
ABB EIBPORT

ABB EIBPORT building management systems running firmware prior to version 3.9.2 contain a high-severity Cross-Site Scripting (XSS) vulnerability (CVE-2021-22291). Successful exploitation allows attackers to steal session IDs, leading to unauthenticated device access, sensitive information disclosure, and unauthorized configuration changes.

Confidence: high · Analyzed: 2026-05-28

Authors: CISA, ABB PSIRT

Source: CISA


What Happened

ABB EIBPORT devices, which are used for building automation, have a security flaw in versions older than 3.9.2. This flaw allows an attacker to steal a user's session and gain unauthorized access to the device. If accessed, the attacker could view sensitive information and change the building management system's settings. Organizations using these devices should immediately update to firmware version 3.9.2 or later. Additionally, these devices should never be directly connected to the internet.

Key Takeaways

  • ABB EIBPORT devices running firmware versions prior to 3.9.2 are vulnerable to Cross-Site Scripting (XSS).
  • Exploitation of CVE-2021-22291 allows attackers to steal session IDs and gain unauthenticated access.
  • Successful attackers can access sensitive information and modify device configurations.
  • ABB has released firmware version 3.9.2 to address these vulnerabilities.
  • Devices should not be exposed to the internet and must be placed behind firewalls.

Affected Systems

  • ABB EIBPORT V3 KNX (2CLA963710W1001) versions < 3.9.2
  • ABB EIBPORT V3 KNX (2CSM256242R2001) versions < 3.9.2
  • ABB EIBPORT V3 KNX GSM (2CLA963720W1001) versions < 3.9.2

Vulnerabilities (CVEs)

  • CVE-2021-22291

Attack Chain

An attacker targets an ABB EIBPORT device running vulnerable firmware. By exploiting a Cross-Site Scripting (XSS) vulnerability (CVE-2021-22291), the attacker intercepts or receives a copy of a valid session ID. Using this stolen session ID, the attacker bypasses authentication to access the device. Once authenticated, the attacker can extract sensitive information and modify the device's configuration.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: None — ABB EIBPORT is a specialized ICS/building management hardware device that does not support the installation of traditional EDR agents.
  • Network Visibility: Medium — Network traffic monitoring can potentially identify XSS payloads targeting the device's web interface or detect anomalous access patterns.
  • Detection Difficulty: Moderate — Detecting XSS payloads in web traffic is standard, but identifying stolen session ID reuse requires a behavioral baseline of source IPs accessing the device.

Required Log Sources

  • Network IDS/IPS
  • Firewall Logs
  • Web Application Firewall (WAF) Logs

Hunting Hypotheses

  • Hypothesis: Consider hunting for anomalous source IP addresses accessing the EIBPORT web interface using existing, valid session IDs, which may indicate session hijacking. Telemetry: Web Server Logs, Network Traffic. ATT&CK Stage: Credential Access. FP Risk: Medium.
  • Hypothesis: If you have visibility into network traffic targeting ICS devices, consider hunting for common XSS payloads in HTTP requests directed at ABB EIBPORT devices. Telemetry: Network IDS/IPS. ATT&CK Stage: Initial Access. FP Risk: Low.

Control Gaps

  • Lack of EDR visibility on embedded ICS devices
  • Direct internet exposure of ICS devices through improper configuration

Key Behavioral Indicators

  • Unexpected configuration changes on EIBPORT devices
  • Multiple distinct IP addresses utilizing the same session ID concurrently
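The session-hijacking hunt above (one valid session ID used from more than one source IP within a short window) can be run over web server or reverse-proxy access logs. The following is an added example, not code from the CISA or ABB advisory; the log line format, the `sid=` field and the sample lines are constructed assumptions, since the EIBPORT's own log format is not described on this page.

```python
# Flag session IDs reused from different source IPs within a time window.
# Added example; the access-log format below is an assumption (client IP,
# ISO timestamp, request, status, session ID) and the lines are constructed.
from collections import defaultdict
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
10.0.5.21 [2021-03-02T09:00:01] "GET /webif/index.html" 200 sid=a1b2c3
10.0.5.21 [2021-03-02T09:00:09] "GET /webif/config" 200 sid=a1b2c3
203.0.113.7 [2021-03-02T09:03:44] "GET /webif/config" 200 sid=a1b2c3
203.0.113.7 [2021-03-02T09:04:02] "POST /webif/config/save" 200 sid=a1b2c3
10.0.5.30 [2021-03-02T09:10:00] "GET /webif/index.html" 200 sid=d4e5f6
10.0.5.30 [2021-03-02T13:00:00] "GET /webif/index.html" 200 sid=d4e5f6
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) sid=(?P<sid>\S+)$'
)

def parse_log(text):
    """Yield (timestamp, ip, session_id, request) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        yield (datetime.fromisoformat(m["ts"]), m["ip"], m["sid"], m["req"])

def find_shared_sessions(records, window=timedelta(minutes=30)):
    """Return {session_id: sorted IPs} for sessions whose consecutive requests
    came from different source IPs less than `window` apart (hijack indicator).
    A legitimate user changing networks hours later is not flagged."""
    by_sid = defaultdict(list)
    for ts, ip, sid, _ in records:
        by_sid[sid].append((ts, ip))
    hits = defaultdict(set)
    for sid, events in by_sid.items():
        events.sort()
        for (t1, ip1), (t2, ip2) in zip(events, events[1:]):
            if ip1 != ip2 and t2 - t1 <= window:
                hits[sid].update((ip1, ip2))
    return {sid: sorted(ips) for sid, ips in hits.items()}

if __name__ == "__main__":
    for sid, ips in find_shared_sessions(parse_log(SAMPLE_LOG)).items():
        print(f"session {sid} used from {len(ips)} IPs: {', '.join(ips)}")
```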

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Consider applying the ABB EIBPORT firmware update (version 3.9.2 or later) at the earliest convenience.
  • Evaluate whether any EIBPORT devices are directly accessible from the internet and immediately restrict access if found.

Infrastructure Hardening

  • Consider locating control system networks and remote devices behind firewalls, isolating them from business networks.
  • If remote access is required, evaluate using secure methods such as Virtual Private Networks (VPNs) with up-to-date software.
  • Ensure process control systems are physically protected from direct access by unauthorized personnel.

User Protection

  • Consider restricting process control systems from being used for internet surfing, instant messaging, or receiving emails.
  • Evaluate scanning portable computers and removable storage media for malware before connecting them to a control system.

Security Awareness

  • Consider training personnel on the risks of exposing ICS/OT devices to untrusted networks and the importance of network segmentation.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1539 - Steal Web Session Cookie