The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory regarding multiple vulnerabilities in ABB FLXEON controllers that could allow attackers to execute arbitrary code and compromise industrial control systems (ICS). These flaws, if exploited, present severe risks to critical infrastructure sectors relying on these programmable logic controllers (PLCs).

Overview of the ABB FLXEON Vulnerabilities

ABB's FLXEON series (models 202, 204, 206) contains three critical security flaws, tracked under the following CVE identifiers:

  • CVE-2024-0728 (CVSS 9.8): Command injection via WebSocket interface
  • CVE-2024-0729 (CVSS 7.5): Improper authentication in firmware updates
  • CVE-2024-0730 (CVSS 8.2): Buffer overflow in Ethernet communication module

These vulnerabilities affect firmware versions 1.0.0 through 1.6.2, with approximately 8,500 devices estimated to be exposed globally across manufacturing, energy, and water treatment facilities.

Technical Analysis of the Threats

WebSocket Command Injection (CVE-2024-0728)

The most severe vulnerability allows unauthenticated attackers to send specially crafted WebSocket messages that execute OS commands with root privileges. Researchers found the controllers don't validate input before passing it to system() calls in the web interface.
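To make the root cause concrete, the following added example (written for this article, not ABB's code) contrasts the two ways a web handler can turn a field from a WebSocket message into an OS command. The handler shape, the "ping a target" diagnostic, and the message field name are hypothetical; the point is the pattern, not the device's real interface. The unsafe version splices the untrusted value into a shell string, which is exactly what a later system() call would execute; the hardened version validates the value against an allowlist and returns an argv list meant for subprocess.run(argv) with shell=False, so no shell ever parses it.

```python
import ipaddress
import re

# Hypothetical diagnostic handler shapes, constructed for illustration; they do
# not reproduce ABB's code. Both take the "target" field of a WebSocket message
# and return the command that would be handed to the OS.


def build_ping_command_unsafe(target: str) -> str:
    """Vulnerable pattern: the untrusted field is spliced into a shell string.
    Anything the shell treats specially (; | && $(...)) becomes part of the
    command line. This is the defect class behind the WebSocket flaw."""
    return "ping -c 1 " + target  # would later be passed to system()


# Strict DNS-style hostname: labels of 1-63 alphanumerics/hyphens, no leading
# or trailing hyphen, 253 characters total.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_target(target: str) -> str:
    """Allowlist validation: accept only an IP literal or a DNS-style hostname.
    Everything else is rejected before it gets anywhere near a command."""
    try:
        return str(ipaddress.ip_address(target))
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"rejected target: {target!r}")


def build_ping_command_safe(target: str) -> list[str]:
    """Hardened pattern: validate against an allowlist, then return an argv
    list for subprocess.run(argv) with shell=False, so no shell parses the
    value. The helper should also run as an unprivileged user, not root."""
    return ["ping", "-c", "1", validate_target(target)]


if __name__ == "__main__":
    print(build_ping_command_unsafe("10.0.0.5; id"))   # shell would run both
    print(build_ping_command_safe("10.0.0.5"))          # argv list, no shell
    try:
        build_ping_command_safe("10.0.0.5; id")
    except ValueError as exc:
        print("rejected:", exc)
```

The second defence layer, running the diagnostic without a shell, matters even when validation is present: an allowlist bug then yields a bad argument to ping rather than an arbitrary root command.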

Firmware Update Authentication Bypass (CVE-2024-0729)

Attackers could upload malicious firmware images by intercepting and modifying update requests. The verification process fails to properly check cryptographic signatures.
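What a correct check looks like is worth spelling out, because the failure mode is usually not "no signature" but "signature checked after the image is already trusted". The added example below is not ABB's update code and the package layout is constructed for illustration. It uses HMAC-SHA256 with a pre-shared key purely so it runs with the standard library; a real firmware scheme uses an asymmetric signature (vendor private key, device-held public key), but the discipline is identical: authenticate the entire package first, compare in constant time, parse the header only after it is authenticated, and refuse rollback to an older version.

```python
import hashlib
import hmac
import struct

# Hypothetical firmware package layout, constructed for this example (not ABB's):
#   magic(4) | version(4, big-endian) | payload_len(4, big-endian) | payload | tag(32)
# The tag is HMAC-SHA256 over everything before it. An asymmetric signature
# would replace the HMAC in a real device; the verification order is the point.

MAGIC = b"FLXF"   # constructed magic value
HEADER_LEN = 12
TAG_LEN = 32


def package_firmware(key: bytes, version: int, payload: bytes) -> bytes:
    """Build a package the way a signing server would (test helper)."""
    header = MAGIC + struct.pack(">II", version, len(payload))
    body = header + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_firmware(key: bytes, package: bytes, current_version: int) -> tuple[int, bytes]:
    """Verify the whole package before trusting any field inside it.

    Returns (version, payload) on success and raises ValueError on any
    failure; the caller must not write anything to flash unless this returns.
    """
    if len(package) < HEADER_LEN + TAG_LEN:
        raise ValueError("package too short")
    body, tag = package[:-TAG_LEN], package[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time compare; a plain == exits early and leaks timing.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("signature check failed")
    # Only now is the header trustworthy enough to parse.
    magic = body[:4]
    version, payload_len = struct.unpack(">II", body[4:HEADER_LEN])
    if magic != MAGIC or payload_len != len(body) - HEADER_LEN:
        raise ValueError("malformed header")
    # Anti-rollback: a validly signed but older image must not be accepted.
    if version <= current_version:
        raise ValueError("rollback rejected")
    return version, body[HEADER_LEN:]


if __name__ == "__main__":
    key = b"constructed-test-key"
    pkg = package_firmware(key, 170, b"\x00\x01\x02")
    print(verify_firmware(key, pkg, current_version=162))
    tampered = pkg[:12] + bytes([pkg[12] ^ 0xFF]) + pkg[13:]
    try:
        verify_firmware(key, tampered, current_version=162)
    except ValueError as exc:
        print("rejected:", exc)
```

An update request intercepted and modified in transit fails at the compare_digest step here, before the header or payload is interpreted, which is the property a signature check has to deliver regardless of the algorithm behind it.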

Ethernet Stack Buffer Overflow (CVE-2024-0730)

Specially crafted network packets can trigger a stack-based buffer overflow in the Ethernet/IP communication module, potentially leading to remote code execution or denial-of-service conditions.

Impact on Industrial Environments

Successful exploitation could enable:

  • Unauthorized process manipulation in manufacturing systems
  • Disruption of critical infrastructure operations
  • Lateral movement within OT networks
  • Permanent device bricking through corrupted firmware

Mitigation Strategies

ABB has released firmware version 1.7.0 addressing these issues. CISA recommends:

  1. Immediate patching of all affected devices
  2. Network segmentation to isolate FLXEON controllers
  3. WebSocket traffic monitoring for anomalous patterns
  4. Disabling unnecessary services (Telnet, HTTP) where possible
  5. Implementation of application allowlisting on host systems

For systems that cannot be immediately updated, temporary workarounds include:

  • Restricting WebSocket access to trusted IPs
  • Enabling firmware package signature verification
  • Disabling remote firmware update capabilities

Broader ICS Security Implications

This advisory highlights several ongoing challenges in industrial cybersecurity:

  • Legacy protocol risks: Many ICS devices maintain backward compatibility with insecure protocols
  • Supply chain exposures: Third-party components (like the vulnerable WebSocket implementation) introduce hidden risks
  • Patch management difficulties: Many industrial environments cannot tolerate downtime for updates

Detection and Response Guidance

Security teams should monitor for:

  • Unexpected firmware update attempts
  • WebSocket connections from unusual locations
  • Abnormal process commands being sent to controllers
  • Crash logs from the Ethernet communication module
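The four indicators above, together with the "restrict WebSocket access to trusted IPs" workaround from the mitigation section, can be turned into simple detection logic. The added example below is written for this article and runs over constructed log lines in a made-up format; the log fields, the trusted engineering-workstation range, and the list of expected process commands are all assumptions that would come from the site's own asset inventory and controller documentation.

```python
import ipaddress
import re
from dataclasses import dataclass

# Trusted engineering-workstation ranges; constructed for the example, not a
# value from the advisory. In practice this comes from the asset inventory.
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed log format (not ABB's): "<ts> src=<ip> event=<type> detail=<text>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+) detail=(?P<detail>.*)$"
)

# Process commands the controller is expected to receive; anything else is odd.
EXPECTED_COMMANDS = {"read_tag", "write_tag", "get_status"}
SHELL_META = re.compile(r"[;&|`$()<>]")


@dataclass
class Alert:
    ts: str
    src: str
    rule: str
    detail: str


def _trusted(src: str) -> bool:
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines):
    """Return one Alert per log line matching a detection rule, in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable lines are skipped here; count them in production
        ts, src, event, detail = m.group("ts", "src", "event", "detail")
        if event == "firmware_update":
            # Any update attempt is unexpected outside a planned maintenance window.
            alerts.append(Alert(ts, src, "firmware-update-attempt", detail))
        elif event == "ws_connect" and not _trusted(src):
            alerts.append(Alert(ts, src, "ws-from-untrusted-source", detail))
        elif event == "ws_command":
            name = detail.split(" ", 1)[0]
            if name not in EXPECTED_COMMANDS or SHELL_META.search(detail):
                alerts.append(Alert(ts, src, "abnormal-command", detail))
        elif event == "module_crash" and "ethernet" in detail.lower():
            alerts.append(Alert(ts, src, "ethernet-module-crash", detail))
    return alerts


# Constructed sample log: one normal session followed by suspicious activity.
SAMPLE_LOG = [
    "2024-03-05T08:00:01Z src=10.10.5.20 event=ws_connect detail=session=1",
    "2024-03-05T08:00:02Z src=10.10.5.20 event=ws_command detail=read_tag Tank1.Level",
    "2024-03-05T08:14:33Z src=203.0.113.7 event=ws_connect detail=session=2",
    "2024-03-05T08:14:35Z src=203.0.113.7 event=ws_command detail=diag_ping 10.0.0.5;id",
    "2024-03-05T08:20:10Z src=203.0.113.7 event=firmware_update detail=image=flx_mod.bin",
    "2024-03-05T08:21:00Z src=- event=module_crash detail=Ethernet/IP task restarted",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"{alert.ts} {alert.rule:28} src={alert.src} {alert.detail}")
```

The sample session from 203.0.113.7 trips three rules in sequence (untrusted source, abnormal command, firmware update attempt), and the crash line trips the fourth; seen together in the same few minutes they describe the exploitation chain the advisory warns about, so correlating by source address and time window is more useful than alerting on each rule in isolation.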

About ABB FLXEON Controllers

ABB's FLXEON series are compact PLCs designed for:

  • Building automation systems
  • Water treatment plant controls
  • Discrete manufacturing applications
  • Energy management systems

Their web-based configuration interface and Ethernet connectivity make them convenient targets for attackers seeking ICS access points.

Timeline of Vulnerability Disclosure

  • 2023-11-15: Vulnerabilities discovered by Claroty Research
  • 2024-01-08: Coordinated disclosure to ABB
  • 2024-02-20: Patch released by ABB
  • 2024-03-05: CISA advisory published

Beyond immediate patching, organizations should:

  • Conduct asset inventories to identify all FLXEON deployments
  • Implement network traffic baselining for anomaly detection
  • Train OT staff on recognizing attack indicators
  • Develop incident response plans specific to controller compromises

This incident reflects broader patterns in industrial cybersecurity:

  1. Increasing focus on protocol-level vulnerabilities
  2. Growing attacker sophistication in manipulating OT systems
  3. Regulatory pressure for better vulnerability disclosure processes
  4. Convergence of IT and OT security practices

Organizations using affected controllers should prioritize remediation given the critical nature of these flaws and the sensitive environments where these devices are typically deployed.