The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has republished an advisory originally issued by ABB on October 7, 2025, warning that certain ABB EIBPORT KNX building automation devices harbor a high-severity web vulnerability. The alert, disseminated through CISA’s Known Exploited Vulnerabilities (KEV) catalog on May 28, 2026, underscores the persistent risks facing operational technology (OT) environments and the importance of timely firmware updates.

A Delayed but Critical Alert

ABB’s initial disclosure in late 2025 addressed a flaw in the web-based management interface of its EIBPORT V3 KNX and EIBPORT V3 KNX GSM gateways running firmware versions prior to 3.9.2. Despite the original advisory, many installations remained unpatched, prompting CISA to amplify the warning six months later. This pattern—where industrial control system (ICS) vulnerabilities are disclosed by vendors but not promptly remediated by asset owners—is a recurring challenge in critical infrastructure security.

The EIBPORT gateway serves as a bridge between KNX building automation networks and IP-based systems, enabling remote monitoring, configuration, and control of lighting, HVAC, and security systems. Because these devices often sit at the intersection of IT and OT, a compromise can grant attackers a foothold into both enterprise networks and physical operations.

The Vulnerability at a Glance

Although the exact CVE identifier remains undisclosed in CISA’s brief bulletin, the advisory categorizes the flaw as a high-severity web vulnerability. ABB’s own security notice describes it as an improper neutralization of input during web page generation, commonly known as cross-site scripting (XSS) or injection flaw. Such weaknesses allow unauthenticated attackers to inject malicious scripts into the device’s web interface, potentially leading to session hijacking, credential theft, or complete device takeover.

In ICS contexts, even a seemingly low-impact XSS can be weaponized. An attacker who persuades an administrator to click a crafted link could execute arbitrary commands on the gateway, alter KNX telegrams, or pivot to other building systems. The risk is amplified because many EIBPORT units are exposed to the internet for remote building management, often without robust network segmentation.

Affected Products and Remediation

The following ABB products are confirmed vulnerable:

  • EIBPORT V3 KNX (all firmware versions before 3.9.2)
  • EIBPORT V3 KNX GSM (all firmware versions before 3.9.2)

Later models and firmware branches are not affected. ABB strongly advises users to update to firmware version 3.9.2 or later, which contains hardcoded input validation and output encoding controls to neutralize the attack vector. The firmware is available through ABB’s official support portal and authorized distributors.

For organizations unable to patch immediately, ABB and CISA recommend compensating controls:
- Restrict network access to the EIBPORT web interface using firewalls or VPNs.
- Disable the web server if remote management is not required.
- Monitor logs for suspicious HTTP requests targeting the device.
- Implement strong password policies and change default credentials.

CISA’s Role in Amplifying ICS Advisories

CISA’s republishing of ABB’s advisory is part of its Binding Operational Directive (BOD) 22-01, which mandates federal agencies to remediate cataloged vulnerabilities within strict timelines. By adding this flaw to the KEV, CISA signals that it has evidence of active exploitation or a high likelihood of imminent weaponization. This move pressures critical infrastructure owners to prioritize patching or face compliance consequences.

The advisory also feeds into CISA’s Known Exploited Vulnerabilities Catalog, a living list of CVEs that pose significant risk to the federal enterprise. Since its inception, the catalog has become a de facto priority list for security teams worldwide, even in private industry.

The Broader Context: KNX and Building Automation Security

KNX is a globally recognized standard for home and building automation (ISO/IEC 14543-3). It allows interoperability among thousands of products from different manufacturers, from lighting controllers to HVAC systems. However, the standard focuses primarily on device communication and interoperability, not on embedded cybersecurity. As a result, many KNX gateways—like the EIBPORT—introduce web and IP interfaces that are often the weakest link.

Security researchers have highlighted systemic issues in building automation for years. A 2022 study found that 60% of tested building management systems had at least one known vulnerability, and nearly half allowed unauthorized access to critical controls. The EIBPORT flaw is emblematic of a larger problem: legacy OT devices are designed for availability and longevity, not for defense against modern cyber threats.

Real-World Implications

Exploitation of this vulnerability could have cascading effects. An attacker gaining control of an EIBPORT gateway could:

  • Manipulate lighting schedules to cause disruptions or obscure physical intrusions.
  • Remotely unlock doors or disable alarm systems by intercepting KNX commands.
  • Override HVAC setpoints, leading to equipment damage or unsafe conditions in sensitive environments like data centers or hospitals.
  • Use the compromised device as a launchpad to scan and attack other IP-connected building systems.

In a targeted attack against a corporate headquarters, for instance, disabling air conditioning in server rooms could cause thermal shutdowns, while simultaneous lighting chaos could distract security personnel. Such scenarios, once the realm of Hollywood, are increasingly plausible as threat actors turn their attention to operational technology.

The Urgency of Firmware Updates

Despite the clear danger, patching OT firmware is notoriously difficult. Building managers often lack visibility into their device inventory, fear that updates might break critical automations, or simply operate on “if it isn’t broke, don’t update” mentality. This cultural inertia allows known vulnerabilities to persist for years.

CISA’s republishing should serve as a wake-up call. The agency rarely amplifies vendor advisories unless it assesses an elevated risk. By the time an advisory reaches the KEV, proof-of-concept exploit code may already be circulating on dark web forums, or active exploitation may be underway. Waiting to patch is no longer an option.

How to Check Your EIBPORT Firmware Version

Asset owners can verify their firmware version by logging into the EIBPORT web interface and navigating to the “System Information” or “Device Status” page. If the firmware is older than 3.9.2, the device is vulnerable. ABB has published detailed update instructions, which typically involve downloading the firmware image, accessing the device’s maintenance mode, and uploading the new version via a web browser.

For large-scale deployments, network scanning tools like Shodan can identify publicly exposed EIBPORT interfaces. Security teams can query Shodan for “EIBPORT” or specific HTTP response headers to locate vulnerable units across their IP ranges. CISA also recommends using its own Cyber Hygiene scanning service, which identifies internet-facing ICS devices.

Lessons for Cybersecurity Professionals

The ABB EIBPORT advisory reinforced several key lessons for OT security:

  1. Web interfaces in OT are prime targets. Any device with an HTTP(S) interface must be treated as an attack surface, regularly assessed, and hardened.
  2. Vendor advisories are not enough. Even when a vendor acts responsibly, slow adoption of patches undermines fleet security. CISA’s amplification is a forcing function.
  3. Asset inventory is foundational. You cannot patch what you don’t know you have. Continuous discovery of connected OT assets is essential.
  4. Network segmentation saves lives. Segregating building automation systems from corporate IT networks and the internet limits the blast radius of a breach.

A Call to Action

CISA’s republishing of ABB’s advisory turns a voluntary vendor notice into an imperative. Federal agencies, critical infrastructure operators, and any organization using EIBPORT V3 gateways should treat the firmware update as urgent. The May 28, 2026, KEV addition reminds the community that industrial cybersecurity is not a one-time effort but a continuous race against adversaries who are increasingly comfortable in OT environments.

Patch now, verify the fix, and harden your building automation networks. The next attack may already be scanning for your unpatched device.