regulators are also paying attention. The Transportation Security Administration’s pipeline security directives, the NERC CIP standards for bulk electric systems, and the forthcoming European NIS2 directive all enforce network segmentation and access control. Leaving port 1217 open to anything other than a localhost socket could be deemed a non-compliance finding during an audit.
What Windows Administrators Should Do Right Now
If you manage Windows machines that touch an industrial environment, don’t assume your OT team is handling this. The gateway is installed on standard Windows editions, so your endpoint scanners should be able to detect it. Take the following steps immediately:
- Run a quick network scan or check Windows Firewall rules for port 1217.
- Query for the installed program “Automation Builder Gateway” via PowerShell: Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -like "*Automation Builder*" }
- Check the listening addresses and the owning process ID: netstat -ano | findstr :1217
- If the service is bound to 0.0.0.0 or an external interface, treat remediation as high priority.
- Schedule the update to version 2.9.0, test it in a staging environment, and deploy during the next maintenance window.
- Until then, add a Windows Defender Firewall rule that restricts TCP 1217 to localhost.
You can also deploy a Group Policy Object that blocks the port across all engineering workstations, ensuring configuration is enforced centrally and not easily reverted by local administrators.
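The following PowerShell script ties together the temporary measures listed under the mitigation section (scoped firewall rule, monitoring of connections to port 1217) and the administrator checklist above into a single host audit. It is an added example, not a script from ABB, CISA, or the advisory. It assumes an elevated PowerShell 5.1 or later session on the Windows host running the gateway, that "Audit Filtering Platform Connection" success auditing is enabled if the event query is to return anything, and that the management IP allowlist is a constructed placeholder to be replaced with real addresses (leave it empty to restrict the port to localhost only). It reads the uninstall registry keys instead of Win32_Product, because enumerating Win32_Product is slow and triggers an MSI consistency check of every installed package.

```powershell
# Added example (not ABB's or CISA's code): audit one Windows host for an exposed
# Automation Builder Gateway discovery listener on TCP 1217, scope the inbound rule,
# and surface unexpected clients from Windows Filtering Platform audit events.
$Port = 1217
$AllowedRemote = @('10.10.5.20', '10.10.5.21')   # constructed placeholder management IPs; @() = localhost only

# 1. Installed-program check via the registry uninstall keys (64-bit and 32-bit views).
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like '*Automation Builder*' } |
  Select-Object DisplayName, DisplayVersion, InstallDate

# 2. Version gate: every release below 2.9.0 is in the affected range.
$vulnerable = $installed | Where-Object {
  $v = $null
  [Version]::TryParse([string]$_.DisplayVersion, [ref]$v) -and ($v -lt [Version]'2.9.0')
}

# 3. Listener check: 0.0.0.0 or :: means the service accepts connections on every interface.
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
$exposed = $listeners | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
foreach ($l in $exposed) {
  $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
  Write-Warning ('TCP {0} listening on {1}, PID {2} ({3})' -f $Port, $l.LocalAddress, $l.OwningProcess, $proc.ProcessName)
}

# 4. Compensating control. Windows Defender Firewall evaluates Block rules before Allow rules,
#    so a blanket Block on 1217 would also cut off the management allowlist. Instead: disable any
#    existing broad inbound Allow rule for the port, add one Allow scoped to the allowlist, and
#    rely on the profile's default inbound action (Block) for everything else.
$broadAllow = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
  Where-Object { @($_.LocalPort) -contains "$Port" } |
  Get-NetFirewallRule |
  Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -notlike 'ABB-AB-Gateway-1217*' }
$broadAllow | Disable-NetFirewallRule

$ruleName = 'ABB-AB-Gateway-1217-AllowMgmt'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
if ($AllowedRemote.Count -gt 0) {
  New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $AllowedRemote -Action Allow -Profile Any | Out-Null
}
$openProfiles = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' }
foreach ($p in $openProfiles) {
  Write-Warning ('Firewall profile {0} has DefaultInboundAction {1}; port {2} is not protected there' -f $p.Name, $p.DefaultInboundAction, $Port)
}

# 5. Detection: Security event 5156 (WFP permitted a connection). Direction %%14592 is Inbound.
#    Report source addresses hitting the port that are neither loopback nor on the allowlist.
$trusted = $AllowedRemote + @('127.0.0.1', '::1')
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5156; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
  ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{ Time = $_.TimeCreated; Source = $d['SourceAddress']; DestPort = $d['DestPort']; Direction = $d['Direction'] }
  } |
  Where-Object { $_.DestPort -eq "$Port" -and $_.Direction -eq '%%14592' -and $_.Source -notin $trusted }

# Summary object: feed this into your inventory or ticketing pipeline.
[pscustomobject]@{
  Host              = $env:COMPUTERNAME
  GatewayInstalled  = [bool]$installed
  GatewayVersion    = (@($installed.DisplayVersion) -join ', ')
  VulnerableVersion = [bool]$vulnerable
  ExposedListener   = [bool]$exposed
  DisabledAllowRules = (@($broadAllow.DisplayName) -join ', ')
  UnexpectedClients = (@($hits.Source | Sort-Object -Unique) -join ', ')
}
```

Run it per host, or wrap it in Invoke-Command against the engineering-workstation OU, and alert on any result where VulnerableVersion or ExposedListener is true or UnexpectedClients is non-empty. The rule and allowlist names are placeholders; once the 2.9.0 upgrade binds the service to 127.0.0.1, the scoped allow rule can be removed again.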
The Vendor Response and Ongoing Responsibility
ABB’s product security team followed a responsible disclosure process: they issued a fix within the same major version, communicated clearly via their advisory portal, and cooperated with CISA to amplify the message. The fact that CISA republished the advisory years later is less a reflection on the vendor and more a sign that software patching in critical infrastructure remains stubbornly difficult.
Moving forward, ABB will likely incorporate more secure defaults in future products, but users should not wait for perfection. The IEC 62443 series of standards for industrial automation security explicitly calls for “secure by default” configuration, and this incident underscores why that principle must be embedded from the start, not bolted on after a CVE.
For the wider Windows community, CVE-2024-41975 is a reminder that the operating system’s own security hardening is necessary but not sufficient. Third-party industrial software can undermine years of careful Active Directory design, endpoint protection, and network segmentation with a single unauthenticated listener. Auditing what services your Windows hosts expose to the network is just as vital as the monthly Patch Tuesday cycle.
Conclusion: A Fix Exists—Now Close the Door
The ABB Automation Builder Gateway vulnerability is a classic example of a well-intentioned engineering feature turned into a serious information disclosure risk. The fix is straightforward: upgrade to version 2.9.0 or later, where the discovery service no longer broadcasts to the world. For organizations that cannot patch immediately, firewall rules and service reconfiguration can block the immediate threat.
CISA’s decision to republish the advisory signals that too many installations remain exposed. Windows administrators and OT engineers alike must collaborate to inventory all engineering workstations, verify the gateway’s configuration, and integrate these checks into routine maintenance. In an era where industrial sabotage is no longer hypothetical, closing an open port is one of the easiest defenses available.