The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on May 21, 2026, republished an advisory originally issued by ABB, warning of three medium-severity vulnerabilities in B&R Automation Runtime’s System Diagnostics Manager (SDM). The flaws affect all versions of Automation Runtime prior to 6.4 and could allow an attacker with access to the diagnostic interface to conduct cross-site scripting (XSS) and CSV injection attacks. ABB has released Automation Runtime version 6.4 to completely remediate the issues, and CISA’s amplification of the advisory signals the criticality of patching operational technology (OT) environments promptly.
While CISA routinely issues its own ICS advisories, it also re-publishes vendor advisories to broaden awareness among critical infrastructure owners and operators. The ABB advisory, now accessible through CISA’s Industrial Control Systems (ICS) advisory portal, details how the flaws were identified and fixed in collaboration with security researchers. The three vulnerabilities carry CVSS v3 scores below 7.0, placing them in the medium range, yet their exploitation could disrupt industrial processes or compromise sensitive diagnostic data if left unpatched.
Understanding the Vulnerabilities
The System Diagnostics Manager in B&R Automation Runtime is a web‑based tool used for troubleshooting, performance monitoring, and system configuration in industrial automation controllers. It exposes diagnostic functionality over HTTP, typically within a local control network. The three vulnerabilities stem from insufficient input sanitization and unsafe output handling in the SDM web interface:
- Cross‑Site Scripting (XSS) – Two of the flaws are reflected XSS vulnerabilities. An attacker could craft a malicious link or inject a script into a diagnostic parameter. When an authenticated user views the manipulated SDM page, the injected JavaScript executes in the user’s browser. This could lead to session hijacking, theft of credentials, or unauthorized actions on the industrial controller.
- CSV Injection – The third flaw allows CSV injection through the export functionality of the SDM. When a user exports diagnostic data to a comma‑separated values (CSV) file and opens it in spreadsheet software, malicious formulas embedded in the file could be executed. This type of attack can lead to command execution in the context of the spreadsheet application, data exfiltration, or further compromise of the engineering workstation.
Both attack vectors require network access to the diagnostic interface, which is often restricted to an internal operational network. However, an attacker who has gained a foothold elsewhere in the industrial environment – through phishing, a compromised VPN, or lateral movement – could leverage these flaws to escalate privileges or tamper with controller diagnostics.
Impact on Industrial Environments
B&R Automation Runtime powers Programmable Logic Controllers (PLCs), industrial PCs, and drive systems that control everything from packaging machinery to energy distribution. The SDM tool is a critical component for maintenance engineers and system integrators. A successful XSS attack could redirect an engineer’s browser to a malicious site that mimics the SDM login page, capturing credentials. CSV injection, while less common, is a potent means to compromise the engineering workstation that typically has deep access to the OT network and the controllers themselves.
ABB’s advisory notes that the vulnerabilities are exploitable only if an attacker can reach the SDM web interface – typically on TCP port 80 or 443. In well‑segmented networks, this reduces the immediate exposure, but many industrial environments still have flat or poorly defended OT networks. The fact that ABB issued a patch and CISA republished the advisory indicates that the risk should not be dismissed, even if the CVSS scores are medium.
The Patch: Automation Runtime 6.4
ABB resolved all three vulnerabilities in B&R Automation Runtime version 6.4. The fix introduces proper output encoding to prevent XSS and sanitizes CSV exports to escape formula characters (such as =, +, -, and @). No other mitigation or configuration workaround is available; ABB explicitly recommends upgrading to the latest version. For systems that cannot be patched immediately, ABB advises restricting network access to the SDM using firewall rules, deleting default accounts, and ensuring only trusted users can access the diagnostic pages. ABB also recommends using a segregated network for management interfaces and enforcing multi‑factor authentication where supported.
Upgrading to Automation Runtime 6.4 is a significant step, as it may require testing against custom control logic and ensuring compatibility with third‑party components. Asset owners should plan the upgrade with a proper test environment and follow ABB’s documented migration procedures.
CISA’s Amplification: Why It Matters
CISA’s role in republishing vendor advisories is to ensure that the widest possible audience – especially U.S. critical infrastructure sectors like energy, water, and manufacturing – becomes aware of OT vulnerabilities that might otherwise remain obscure. By adding the ABB advisory to its own repository, CISA enables asset owners who monitor its ICS‑CERT feed to incorporate the patch into their vulnerability management programs. CISA has not issued its own CVEs or altered the technical details; it merely provides a standardized summary and a direct link to ABB’s full document.
For B&R Automation Runtime users, this republication is an extra prompt: regulators and insurance providers increasingly reference CISA advisories when assessing compliance. Failure to patch a CISA‑listed vulnerability could have contractual or regulatory consequences, especially under directives like the TSA’s pipeline cybersecurity guidelines or state‑level critical infrastructure protection rules.
Technical Deep Dive: How XSS and CSV Injection Work in SDM
Reflected XSS occurs when user‑supplied data is included in the HTTP response without proper escaping. In the SDM, diagnostic parameters such as log‑level, module name, or time range are passed via GET or POST requests. If an attacker injects a script tag (e.g., <script>alert(1)</script>) into one of these parameters and the server echoes it back unchanged, the script executes in the victim’s browser. The attacker could then abuse this to perform actions on behalf of the legitimate user.
CSV injection exploits the fact that spreadsheet applications like Microsoft Excel and Google Sheets may interpret cells starting with certain characters as formulas. For example, if a cell contains =cmd|' /C calc'!A0, opening the file in Excel could trigger a command prompt. In the SDM, exported diagnostic logs with user‑controlled fields such as task names, firmware versions, or custom tags could be tampered with before export, or an attacker could manipulate the query string that generates the CSV. Because engineers frequently open these files on workstations that are also used for email and web browsing, the risk of cross‑pivot into the IT domain is tangible.
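The two fixes described above (output encoding for reflected parameters, and escaping of formula‑leading characters such as =, +, -, and @ in CSV exports) in working form, as an added illustration that is not ABB’s code: the field names and sample diagnostic records are constructed for the example.

```python
import csv
import html
import io

# Leading characters that Excel, LibreOffice and Google Sheets may treat as the
# start of a formula. Tab and CR are included because some importers strip them
# before deciding whether a cell is a formula. Negative numbers ("-5") are
# prefixed too; that is the accepted cost of a blanket rule.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_cell(value):
    """Prefix a formula-looking cell with an apostrophe so it is stored as text.

    "=cmd|' /C calc'!A0" becomes "'=cmd|' /C calc'!A0", which a spreadsheet
    displays literally instead of evaluating.
    """
    text = str(value)
    if text.startswith(FORMULA_LEADERS):
        return "'" + text
    return text


def export_diagnostics_csv(rows, fieldnames):
    """Serialise diagnostic records to CSV, neutralising every cell on the way out."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_csv_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


def render_param(value):
    """Output-encode a reflected diagnostic parameter before placing it in HTML.

    html.escape converts <, >, &, " and ', so a value echoed into the page body
    or an attribute cannot break out into markup or script.
    """
    return html.escape(str(value), quote=True)


# Constructed sample records: "task_name" and "tag" stand in for the
# user-controlled fields that reach the export.
SAMPLE_ROWS = [
    {"task_name": "MotorCtrl", "firmware": "6.3.1", "tag": "line-2"},
    {"task_name": "=cmd|' /C calc'!A0", "firmware": "6.3.1", "tag": "@SUM(A1:A9)"},
]
FIELDNAMES = ["task_name", "firmware", "tag"]

if __name__ == "__main__":
    print(export_diagnostics_csv(SAMPLE_ROWS, FIELDNAMES))
    print(render_param("<script>alert(1)</script>"))
```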
Industrial Adversary Tactics and Real‑World Relevance
While the CVSS scores are moderate, OT‑targeting threat actors often chain low‑severity vulnerabilities to achieve high‑impact compromises. For instance, an XSS flaw might be used to phish credentials from a technician; those credentials could then be used to access deeper controller functions, modify logic, or download proprietary recipes. In 2025, a joint advisory from CISA and international partners highlighted how nation‑state actors exploited exactly such web‑interface weaknesses in building automation controllers to maintain persistence and exfiltrate operational data.
CSV injection, although a well‑known attack vector in IT, remains under‑appreciated in OT environments. A single compromised engineering workstation can serve as a pivot point to the entire automation network, because the workstation often holds project files, PLC passwords, and direct development access to controllers. ABB’s swift resolution underscores the seriousness of leaving such vectors open.
Broader Industry Implications
ABB is not alone in grappling with web‑interface vulnerabilities in OT devices. In the past year, vendors like Siemens, Rockwell Automation, and Mitsubishi Electric have patched similar XSS and injection flaws in their own diagnostic and configuration tools. The trend reflects the increasing convergence of IT and OT networks: as industrial components adopt more web‑based management interfaces, they inherit the security challenges of traditional web applications. OT engineers, however, are often not trained in web security, and secure coding practices for embedded devices have historically lagged behind those for enterprise software.
The ABB advisory also serves as a reminder that third‑party components, such as the B&R Automation Runtime used in many ABB systems, extend the attack surface. System integrators and end‑users must track vulnerabilities not just in the PLC firmware but in the entire software stack, including diagnostic tools. Automated software inventory and vulnerability management tools that cover OT assets are becoming essential.
Actionable Steps for Asset Owners
Asset owners who rely on B&R Automation Runtime should take the following steps immediately:
- Identify affected systems – Check whether any controller or industrial PC runs Automation Runtime version < 6.4. ABB provides a version detection tool and detailed instructions in the advisory.
- Assess exposure – Determine if the SDM web interface is reachable from any untrusted network. Even if it is behind a firewall, assume that an attacker on the internal OT network could exploit these vulnerabilities.
- Apply the patch – Plan a maintenance window to upgrade to Automation Runtime 6.4. Validate that all custom programs and peripheral communications function correctly after the upgrade.
- Implement compensating controls – If immediate patching is not possible, enforce strict IP‑based access controls, disable the SDM if not needed, or use VPN jump hosts with multi‑factor authentication for all remote access.
- Harden engineering workstations – Ensure that spreadsheet applications are configured to disable automatic execution of formula cells, and train personnel to avoid opening untrusted CSV files from OT systems.
Looking Ahead
ABB has indicated that its product security team continuously tests Automation Runtime for vulnerabilities and will issue updates as necessary. The fact that these medium‑severity flaws garnered a CISA republication suggests a maturing awareness that even moderate weaknesses can be exploited in concert with other techniques. The OT security community should expect more coordinated disclosures of this nature as vendors expand their vulnerability handling capabilities.
For Windows‑centric industrial environments – where many engineering workstations run Windows 10, 11, or Server editions – the interplay between OT vulnerabilities and the Windows ecosystem is particularly salient. CSV injection, for example, directly targets Windows applications like Excel, and XSS attacks can compromise browsers running on Windows clients. Keeping both the OT firmware and the Windows hosts up to date remains a fundamental defense‑in‑depth principle.
CISA’s republication of ABB’s advisory is a low‑friction way to elevate the visibility of a fix whose technical severity might otherwise be downplayed. Asset owners who treat each such advisory as a to‑do item not only protect their own operations but also contribute to the collective resilience of critical infrastructure.