{
"title": "CISA Warns ABB B&R Industrial PCs: PixieFail UEFI Network Vulnerabilities (2026)",
"content": "The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has sounded the alarm for critical infrastructure operators. On May 21, 2026, CISA republished an advisory from ABB detailing severe UEFI firmware vulnerabilities still affecting a wide range of B&R industrial PCs. The flaws, collectively known as PixieFail, were first disclosed in late 2023, but many devices in the field remain unpatched, leaving a gaping network-entry point for attackers.

The nine PixieFail vulnerabilities reside in the network stack of the EDK II reference UEFI firmware, which is the foundation for BIOS code shipping in millions of PCs and embedded systems. Because industrial controllers often rely on Preboot eXecution Environment (PXE) for diskless booting or centralized system management, the network stack runs even before the operating system loads. An unauthenticated attacker on the same network segment can exploit these bugs to execute arbitrary code at the highest privilege level—giving them complete control over the device before any security software kicks in.

Inside the Nine CVEs

The PixieFail vulnerabilities, tracked as CVE-2023-45229 through CVE-2023-45237, were discovered by researchers at Quarkslab. They lie in the IPv6, DHCPv6, DNS, and TCP components of the UEFI network stack. A brief rundown of the nine CVEs:

  • CVE-2023-45229: Infinite loop when processing IANA (Identity Association for Non-temporary Addresses) and IATA (Identity Association for Temporary Addresses) options in DHCPv6 Advertise messages.
  • CVE-2023-45230: Buffer overflow in the DHCPv6 client due to mishandling long Server ID options.
  • CVE-2023-45231: Out-of-bounds read in the IPv6 Neighbor Discovery protocol when handling malformed Router Advertisement messages.
  • CVE-2023-45232: Infinite loop when parsing unknown DNS response flags.
  • CVE-2023-45233: Infinite loop when parsing TCP header flags during a three-way handshake.
  • CVE-2023-45234: Buffer overflow in DNS response processing due to improper length validation.
  • CVE-2023-45235: Buffer overflow in the DHCPv6 client when handling overly long Domain Search List options.
  • CVE-2023-45236: Predictable initial TCP sequence number (ISN) generation, enabling TCP hijacking and denial-of-service.
  • CVE-2023-45237: Use of a weak pseudo-random number generator (PRNG), which weakens other security functions.

All nine can be triggered by sending specially crafted network packets to the vulnerable device during the UEFI pre-boot phase. Because the code runs in System Management Mode (SMM) or before any OS-based security controls load, successful exploitation yields complete firmware-level compromise—surviving OS reinstallations. Attackers can plant persistent implants, exfiltrate data, or disable the device entirely.

ABB B&R Products in the Crosshairs

ABB’s advisory applies to B&R industrial PCs that utilize the affected EDK II-based UEFI firmware. B&R (Bernecker + Rainer) has been part of ABB since 2017 and provides a wide lineup of automation PCs, panel PCs, and machine controllers used in manufacturing, power generation, and process automation. According to the CISA advisory, the following B&R product series and firmware versions are impacted:

  • Automation PC 910 (APC910) – all firmware versions prior to v2.12.0
  • Automation PC 2200 (APC2200) – all firmware versions prior to v2.12.0
  • Panel PC 2100 – all firmware versions prior to v2.12.0
  • Panel PC 3100 – all firmware versions prior to v2.12.0
  • xPC entry-level controllers – firmware earlier than v2.10.0 (specified in ABB document ID 9AKK108468A4847)

These devices often sit at the heart of operational technology (OT) networks, connected to EtherNet/IP, PROFINET, or Modbus TCP backbones. Many are configured with PXE boot enabled to streamline software deployment or to boot from a central image server. That convenience becomes a dangerous liability when the UEFI network stack is unpatched.

A Closer Look at the Exploit Chain

While each PixieFail CVE can be exploited independently, an attacker aiming for persistent firmware compromise would chain several of them. Here’s a typical attack sequence observed in proofs of concept (PoCs) released by Quarkslab:

  1. Network Discovery: The attacker identifies a target B&R industrial PC via its MAC vendor ID or by listening for PXE provisioning requests. In many OT networks, static IP assignments and predictable MAC addresses make this step trivial.
  2. Rogue DHCPv6 Setup: Using a laptop or a compromised edge device, the attacker runs software that responds to DHCPv6 Solicit messages with crafted Advertise packets. The packet contains a long Server ID option designed to overflow the buffer in CVE-2023-45230.
  3. Code Execution: The overflow overwrites return pointers on the firmware’s stack, redirecting execution to attacker-controlled code. Because the UEFI environment uses flat memory with no ASLR, exploitation is highly reliable.
  4. SPI Flash Write: The payload invokes the UEFI capsule update service to write a tampered firmware image to the SPI flash. The new firmware includes a hidden backdoor that can be triggered later when the OS is running, e.g. to disable Secure Boot or inject code into the OS kernel.
  5. Stealth Reset: The implant maintains a low profile, resetting the system to a normal boot after flashing. The user sees no visible sign of compromise. The entire attack can take less than 30 seconds from network connection to persistent firmware implant.

This scenario is not hypothetical. Quarkslab demonstrated a full chain on an Intel NUC, and since B&R PCs often use similar Intel chipsets and AMI Aptio V firmware, the portability is high. The only requirement is network adjacency. In a typical manufacturing cell, a single compromised engineering laptop plugged into the same unmanaged switch would be enough.
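As an added defensive illustration (not code from Quarkslab, ABB or CISA), the check below shows how a monitor on an OT segment can flag the malformed DHCPv6 Advertise messages described in the CVE list and in step 2 of the chain above: a Server ID option longer than the DUID limit (CVE-2023-45230), a Domain Search List with out-of-range labels (CVE-2023-45235), and option length fields that overrun the message. The message type, option codes and length limits are taken from RFC 8415 and RFC 1035; the sample messages are constructed, not captured traffic.

```python
import struct
# DHCPv6 message type and option codes (RFC 8415); DUID cap from RFC 8415 s.11, label cap from RFC 1035
ADVERTISE, OPT_SERVERID, OPT_IA_NA, OPT_IA_TA, OPT_DOMAIN_LIST = 2, 2, 3, 4, 24
MAX_DUID_LEN, MAX_LABEL_LEN = 130, 63

def parse_options(data):
    """Yield (code, value) pairs; raise ValueError when a length field overruns the data."""
    off = 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("option header truncated at offset %d" % off)
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("option %d claims %d bytes, %d left" % (code, length, len(data) - off))
        yield code, data[off:off + length]
        off += length

def domain_list_ok(value):
    """True if every label in a DNS-wire-format domain list stays within bounds."""
    i = 0
    while i < len(value):
        lab = value[i]
        if lab > MAX_LABEL_LEN or i + 1 + lab > len(value):
            return False
        i += 1 + lab
    return True

def inspect_dhcpv6(msg):
    """Return findings for one DHCPv6 message; an empty list means nothing suspicious."""
    if len(msg) < 4 or msg[0] != ADVERTISE:
        return []  # only server Advertise messages are inspected here
    findings = []
    try:
        for code, value in parse_options(msg[4:]):
            if code == OPT_SERVERID and len(value) > MAX_DUID_LEN:
                findings.append("Server ID is %d bytes (limit %d): CVE-2023-45230 pattern" % (len(value), MAX_DUID_LEN))
            elif code == OPT_DOMAIN_LIST and not domain_list_ok(value):
                findings.append("malformed Domain Search List labels: CVE-2023-45235 pattern")
            elif code in (OPT_IA_NA, OPT_IA_TA):
                # IA_NA carries a 12-byte header (IAID, T1, T2), IA_TA a 4-byte one; sub-options follow it
                list(parse_options(value[(12 if code == OPT_IA_NA else 4):]))
    except ValueError as exc:
        findings.append("inconsistent option lengths (%s)" % exc)
    return findings

# Constructed sample messages, not captured traffic: 1 type byte + 3-byte transaction id, then options
HDR = bytes([ADVERTISE, 0xAA, 0xBB, 0xCC])
GOOD = HDR + struct.pack("!HH", OPT_SERVERID, 14) + b"\x00\x01" + bytes(12)
LONG_SERVERID = HDR + struct.pack("!HH", OPT_SERVERID, 300) + b"A" * 300
```

Feeding every Advertise seen on the segment through `inspect_dhcpv6` gives a cheap indicator of a rogue DHCPv6 server aimed at unpatched PXE clients.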

Why This Matters to Critical Infrastructure

Industrial PCs from B&R are deployed in sensitive sites: water treatment plants use them to run SCADA clients, power substations use them as bay controllers, and automotive assembly lines use them for robot cell control. A firmware-level attack could:

  • Disable safety interlocks: If the backdoor manipulates data sent to safety PLCs, physical harm to workers is a real risk.
  • Leak intellectual property: Factory recipes and production data stored on the PC or accessible from it could be exfiltrated.
  • Serve as a pivot point: From a compromised automation PC, attackers can reach PLCs, drives, and other equipment that normally sit on isolated fieldbus networks.

Stuxnet showed that PLC firmware could be targeted; PixieFail shows that the upstream PC, with a far larger attack surface, is an even softer target. The U.S. government has elevated firmware security to a top priority, as evidenced by recent executive orders and the CISA Secure by Design initiative. Yet the patch gap in B&R devices illustrates how far industry still lags.

Why Patches Linger

Despite the original PixieFail disclosure back in November 2023, and patches being rolled out by TianoCore and downstream UEFI firmware vendors (AMI, Insyde, Phoenix) through 2024, the ABB advisory shows that many B&R industrial PCs still run vulnerable code. The reasons mirror those seen in countless OT environments:

  • Downtime aversion: Production lines run 24/7; scheduling firmware updates can take months, if not years.
  • Firmware update complexity: Unlike OS patches, UEFI updates often require physical access, reboot into BIOS setup, and sometimes removal of write-protection jumpers.
  • Lack of asset inventory: Many OT teams do not maintain a complete, accurate catalog of PC firmware versions.
  • Interoperability fears: There is anxiety that a firmware update might break custom real-time applications or driver compatibility.

CISA’s decision to republish the advisory is a clear signal that the window of risk is still wide open. The agency seldom draws attention to already-public vulnerabilities unless it believes active exploitation is likely or already occurring in the wild. While the advisory does not confirm any in-the-wild incidents, the fact that it was republished in May 2026, two and a half years after initial disclosure, points to persistent unpatched devices being a serious national concern.

How the Industry Reacted

After Quarkslab’s initial disclosure in November 2023, the UEFI security community moved quickly. The TianoCore project released patches in edk2-stable202311, but firmware integration took months. AMI, Insyde, and Phoenix added fixes in their respective SDKs by mid-2024. Microsoft issued a security advisory (ADV240001) and updated Windows attestation services to detect unpatched firmware.

ABB’s B&R division evaluated the impact and began rolling out updated firmware images in late 2024. However, communication challenges—a fragmented OT supply chain, many OEMs using white-label B&R PCs, and insufficient public advisories—meant that end users remained in the dark. The May 2026 CISA advisory is an attempt to close that communication gap, placing the responsibility squarely on asset owners.

Some industry consortiums, like the ISA Global Cybersecurity Alliance, have since published guidance documents specifically on UEFI patch management for industrial assets. But the fundamental tension remains: a plant manager who risks a 4-hour downtime to update firmware battles against a production schedule that demands 100% uptime. Economics often wins until a major incident resets the calculus.

CISA and ABB Recommendations

Both CISA and ABB urge organizations to take immediate action. ABB has released updated UEFI firmware for the affected product lines, available through its customer portal and via local ABB support channels. The latest firmware releases incorporate EDK II patches that resolve all nine PixieFail CVEs. Specifically:

  • For Automation PCs and Panel PCs, upgrade to B&R UEFI firmware v2.12.0 or later.
  • For xPC systems, upgrade to firmware v2.10.0 or later (refer to ABB document 9AKK108468A4847 for detailed instructions).

Beyond patching, CISA recommends a defense-in-depth posture:
  • Disable PXE boot and IPv6 network stack in UEFI