PatchSiren

CVE-2024-41975 ABB CVE debrief

CVE-2024-41975 describes a default-exposure issue in the ABB Automation Builder Gateway for Windows. The gateway listens on all network adapters on TCP port 1217, which can allow remote access in environments where only local access is intended; while user management on the PLCs helps prevent direct access, the advisory notes that unauthenticated attackers may still search for PLCs and map restricted networks.

Vendor: ABB
Product: Automation Builder
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-24
Original CVE updated: 2026-05-12
Advisory published: 2026-02-24
Advisory updated: 2026-05-12

Who should care

OT/ICS administrators, ABB Automation Builder users, PLC operators, and network/security teams that manage Windows systems exposing the gateway or bundling it with other CODESYS-based installations.

Technical summary

According to the CISA-republished ABB PSIRT advisory, the gateway is a communication channel for clients to AC500 PLCs and is reachable remotely by default because it listens on all adapters on port 1217. If remote access is not required, ABB recommends setting LocalAddress=127.0.0.1 in the [CmpGwCommDrvTcp] section of Gateway.cfg and restarting the gateway. Starting with Automation Builder 2.9.0, the default changes to local access only.

Defensive priority

Medium

Recommended defensive actions

  • Upgrade to ABB Automation Builder 2.9.0 or later, which changes the gateway default to local access only.
  • If remote access is not required, set LocalAddress=127.0.0.1 in the [CmpGwCommDrvTcp] section of the Gateway.cfg file and restart the gateway.
  • Review systems where the gateway was installed separately or as part of other CODESYS-related setups, and verify their gateway configuration.
  • Limit exposure of TCP port 1217 to only the networks that explicitly require it.
  • Follow CISA ICS recommended practices and defense-in-depth guidance for OT network segmentation and access control.
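
One way to verify the configuration and exposure items above on a host, as an added example that is not ABB's or CISA's code: it classifies the LocalAddress setting in the contents of a Gateway.cfg and lists non-loopback listeners on port 1217 from netstat output. The function names are hypothetical, and the code assumes an INI-style Gateway.cfg and English-language `netstat -ano` output with numeric addresses; the sample inputs are constructed.

```python
import configparser
import ipaddress

SECTION, KEY, GATEWAY_PORT = "CmpGwCommDrvTcp", "LocalAddress", 1217  # from the advisory

def audit_gateway_cfg(cfg_text):
    """Classify the gateway binding configured in the text of a Gateway.cfg."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   allow_no_value=True, inline_comment_prefixes=(";", "#"))
    try:
        cp.read_string(cfg_text)
    except configparser.Error:
        return "invalid"
    section = next((s for s in cp.sections() if s.lower() == SECTION.lower()), None)
    value = cp.get(section, KEY, fallback=None) if section else None
    if not value:
        return "default"  # product default applies: local only from 2.9.0, all adapters before
    try:
        loopback = ipaddress.ip_address(value.strip()).is_loopback
    except ValueError:
        return "invalid"
    return "local-only" if loopback else "remote-reachable"

def exposed_listeners(netstat_text, port=GATEWAY_PORT):
    """Return local endpoints listening on `port` that are not bound to loopback."""
    exposed = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0].upper() != "TCP" or f[3].upper() != "LISTENING":
            continue
        host, _, lport = f[1].rpartition(":")
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        if lport == str(port) and not ipaddress.ip_address(host).is_loopback:
            exposed.append(f[1])
    return exposed

# Constructed sample inputs (not taken from a real system).
SAMPLE_CFG = "[CmpGwCommDrvTcp]\nLocalAddress=127.0.0.1\n"
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:1217      0.0.0.0:0     LISTENING    4321
  TCP    127.0.0.1:1217    0.0.0.0:0     LISTENING    4321
  TCP    0.0.0.0:445       0.0.0.0:0     LISTENING    4
"""

if __name__ == "__main__":
    print(audit_gateway_cfg(SAMPLE_CFG), exposed_listeners(SAMPLE_NETSTAT))
```

A "default" result has to be read against the installed version, since the default only became local-only with Automation Builder 2.9.0.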

Evidence notes

The supplied CISA CSAF advisory (ICSA-26-132-04) states that the gateway listens on all available network adapters on port 1217 by default and can therefore be accessed remotely. It also states that remote access is only required in certain network configurations, that many users may be unaware of this exposure, and that unauthenticated attackers can search for PLCs, though PLC user management prevents direct PLC access unless disabled. The remediation text says to use LocalAddress=127.0.0.1 for local-only access and that Automation Builder 2.9.0 closes the vulnerability by changing the default. The supplied enrichment marks this CVE as not KEV-listed.

Official resources

CVE-2024-41975 was published on 2026-02-24T00:30:00.000Z and modified on 2026-05-12T05:00:00.000Z. The supplied source notes that CISA republished the ABB PSIRT advisory on 2026-05-12.