PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-7348 ABB CVE debrief

CVE-2024-7348 is a high-severity issue affecting ABB Ability Symphony Plus S+ Engineering. It stems from a race condition in PostgreSQL and can let an attacker who already has a low-privileged database account execute arbitrary SQL functions with the privileges of a PostgreSQL utility, which is typically run as a highly privileged user. The advisory says affected installations should be upgraded to S+ Engineering 2.4 SP2 RU1 or later, and states that no workarounds are available.

Vendor: ABB
Product: Ability Symphony Plus
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-13
Original CVE updated: 2026-04-30
Advisory published: 2026-04-13
Advisory updated: 2026-04-30

Who should care

ABB Ability Symphony Plus S+ Engineering administrators, OT/ICS security teams, and operators responsible for affected installations in industrial environments.

Technical summary

CISA’s republished ABB PSIRT advisory describes a PostgreSQL time-of-check time-of-use (TOCTOU) race condition affecting ABB Ability Symphony Plus S+ Engineering versions 2.2 through 2.4 SP2. The issue can allow an attacker to execute arbitrary SQL functions by leveraging a PostgreSQL utility that is often run with high privileges: the utility checks an object at one moment and acts on it at another, and an attacker who changes the object in between gets their own code run in the utility’s context. The CVSS v3.1 base score is 8.8 with vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, so exploitation requires a low-privileged account (PR:L) but no user interaction, and full compromise of confidentiality, integrity and availability follows. The advisory states that exploitation also requires access to the site’s S+ client/server network.

Defensive priority

High. Prioritize upgrading affected systems to S+ Engineering 2.4 SP2 RU1 or later, starting with installations whose S+ client/server network is reachable from other zones or is poorly segmented.

Recommended defensive actions

  • Inventory ABB Ability Symphony Plus S+ Engineering deployments and record the exact version string (including SP and RU level) of each, then confirm whether any fall within versions 2.2 through 2.4 SP2.
  • Upgrade impacted systems to S+ Engineering 2.4 SP2 RU1 or later as soon as change control allows.
  • If immediate upgrade is not possible, apply ABB’s mitigating factors by tightening network architecture and perimeter firewall controls so that only authorized hosts can reach the S+ client/server network.
  • Because ABB states that no workarounds are available, treat network restriction as exposure reduction only: it limits who can reach the vulnerable component but does not remove the vulnerability, so the upgrade still has to be scheduled.
  • Follow ABB’s general security recommendations and defense-in-depth practices for industrial control systems.
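The inventory step turns on comparing version strings such as "2.4 SP2" and "2.4 SP2 RU1" correctly, which a plain string comparison gets wrong. The following Python is an added example written for this debrief, not code from ABB, CISA or PatchSiren. It assumes S+ Engineering versions are written as major.minor with optional "SPn" and "RUm" suffixes, and that a base release sorts below its service packs and a service pack below its rollup updates (an assumption about ABB’s release ordering, not a fact stated in the advisory). The hostnames and versions in the sample inventory are constructed for illustration.

```python
import re
from typing import NamedTuple

# Constructed sample inventory: hostnames and version strings are made up
# for illustration and do not describe any real installation.
SAMPLE_INVENTORY = {
    "splus-eng-01": "2.2",
    "splus-eng-02": "2.3 SP1",
    "splus-eng-03": "2.4 SP2",
    "splus-eng-04": "2.4 SP2 RU1",
    "splus-eng-05": "2.4 SP3",
    "splus-eng-06": "2.1 SP2",
    "splus-eng-07": "build 4711",   # deliberately unparsable
}

# Assumed version string shape: "<major>.<minor>[ SP<n>][ RU<m>]".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\s*SP\s*(\d+))?(?:\s*RU\s*(\d+))?\s*$",
    re.IGNORECASE,
)


class SPlusVersion(NamedTuple):
    """Tuple ordering gives the assumed release order: base < SPn < SPn RUm."""
    major: int
    minor: int
    sp: int   # 0 when no service pack suffix is present
    ru: int   # 0 when no rollup update suffix is present


def parse_version(text: str) -> SPlusVersion:
    """Parse a version string; raise ValueError on anything unexpected."""
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised S+ Engineering version string: {text!r}")
    major, minor, sp, ru = m.groups()
    return SPlusVersion(int(major), int(minor), int(sp or 0), int(ru or 0))


# Boundaries taken from the advisory: affected 2.2 through 2.4 SP2,
# fixed in 2.4 SP2 RU1 or later.
AFFECTED_MIN = parse_version("2.2")
AFFECTED_MAX = parse_version("2.4 SP2")
FIXED_MIN = parse_version("2.4 SP2 RU1")


def classify(text: str) -> str:
    """Return 'fixed', 'affected' or 'outside advisory range' for one version."""
    v = parse_version(text)
    if v >= FIXED_MIN:
        return "fixed"
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    # Older than 2.2: the advisory makes no statement, so do not call it safe.
    return "outside advisory range"


def triage(inventory: dict) -> dict:
    """Classify every host; unparsable strings are flagged rather than guessed."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparsable; verify manually"
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:12} {status}")
```

Versions below 2.2 are reported as outside the advisory’s stated range rather than as safe, because the advisory does not say anything about them; the same applies to strings the parser cannot read, which are flagged for a manual check instead of being silently dropped from the affected list.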

Evidence notes

This debrief is based on the CISA CSAF republished advisory ICSA-26-120-06 / ABB PSIRT advisory 7PAA017341, plus the linked CVE.org and NVD records. The source corpus provides the affected version range, the upgrade target, the no-workaround statement, and the network-access mitigation context. The vendor field in the supplied metadata is low confidence, so the advisory attribution here follows the source material rather than that field.

Official resources

CISA published the advisory on 2026-04-13 and republished it on 2026-04-30, citing ABB PSIRT advisory 7PAA017341.