THREATNOIR
Subscribe
Back to Feed
VulnerabilitiesMay 21, 2026

ABB B&R PCs

ABB B&R industrial PCs vulnerable to nine network-exploitable flaws in UEFI firmware

Read at source

Summary

ABB disclosed nine CVEs affecting multiple B&R xPC industrial control systems, stemming from vulnerabilities in EDK2's network package within UEFI firmware. Flaws include buffer overflows, out-of-bounds reads, infinite loops, and weak RNG that enable remote code execution, DoS, DNS cache poisoning, and information disclosure. Updates are available for most products; APC910 receives no patch and requires network segmentation and PXE disabling.

Full text

ICS Advisory ABB B&R PCs Release DateMay 21, 2026 Alert CodeICSA-26-141-02 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF Summary ABB became aware of vulnerability in the product versions listed as affected in the advisory. An update is now available that addresses and remediates the vulnerability. A network attacker could exploit the vulnerabilities to execute remote code, initiate DoS attacks, conduct DNS cache poisoning, or extract sensitive information. The following versions of ABB B&R PCs are affected: APC4100 <1.09, 1.09 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) APC910 <=1.25 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) C80 <1.14, 1.14 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) MPC3100 <1.24, 1.24 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) PPC1200 <1.14, 1.14 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) PPC900 <2.16, 2.16 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) APC2200 <1.35, 1.35 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) PPC2200 <1.35, 1.35 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) APC3100 <1.45, 1.45 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) PPC3100 <1.45, 1.45 (CVE-2023-45229, CVE-2023-45230, CVE-2023-45231, CVE-2023-45232, CVE-2023-45233, CVE-2023-45234, CVE-2023-45235, CVE-2023-45236, CVE-2023-45237) CVSS Vendor Equipment Vulnerabilities v3 8.3 ABB ABB B&R PCs Out-of-bounds Read, Improper Restriction of Operations within the Bounds of a Memory Buffer, Loop with Unreachable Exit Condition ('Infinite Loop'), Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Background Critical Infrastructure Sectors: Energy Countries/Areas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2023-45229 EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. View CVE Details Affected Products ABB B&R PCs Vendor:ABB Product Version:ABB APC4100 <1.09, ABB APC910 <=1.25, ABB C80 <1.14, ABB MPC3100 <1.24, ABB PPC1200 <1.14, ABB PPC900 <2.16, ABB APC2200 <1.35, ABB PPC2200 <1.35, ABB APC3100 <1.45, ABB PPC3100 <1.45 Product Status:fixed, known_affected Remediations Vendor fixThe problems are corrected in the following product versions: - APC4100 1.09 - APC910 No patch will be released (Please refer to the mitigation measures specified in this advisory). - C80 1.14 - MPC3100 1.24 - PPC1200 1.14 - PPC900 2.16 - APC2200 1.35 - PPC2200 1.35 - APC3100 1.45 - PPC3100 1.45 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. MitigationDeactivate the vulnerable component - The vulnerabilities exist in the Preboot eXecution Environment (PXE) of the UEFI firmware. If this functionality is not needed, it is recommended to disable it in the UEFI settings, thus making the vulnerabilities not exploitable. Limit accessibility - If PXE functionality is required, users should tightly restrict network traffic to legitimate users and block illegitimate PXE traffic, specifically related to IPv6. For instance, by blocking IPv6 network traffic on the control network firewall. https://help.br-automation.com/#/en/6/cyber-security/defense-in-depth-for-br-products/reference_architecture.html Refer to section “General security recommendations” for further advise on how to keep your system secure. Relevant CWE: CWE-125 Out-of-bounds Read Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.5 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C CVE-2023-45230 EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality, Integrity and/or Availability. View CVE Details Affected Products ABB B&R PCs Vendor:ABB Product Version:ABB APC4100 <1.09, ABB APC910 <=1.25, ABB C80 <1.14, ABB MPC3100 <1.24, ABB PPC1200 <1.14, ABB PPC900 <2.16, ABB APC2200 <1.35, ABB PPC2200 <1.35, ABB APC3100 <1.45, ABB PPC3100 <1.45 Product Status:fixed, known_affected Remediations Vendor fixThe problems are corrected in the following product versions: - APC4100 1.09 - APC910 No patch will be released (Please refer to the mitigation measures specified in this advisory). - C80 1.14 - MPC3100 1.24 - PPC1200 1.14 - PPC900 2.16 - APC2200 1.35 - PPC2200 1.35 - APC3100 1.45 - PPC3100 1.45 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. MitigationDeactivate the vulnerable component - The vulnerabilities exist in the Preboot eXecution Environment (PXE) of the UEFI firmware. If this functionality is not needed, it is recommended to disable it in the UEFI settings, thus making the vulnerabilities not exploitable. Limit accessibility - If PXE functionality is required, users should tightly restrict network traffic to legitimate users and block illegitimate PXE traffic, specifically related to IPv6. For instance, by blocking IPv6 network traffic on the control network firewall. https://help.br-automation.com/#/en/6/cyber-security/defense-in-depth-for-br-products/reference_architecture.html Refer to section “General security recommendations” for further advise on how to keep your system secure. Relevant CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Metrics CVSS Version Base Score Base Severity Vector String 3.1 8.3 HIGH CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H/E:P/RL:O/RC:C CVE-2023-45231 EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect message. This vulnerability can be exploited by an attacker to gain unauthorized access and potentially lead to a loss of Confidentiality. View CVE Details Affected Products ABB B&R PCs Vendor:ABB Product Version:ABB APC4100 <1.09, ABB APC910 <=1.25, ABB C80 <1.14, ABB MPC3100 <1.24, ABB PPC1200 <1.14, ABB PPC900 <2.16, ABB APC2200 <1.35, ABB PPC2200 <1.35, ABB APC3100 <1.45, ABB PPC3100 <1.45 Product Status:fixed, known_affected Remediations Vendor fixThe problems are corrected in the following product versions: - APC4100 1.09 - APC910 No patch will be released (Please refer to the mitigation measures specified in this advisory). - C80 1.14 - MPC3100 1.24 - PPC1200 1.14 - PPC900 2.16 - APC2200 1.35 - PPC2200 1.35 - APC3100 1.45 - PPC3100 1.45 B&R recommends that customers apply the update at earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. MitigationDeactivate the vulnerable component - The vuln

Indicators of Compromise

  • cve — CVE-2023-45229
  • cve — CVE-2023-45230
  • cve — CVE-2023-45231
  • cve — CVE-2023-45232
  • cve — CVE-2023-45233
  • cve — CVE-2023-45234
  • cve — CVE-2023-45235
  • cve — CVE-2023-45236
  • cve — CVE-2023-45237

Entities

ABB (vendor)ABB B&R PCs (APC4100, APC910, C80, MPC3100, PPC1200, PPC900, APC2200, PPC2200, APC3100, PPC3100) (product)EDK2 (technology)UEFI (technology)PXE (technology)