CVE-2024-12430
📋 TL;DR
This vulnerability allows authenticated attackers to execute arbitrary commands as root on ABB AC500 V3 PLCs after exploiting CVE-2024-12429 (directory traversal). Attackers can inject commands into crafted files that get executed with root privileges. All AC500 V3 products (PM5xxx series) with firmware earlier than 3.8.0 are affected.
💻 Affected Systems
- ABB AC500 V3 PLCs (PM5xxx series)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level command execution, allowing complete control of the industrial PLC and potential disruption of industrial processes, data theft, or ransomware deployment.
Likely Case
Authenticated attackers gaining root access to manipulate PLC logic, modify configurations, disrupt operations, or establish persistence in industrial networks.
If Mitigated
Limited impact when proper network segmentation and authentication controls are in place and monitoring detects anomalous file access patterns.
🎯 Exploit Status
Two-step exploitation required: first directory traversal (CVE-2024-12429), then authenticated command injection. Requires knowledge of specific file crafting techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware version 3.8.0 or later
Vendor Advisory: https://search.abb.com/library/Download.aspx?DocumentID=3ADR011377&LanguageCode=en&DocumentPartId=&Action=Launch
Restart Required: Yes
Instructions:
1. Download firmware 3.8.0+ from ABB portal.
2. Backup current configuration.
3. Upload new firmware via engineering tool.
4. Restart PLC.
5. Restore configuration.
6. Verify firmware version.
🔧 Temporary Workarounds
Network segmentation and access control
Isolate AC500 PLCs in dedicated network segments with strict firewall rules limiting access to authorized engineering stations only.
Strong authentication enforcement
Implement multi-factor authentication and strong password policies for all accounts with access to PLC engineering tools.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate AC500 devices from untrusted networks
- Enforce least privilege access controls and monitor for anomalous file access patterns
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the engineering tool or web interface. If the version is earlier than 3.8.0, the system is vulnerable.
Check Version:
Use ABB Automation Builder or CoDeSys engineering tool to read PLC firmware version
Verify Fix Applied:
Confirm firmware version is 3.8.0 or later via engineering tool display or version query command.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in PLC logs
- Multiple failed authentication attempts followed by successful login
- Unexpected file creation/modification in system directories
Network Indicators:
- Unusual traffic patterns to PLC engineering ports
- Multiple directory traversal attempts followed by file uploads
SIEM Query:
source="plc_logs" AND ((event="file_access" AND path="*system*") OR (event="auth" AND result="success" AFTER result="failure"))
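The two log indicators in the query above, written out as an added example (not code from this page or from ABB) for logs exported off the SIEM. The JSON-lines layout, the `ts` and `src` fields, the five-minute window, the three-failure threshold and all sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records. event/path/result are the fields used in the SIEM
# query above; ts, src and the JSON-lines layout are assumptions.
SAMPLE_LOG = """\
{"ts":"2025-01-10T08:00:01","src":"192.0.2.20","event":"auth","result":"failure"}
{"ts":"2025-01-10T08:00:04","src":"192.0.2.20","event":"auth","result":"failure"}
{"ts":"2025-01-10T08:00:09","src":"192.0.2.20","event":"auth","result":"failure"}
{"ts":"2025-01-10T08:00:15","src":"192.0.2.20","event":"auth","result":"success"}
{"ts":"2025-01-10T08:01:02","src":"192.0.2.20","event":"file_access","path":"/example/system/placeholder.cfg"}
{"ts":"2025-01-10T09:10:00","src":"192.0.2.31","event":"auth","result":"failure"}
{"ts":"2025-01-10T09:10:20","src":"192.0.2.31","event":"auth","result":"success"}
{"ts":"2025-01-10T09:12:00","src":"192.0.2.31","event":"file_access","path":"/example/user/project.dat"}
truncated record, not JSON
"""

def detect(lines, window=timedelta(minutes=5), min_failures=3):
    """Return (rule, src, ts) alerts for the two log indicators listed above."""
    failures = defaultdict(deque)  # src -> timestamps of failed logins in window
    alerts = []
    for line in lines:
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"])
            src, kind = str(ev["src"]), ev["event"]
        except (ValueError, KeyError, TypeError):
            continue  # skip blank or malformed records instead of aborting
        if kind == "auth":
            recent = failures[src]
            while recent and ts - recent[0] > window:
                recent.popleft()  # expire failures older than the window
            if ev.get("result") == "failure":
                recent.append(ts)
            elif ev.get("result") == "success":
                if len(recent) >= min_failures:
                    alerts.append(("auth_success_after_failures", src, ev["ts"]))
                recent.clear()  # a success ends the failure run for this source
        elif kind == "file_access" and "system" in str(ev.get("path", "")).lower():
            alerts.append(("system_path_file_access", src, ev["ts"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Tracking failures per source keeps a single mistyped password followed by a successful login from alerting, and the window stops slow, unrelated failures from accumulating into a match.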