Back to Intelligence

CVE-2025-3449 & CVE-2025-11498: ABB B&R Automation Runtime Vulnerabilities — Defense Guide

SA
Security Arsenal Team
May 21, 2026
7 min read

CISA has released ICSA-26-141-04, detailing critical vulnerabilities in ABB B&R Automation Runtime. For organizations managing operational technology (OT) and industrial control systems (ICS), this is a signal to act immediately. These vulnerabilities provide a pathway for attackers to hijack valid user sessions or execute arbitrary code within the context of an engineer's browser session, effectively bypassing traditional perimeter defenses.

While the CVSS score of 6.1 might suggest a moderate severity in a traditional IT context, in the OT world, the integrity of the engineering workstation is paramount. If an attacker can compromise the browser session of a legitimate operator, they can manipulate logic, download malicious ladder logic, or pivot into the control network.

Technical Analysis

Affected Products:

  • Product: ABB B&R Automation Runtime
  • Affected Versions: All versions < 6.4 and version 6.4.

The Vulnerabilities: Three distinct CVEs have been identified, which when chained, pose a significant risk to the engineering interface:

  1. CVE-2025-3449 (Generation of Predictable Numbers or Identifiers): The web interface of the Automation Runtime generates session identifiers that are predictable. An attacker can calculate valid session IDs of active users and hijack their sessions without needing to authenticate. This negates the protection of login credentials.

  2. CVE-2025-3448 (Improper Neutralization of Input During Web Page Generation - 'Cross-site Scripting' [XSS]): The application fails to sanitize user input before rendering it in the web interface. An attacker can inject malicious JavaScript into specific parameters. When a targeted administrator or engineer views the affected page, the script executes in their browser context.

  3. CVE-2025-11498 (Improper Neutralization of Formula Elements in a CSV File): Often referred to as CSV Injection, this vulnerability allows an attacker to embed malicious formulas (e.g., =cmd|' /C calc'!A0) into data fields that are later exported to CSV. When an engineer opens this exported file in Microsoft Excel (which is common for log analysis or report generation), the formula executes, potentially leading to code execution on the engineering workstation.

Exploitation Status: Currently, these vulnerabilities are disclosed via vendor analysis. There is no confirmation of active, in-the-wild exploitation at the time of writing, but the public release of CISA advisories often serves as a trigger for threat actors scanning for exposed interfaces.

Detection & Response

Defending against these vulnerabilities requires a multi-layered approach. We need to detect the initial web exploitation attempts (XSS/Session Hijacking) and the follow-on activity (CSV Injection execution).

Sigma Rules

The following Sigma rules target the web server logs for exploitation attempts and the endpoint for the result of CSV Injection.

YAML
---
title: Potential ABB Automation Runtime XSS Injection Attempt
id: 9a1b2c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects potential Cross-Site Scripting (XSS) attempts against ABB Automation Runtime web interfaces via URI parameters.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-141-04
author: Security Arsenal
date: 2025/02/26
tags:
  - attack.initial_access
  - attack.t1190
  - cve-2025-3448
logsource:
  category: webserver
  product: apache
  # Note: If running IIS or other web servers, add appropriate definitions
detection:
  selection_uri:
    c-uri|contains:
      - '<script'
      - 'javascript:'
      - 'onerror='
      - 'onload='
  selection_context:
    c-uri|contains:
      - '/automation'
      - '/webvisu'
  condition: all of selection_*
falsepositives:
  - Legitimate testing by authorized personnel
level: high
---
title: CSV Injection Payload in HTTP Parameters
id: b2c3d4e5-6f78-9012-3456-7890abcdef12
status: experimental
description: Detects characters often used in CSV Injection attacks within HTTP POST parameters, which could target the CVE-2025-11498 vulnerability.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-141-04
author: Security Arsenal
date: 2025/02/26
tags:
  - attack.initial_access
  - attack.t1566.001
  - cve-2025-11498
logsource:
  category: proxy
  product: suricata
  # Can also apply to webserver or firewall logs
detection:
  selection:
    cs-method|contains:
      - 'POST'
    c-uri-query|re: '^[=+\-@].*(cmd|powershell|calc|hyperlink)'
  condition: selection
falsepositives:
  - Valid data exports starting with symbols (rare in OT contexts)
level: medium
---
title: Suspicious Process Spawn via Excel (CSV Injection)
id: c3d4e5f6-7g89-0123-4567-8901bcdef234
status: experimental
description: Detects Microsoft Excel spawning a shell, a common indicator of successful CSV Injection (CVE-2025-11498).
references:
  - https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2025/02/26
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\EXCEL.EXE'
  selection_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\mshta.exe'
  condition: all of selection_*
falsepositives:
  - Legitimate Excel macros used for automation
level: high

KQL (Microsoft Sentinel / Defender)

This hunt query looks for web traffic patterns indicative of XSS attempts targeting the ABB web interface.

