CVE-2025-3395
📋 TL;DR
This vulnerability in ABB Automation Builder allows attackers to access sensitive information stored in cleartext and potentially modify critical resources due to incorrect permission assignments. It affects all users of Automation Builder versions through 2.8.0, potentially exposing sensitive automation configuration data.
💻 Affected Systems
- ABB Automation Builder
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full access to sensitive automation configurations, intellectual property, and credentials, enabling industrial system manipulation, production disruption, or ransomware deployment.
Likely Case
Unauthorized access to sensitive configuration files containing network credentials, device configurations, and proprietary automation logic.
If Mitigated
Limited exposure of non-critical configuration data with no access to production systems.
🎯 Exploit Status
Exploitation requires access to the system where Automation Builder is installed; no authentication bypass is needed if the attacker has local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.0 or later
Vendor Advisory: https://search.abb.com/library/Download.aspx?DocumentID=3ADR011407&LanguageCode=en&DocumentPartId=&Action=Launch
Restart Required: Yes
Instructions:
1. Download Automation Builder 2.9.0 or later from ABB's official portal.
2. Run the installer as administrator.
3. Follow the installation wizard.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict File System Access
Windows: Apply strict file permissions to the Automation Builder installation directory and configuration files
icacls "C:\Program Files\ABB\Automation Builder" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "Users:(OI)(CI)RX"
icacls "C:\ProgramData\ABB\Automation Builder" /inheritance:r /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F"
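To confirm the restriction took effect, the following PowerShell audit (an added example, not part of the vendor advisory or the original page) walks both directories and reports any Allow entry that still gives Everyone, Authenticated Users or BUILTIN\Users a write-capable right. It assumes the default paths used in the commands above; the variable names are illustrative.

```powershell
# Added example: list ACL entries that let broad groups modify Automation
# Builder files. Paths are the ones from the workaround above (assumed defaults).
$paths = @(
    'C:\Program Files\ABB\Automation Builder',
    'C:\ProgramData\ABB\Automation Builder'
)

# Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
$broadSids = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

# Rights that allow changing content, deleting, or rewriting permissions,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits
# that can appear on inherit-only entries.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership) -bor 0x50000000

$findings = foreach ($root in $paths) {
    if (-not (Test-Path -LiteralPath $root)) { Write-Warning "Not found: $root"; continue }
    # Inspect the root itself and everything beneath it
    $items = @(Get-Item -LiteralPath $root -Force) +
             @(Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip rather than abort
        # Resolve identities to SIDs so the check is independent of OS language
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $writable = ([int]$ace.FileSystemRights -band $writeMask) -ne 0
            if ($ace.AccessControlType -eq 'Allow' -and $writable -and
                $broadSids -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Sid       = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else {
    Write-Output 'No write-capable entries for Everyone, Authenticated Users or Users.'
}
```

Run it from an elevated prompt so ACLs on protected files can be read; any row in the output is a path whose permissions are broader than the workaround intends.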
Network Segmentation
All platforms: Isolate Automation Builder workstations from production networks and the internet
🧯 If You Can't Patch
- Implement strict access controls to Automation Builder workstations using endpoint protection and least privilege principles
- Monitor file access to Automation Builder directories and configuration files for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check Automation Builder version via Help > About in the application or examine installed programs in Windows Control Panel
Check Version:
wmic product where "name like 'ABB Automation Builder%'" get version
Verify Fix Applied:
Verify version is 2.9.0 or later and check that sensitive configuration files are no longer stored in cleartext
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to Automation Builder directories
- Multiple failed authentication attempts on Automation Builder workstations
- Unusual file access patterns in ProgramData\ABB directories
Network Indicators:
- Unexpected network connections from Automation Builder workstations
- Data exfiltration from engineering workstations
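SIEM Query (Event ID 4663 is only logged when file system object access auditing is enabled and an audit entry (SACL) is set on these directories):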
EventID=4663 AND ObjectName LIKE '%ABB\Automation Builder%' AND AccessMask IN ('0x10000', '0x120089')