ABB FLXEON Controllers

1. EXECUTIVE SUMMARY

  • CVSS v4 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ABB
  • Equipment: FLXEON Controllers
  • Vulnerabilities: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’), Missing Origin Validation in WebSockets, Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to send unauthorized HTTPS requests, access sensitive information from HTTPS responses, or use network access to execute remote code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports that the following products are affected:

  • FLXEON Controllers FBXi: Version 9.3.4 and prior
  • FLXEON Controllers FBVi: Version 9.3.4 and prior
  • FLXEON Controllers FBTi: Version 9.3.4 and prior
  • FLXEON Controllers CBXi: Version 9.3.4 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON version 9.3.4 and prior.

CVE-2024-48841 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48841. A base score of 10.0 has been calculated; the CVSS vector string is (