KQL — Microsoft Sentinel / Defender
// Hunt for XSS patterns targeting ABB Automation interfaces
let CommonXSSPatterns = dynamic(["<script", "javascript:", "onerror=", "onload=", "fromcharcode"]);
CommonSecurityLog
| where DeviceVendor in ("ABB", "B&R") or RequestURL contains "/automation"
| where RequestMethod == "GET" or RequestMethod == "POST"
| where isnotempty(RequestURL)
| parse RequestURL with * "?" QueryString
| where QueryString has any (CommonXSSPatterns)
| project TimeGenerated, DeviceIP, SourceIP, RequestURL, QueryString, RequestMethod
| order by TimeGenerated desc

Velociraptor VQL

This VQL artifact hunts for instances of Excel (the likely vector for CSV Injection) spawning command shells on engineering workstations.

VQL — Velociraptor
-- Hunt for Excel spawning child processes (CSV Injection Indicator)
SELECT Parent.ProcessName AS ParentProcess, 
       Process.Name AS ChildProcess,
       Process.Pid,
       Process.Cmdline,
       Process.StartTime
FROM process_events()
WHERE Parent.ProcessName =~ "EXCEL.EXE"
  AND ChildProcess IN ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")
ORDER BY Process.StartTime DESC
LIMIT 50

Remediation Script

This PowerShell script assists in hardening the network environment by blocking inbound management traffic to Automation Runtime devices from unauthorized subnets as an interim mitigation until patching is complete.

PowerShell
# Hardening Script: Restrict ABB Automation Runtime Management Access
# Usage: Run on the Windows Machine hosting the Engineering Interface or as a Network Policy enforcement script.
# Note: Modify $AllowedSubnets and $Ports as per your specific architecture.

$AllowedSubnets = @("192.168.10.0/24", "10.0.0.5") # Define your Engineering VLANs/Hosts
$Ports = @(80, 443, 44818) # Common ABB Web/Service Ports
$RuleName = "Block_ABB_Runtime_Unauthorized_Access"

# Check if rule exists and remove to update
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Remove-NetFirewallRule -DisplayName $RuleName
}

# Create Block Rule for Public/Untrusted Networks (Default Deny)
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound `
    -Action Block `
    -Protocol TCP `
    -LocalPort $Ports `
    -Profile Any `
    -Description "Block unauthorized access to ABB Automation Runtime ports."

# Create Allow Rules for specific trusted subnets
foreach ($Subnet in $AllowedSubnets) {
    $AllowRuleName = "Allow_ABB_Runtime_$($Subnet.Replace('/','_'))"
    if (Get-NetFirewallRule -DisplayName $AllowRuleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $AllowRuleName
    }
    
    New-NetFirewallRule -DisplayName $AllowRuleName `
        -Direction Inbound `
        -Action Allow `
        -Protocol TCP `
        -LocalPort $Ports `
        -RemoteAddress $Subnet `
        -Profile Any `
        -Description "Allow ABB Runtime management from trusted subnet $Subnet."
}

Write-Host "Firewall rules applied. Only $AllowedSubnets can access ports $($Ports -join ',')." -ForegroundColor Green

Remediation

  1. Patch Immediately: Apply the update provided by ABB that resolves these vulnerabilities. The vendor has released updates for versions 6.4 and newer. Ensure you are running a version > 6.4 that includes the security fixes mentioned in advisory ICSA-26-141-04.

  2. Network Segmentation: Ensure that the web management interfaces of Automation Runtime devices are not accessible from the internet. Restrict access to the engineering workstation VLANs only.

  3. Verify Configuration: Post-patch, verify that the session management mechanisms have been updated to use cryptographically secure random identifiers.

  4. Review Logs: Audit web server logs for signs of the Sigma rules mentioned above, specifically looking for failed or successful login attempts combined with suspicious URI parameters.

  5. CISA Deadline: As this is a CISA-advised vulnerability affecting Critical Infrastructure, prioritize this patching cycle ahead of standard IT maintenance windows. Failure to patch could result in regulatory findings or operational disruption.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

mdrthreat-huntingendpoint-detectionsecurity-monitoringabbcve-2025-3449cve-2025-11498ics-security

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action