Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON 9.3.4 and older.
An attacker with network access to the FLXEON device can send a specially crafted request that leads to execution of arbitrary system commands (command injection, CWE-77). The vulnerability does not require authentication, user interaction, or special attack conditions. Code execution occurs with elevated privileges, giving the attacker full control of the system.
An attacker can remotely take full control of the device by executing arbitrary code with elevated privileges, which may lead to violation of confidentiality, integrity, and availability of both the device itself and systems connected to it.
Apply patches available from the manufacturer according to references (ABB documentation number 9AKK108470A5684). Until the update is implemented, it is recommended to isolate FLXEON devices from untrusted networks and restrict network access to the minimum through firewall or network segmentation.
ABB FLXEON version 9.3.4 and earlier.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X