Severity: critical

ABB B&R Automation Studio

ABB has disclosed multiple vulnerabilities in B&R Automation Studio versions prior to 6.5, stemming from an outdated third-party SQLite component. These flaws, which include heap-based buffer overflows and integer overflows, could potentially be exploited to achieve remote code execution, data exposure, or denial of service, though no active exploitation has been observed.

Confidence: high. Analyzed: 2026-05-24

Authors: CISA, ABB PSIRT

Source: CISA


What Happened

ABB has identified several security vulnerabilities in its B&R Automation Studio software, specifically in versions older than 6.5. These issues are caused by an outdated, built-in database component called SQLite. If exploited, attackers could potentially gain unauthorized access, steal data, or run malicious code on the affected systems. This is a critical issue because it affects industrial control systems used worldwide. Organizations using this software should update to version 6.5 immediately and ensure their control systems are isolated from the public internet.

Key Takeaways

  • ABB B&R Automation Studio versions prior to 6.5 contain multiple vulnerabilities due to an outdated SQLite component.
  • The vulnerabilities could allow unauthorized access, data exposure, or remote code execution (RCE).
  • The maximum CVSS v3 score is 9.8 (Critical).
  • Users are strongly advised to update to B&R Automation Studio version 6.5.
  • No active exploitation has been observed in the wild.

Affected Systems

  • ABB B&R Automation Studio < 6.5

Vulnerabilities (CVEs)

  • CVE-2025-6965
  • CVE-2025-3277
  • CVE-2023-7104
  • CVE-2022-35737
  • CVE-2020-15358
  • CVE-2020-13632
  • CVE-2020-13631
  • CVE-2020-13630
  • CVE-2020-13435
  • CVE-2020-13434
  • CVE-2020-11656
  • CVE-2020-11655
  • CVE-2019-19646
  • CVE-2019-19645
  • CVE-2019-8457
  • CVE-2018-20506
  • CVE-2018-20505
  • CVE-2018-20346
  • CVE-2018-8740
  • CVE-2017-10989
  • CVE-2016-6153
  • CVE-2015-6607
  • CVE-2015-5895
  • CVE-2015-3717
  • CVE-2015-3416

Attack Chain

The advisory details vulnerabilities in the SQLite component embedded within ABB B&R Automation Studio. An attacker could potentially exploit these flaws by supplying crafted inputs or malformed SQL queries to the application. Successful exploitation of the memory corruption, buffer overflow, or integer overflow vulnerabilities could lead to arbitrary code execution, denial of service, or unauthorized data access. No active exploitation or specific attack chain has been observed in the wild.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the advisory; detection relies on identifying vulnerable software versions in the environment.
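Because the advisory ships no detection rules, the practical first step is an inventory sweep for Automation Studio installs below 6.5. The script below is an added example, not part of the advisory or ABB's tooling; the inventory record layout (host, product, version) and the sample rows are constructed, and the product-name regex is an assumption about how the software appears in inventory exports. The point it makes is that versions must be compared numerically: a plain string comparison would rank "4.12" below "4.9" and misclassify hosts.

```python
"""Flag hosts whose software inventory reports B&R Automation Studio older than 6.5.

Added example; not part of the advisory. The inventory format (host, product,
version) and the sample rows below are constructed for illustration.
"""
import re

FIXED_VERSION = (6, 5)                       # first fixed release per the advisory
PRODUCT_PATTERN = re.compile(r"automation\s*studio", re.IGNORECASE)  # assumed product label

# Constructed sample inventory; real data would come from SCCM, an agent, or a CMDB export.
INVENTORY = [
    {"host": "eng-ws-01", "product": "B&R Automation Studio", "version": "4.12.3"},
    {"host": "eng-ws-02", "product": "B&R Automation Studio", "version": "6.5.0"},
    {"host": "eng-ws-03", "product": "B&R Automation Studio", "version": "6.4.1"},
    {"host": "eng-ws-04", "product": "Automation Studio",     "version": "V4.9"},
    {"host": "eng-ws-05", "product": "B&R Automation Studio", "version": "unknown"},
    {"host": "hmi-07",    "product": "Some Other Tool",       "version": "1.0"},
]


def parse_version(text):
    """Turn '4.12.3', 'V6.5' or '6.5.0' into a tuple of ints.

    Trailing zeros are dropped so that 6.5.0 compares equal to 6.5.
    Raises ValueError when the string carries no version digits at all.
    """
    m = re.search(r"\d+(?:\.\d+)*", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(version_text):
    """True when the reported version is strictly older than 6.5 (numeric, not string, order)."""
    return parse_version(version_text) < FIXED_VERSION


def find_vulnerable_hosts(records):
    """Return {'vulnerable': [(host, version)], 'unparsed': [host]} for Automation Studio entries."""
    result = {"vulnerable": [], "unparsed": []}
    for rec in records:
        if not PRODUCT_PATTERN.search(rec["product"]):
            continue                              # some other product, ignore
        try:
            if is_vulnerable(rec["version"]):
                result["vulnerable"].append((rec["host"], rec["version"]))
        except ValueError:
            # No usable version string: it cannot be proven patched, so queue it for review.
            result["unparsed"].append(rec["host"])
    return result


if __name__ == "__main__":
    report = find_vulnerable_hosts(INVENTORY)
    for host, version in report["vulnerable"]:
        print(f"{host}: Automation Studio {version} is older than 6.5, update required")
    for host in report["unparsed"]:
        print(f"{host}: version not parseable, verify manually")
```

Hosts whose inventory entry carries no parseable version are reported separately rather than silently treated as patched; in practice those need a manual check of the installed build.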

Detection Engineering Assessment

EDR Visibility: Low. EDR may catch post-exploitation activity (e.g., unexpected child processes from Automation Studio), but the initial exploitation of SQLite memory corruption is difficult to detect without specific memory scanning or application crash logs.

Network Visibility: Low. Exploitation likely occurs via application-specific protocols or local file parsing, which are typically encrypted or proprietary and hard to inspect at the network level.

Detection Difficulty: Hard. Detecting exploitation of embedded SQLite vulnerabilities requires deep application-level inspection or catching the resulting anomalous behavior post-compromise.

Required Log Sources

  • Application Crash Logs
  • Software Inventory Logs
  • Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)

Hunting Hypotheses

Hypothesis 1: Consider hunting for unexpected child processes or shell executions originating from the ABB B&R Automation Studio process, which may indicate successful remote code execution.
  • Telemetry: Process creation logs (Event ID 4688 or Sysmon Event ID 1)
  • ATT&CK Stage: Execution
  • FP Risk: Low

Hypothesis 2: Consider monitoring for frequent or unexplained application crashes of ABB B&R Automation Studio, which could indicate failed exploitation attempts of memory corruption vulnerabilities.
  • Telemetry: Windows Application Event Logs (Event ID 1000)
  • ATT&CK Stage: Execution
  • FP Risk: Medium
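Both hypotheses can be run as simple logic over exported process-creation and application-error events. The script below is an added example, not part of the advisory: the event records are simplified dicts modelled on the Sysmon Event ID 1, Security Event ID 4688 and Application Event ID 1000 fields, and all sample events are constructed. The advisory does not name the Automation Studio executable, so AUTOMATION_STUDIO_IMAGES holds a placeholder to be replaced with the image name seen in your own inventory; the EXPECTED_CHILDREN allowlist is likewise a placeholder to be built from a baseline of normal IDE activity.

```python
"""Hunt the two advisory hypotheses over exported Windows events.

Added example, not part of the advisory. Event records are simplified dicts
modelled on Sysmon Event ID 1, Security Event ID 4688 and Application Event
ID 1000 fields; sample events, paths and executable names are constructed.
"""
from collections import Counter

# PLACEHOLDER: the advisory does not name the Automation Studio executable.
# Replace with the image name(s) recorded for the IDE in your environment.
AUTOMATION_STUDIO_IMAGES = {"automationstudio.exe"}

# PLACEHOLDER allowlist of children that are normal for the IDE (build tools,
# console host). Build the real list from a baseline of observed activity.
EXPECTED_CHILDREN = {"gcc.exe", "conhost.exe"}

# Shells and script hosts: their appearance under the IDE is the strongest signal.
SHELL_LIKE = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
              "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Constructed sample events (hosts, paths and counts are illustrative only).
AS_PATH = r"C:\Program Files\PLACEHOLDER\AutomationStudio.exe"
EVENTS = [
    {"host": "eng-ws-01", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent_image": AS_PATH},
    {"host": "eng-ws-01", "event_id": 1, "image": r"C:\Tools\gcc.exe", "parent_image": AS_PATH},
    {"host": "eng-ws-02", "event_id": 4688, "new_process_name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process_name": AS_PATH},
    {"host": "eng-ws-02", "event_id": 4688, "new_process_name": r"C:\Windows\notepad.exe", "parent_process_name": AS_PATH},
    {"host": "eng-ws-02", "event_id": 4688, "new_process_name": r"C:\Windows\notepad.exe",
     "parent_process_name": r"C:\Windows\explorer.exe"},
    {"host": "eng-ws-03", "event_id": 1000, "faulting_application": "AutomationStudio.exe"},
    {"host": "eng-ws-03", "event_id": 1000, "faulting_application": "AutomationStudio.exe"},
    {"host": "eng-ws-03", "event_id": 1000, "faulting_application": "AutomationStudio.exe"},
    {"host": "eng-ws-01", "event_id": 1000, "faulting_application": "AutomationStudio.exe"},
    {"host": "eng-ws-03", "event_id": 1000, "faulting_application": "other.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path; tolerates '/' separators and bare names."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def child_and_parent(event):
    """Normalise Sysmon 1 and Security 4688 records to a (child, parent) name pair."""
    if event["event_id"] == 1:          # Sysmon process creation
        return basename(event["image"]), basename(event["parent_image"])
    if event["event_id"] == 4688:       # Windows Security process creation
        return basename(event["new_process_name"]), basename(event["parent_process_name"])
    return None                         # not a process-creation record


def hunt_child_processes(events):
    """Hypothesis 1: children of Automation Studio that are not on the allowlist."""
    findings = []
    for ev in events:
        pair = child_and_parent(ev)
        if pair is None:
            continue
        child, parent = pair
        if parent not in AUTOMATION_STUDIO_IMAGES or child in EXPECTED_CHILDREN:
            continue
        findings.append({
            "host": ev["host"],
            "child": child,
            "parent": parent,
            # A shell or script host under the IDE is rated higher than an arbitrary child.
            "severity": "high" if child in SHELL_LIKE else "medium",
        })
    return findings


def hunt_crashes(events, threshold=3):
    """Hypothesis 2: hosts with at least `threshold` Event ID 1000 crashes of Automation Studio."""
    counts = Counter(
        ev["host"] for ev in events
        if ev["event_id"] == 1000
        and basename(ev["faulting_application"]) in AUTOMATION_STUDIO_IMAGES
    )
    return {host: n for host, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for f in hunt_child_processes(EVENTS):
        print(f"[{f['severity']}] {f['host']}: {f['parent']} spawned {f['child']}")
    for host, n in hunt_crashes(EVENTS).items():
        print(f"[medium] {host}: {n} Automation Studio crashes, review for failed exploitation")
```

The crash threshold is the tuning knob that drives the "Medium" false-positive risk noted for hypothesis 2: a single crash of a large IDE is routine, so the count per host over the hunt window is what matters, and the threshold should be set from how often the application crashes in normal use.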

Control Gaps

  • Lack of application-level input validation
  • Outdated third-party dependencies

Key Behavioral Indicators

  • Unexpected child processes from Automation Studio
  • Application crash events (Event ID 1000) related to Automation Studio

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider updating ABB B&R Automation Studio to version 6.5 or later at the earliest convenience.

Infrastructure Hardening

  • Evaluate whether control system networks and remote devices can be located behind firewalls and isolated from business networks.
  • Consider minimizing network exposure for all control system devices and ensuring they are not accessible from the internet.
  • If remote access is required, consider using secure methods such as updated Virtual Private Networks (VPNs).

User Protection

  • Consider restricting access to the Automation Studio environment to authorized personnel only.

Security Awareness

  • Consider training ICS operators on the risks of processing untrusted project files or connecting to untrusted networks.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution