CVE-2025-13162: Update ABB 800xA to Fix Local DLL Flaw

ABB is urging operators of Advant Master environments to update Control Builder A and 800xA for Advant Master after discovering that vulnerable Online Builder software was included in release media. CVE-2025-13162 can allow an attacker with local access to place a malicious DLL in an insufficiently protected application directory and execute unauthorized code on an affected system node.
CISA republished ABB’s advisory on July 14, following ABB’s original disclosure on June 23. The vulnerability carries a CVSS 3.1 score of 4.4, rated Medium, but its industrial-control context and the confusing release history make inventory verification more important than the score alone suggests.
ABB says it has not received reports of active exploitation, and the flaw was not publicly disclosed before the company’s advisory. Exploitation cannot be performed remotely under the conditions described by ABB: an attacker needs access to the affected node, low-level privileges, user interaction and the ability to place a DLL in the relevant directory.

ABB Advant Master industrial control cybersecurity infographic showing DLL blocking, secure versions, access controls, and network segmentation.A Local DLL Flaw With an Integrity Impact​

Online Builder, or ONB, is included with Control Builder A for configuring and programming Advant Master controllers. It is also supplied through 800xA for Advant Master, the System 800xA extension used to connect with those controllers.
CVE-2025-13162 is classified as CWE-427, an uncontrolled search path element. The affected Online Builder release does not adequately control where it searches for DLLs, potentially allowing Windows to load an unauthorized library from an untrusted location instead of the intended component.
An attacker who has gained the necessary access could place a malicious DLL in the application directory and induce Online Builder to load it. ABB’s CVSS vector assigns no confidentiality or availability impact, but rates the integrity impact as High because successful exploitation could execute arbitrary code and alter the affected node.
The requirement for physical or equivalent local access substantially limits opportunistic exploitation. It does not eliminate risk in plants where engineering workstations are shared, portable maintenance laptops are routinely connected, removable media is common, or third-party technicians receive temporary access.
ABB says exploitation does not affect functional safety. That distinction matters, but it should not be read as a guarantee that a compromised engineering node could have no operational consequences. Unauthorized code execution on a system used to configure controllers remains a security and change-control concern even when the assessed vulnerability does not directly defeat a certified safety function.

The Release Media Is Part of the Problem​

The unusual element in this advisory is not simply that ABB shipped a vulnerable component. It is that an older Online Builder version returned in later release media, while two subsequent packages contained corrected software but reported the wrong product version through ABB’s installation and configuration tools.
Control Builder A 1.4/4 and earlier is affected. ABB recommends moving to Control Builder A 1.4/5 or later.
For 800xA for Advant Master, the affected branches include 6.0.3-1 and earlier, 6.1.1-1 and earlier, 6.1.1-3, and 6.2.0-1. ABB’s recommended destinations are 6.1.1-5 or later for the older and 6.1.1 releases, and 6.2.0-3 or later for the 6.2 branch.
The sequence around 6.1.1 requires particular attention. Version 6.1.1-2 does not contain the vulnerable Online Builder component, but the flaw was reintroduced in 6.1.1-3 because older ONB software was included in that release’s media.
Version 6.1.1-4 also does not contain the vulnerability. ABB nevertheless withdrew it because the 800xA System Installer and System Configuration Console identify it as 6.1.1-3. Customers on any of the 6.1.1-2, 6.1.1-3 or 6.1.1-4 packages are therefore directed toward 6.1.1-5 or later, giving administrators a supported and unambiguous baseline.
A similar issue affects the 6.2 line. Version 6.2.0-2 contains corrected software, but System Installer and System Configuration Console present it as the vulnerable 6.2.0-1 release. ABB withdrew 6.2.0-2 and recommends upgrading both packages to 6.2.0-3 or later.
That history creates an asset-management trap. A version string displayed by the installer or System Configuration Console may not accurately identify the Online Builder files actually present, while a seemingly newer release may contain an older ONB build. Administrators should use ABB’s advisory and approved installation media as the authority rather than inferring exposure from version ordering alone.

The Safe Upgrade Targets​

ABB’s remediation paths can be reduced to three deployment decisions:
  • Control Builder A 1.4/4 and earlier should be upgraded to 1.4/5 or later.
  • 800xA for Advant Master 6.0.3-1 and earlier, 6.1.1-1 and earlier, and the 6.1.1-2 through 6.1.1-4 packages should move to 6.1.1-5 or later.
  • 800xA for Advant Master 6.2.0-1 and 6.2.0-2 should move to 6.2.0-3 or later.
ABB says the corrected Online Builder adds restrictions to the application folder and requires authentication. Customers should perform the usual industrial-control impact analysis before deployment, including checking project compatibility, validating backups and testing the update in a representative environment where possible.
If upgrading is not currently possible, ABB directs customers to contact ABB Support for a workaround rather than attempting an undocumented permission change. Manual changes to application-directory access controls or DLL locations could interfere with engineering software and may produce a configuration ABB has not validated.

Local Access Controls Become the Interim Defense​

Until updates are installed, ABB recommends limiting logon access to authorized users, enforcing strong passwords and changing them regularly. The company also calls for tight control over portable computers, USB storage and other removable media.
On computers physically accessible to ordinary users, ABB recommends disabling removable-media ports or managing them so that only intended device types can be used. For Windows administrators, that may involve a combination of device-control policy, application control, restricted local administrator rights and monitoring for unexpected DLL creation in ABB application directories.
CISA’s broader industrial-control guidance remains applicable: control-system devices should not be exposed to the internet, operational networks should be isolated from business networks, and remote access should use maintained, securely configured VPN infrastructure. Those network controls will not directly stop a person who already has physical access to the affected node, but they can make it harder for an attacker to obtain the foothold or credentials needed to reach it.
The immediate task is to identify every workstation or system node containing Control Builder A or 800xA for Advant Master, then reconcile installed files, source media and displayed version information. 6.1.1-5 and 6.2.0-3 are the clean operational baselines ABB has designated for the affected 800xA branches, avoiding both the vulnerable Online Builder build and the misleading version reporting that caused two intermediate releases to be withdrawn.

References​

  1. Primary source: CISA
    Published: 2026-07-14T12:00:00+00:00
 

Back
Top