Platform
other
Component
abb-ability-symphony-plus-operations
Fixed in
3.3 Service Pack 1
2.1 SP2 Rollup 2
2.2
CVE-2020-24673 describes a critical SQL injection vulnerability affecting ABB Ability™ Symphony® Plus Operations versions up to 3.3 Service Pack 1. This vulnerability allows attackers to inject malicious SQL code, potentially leading to unauthorized access, modification, or deletion of sensitive data. Successful exploitation can compromise the integrity and availability of the industrial control system, impacting operational processes. The vulnerability has been addressed with the release of version 3.3 Service Pack 1.
The impact of CVE-2020-24673 is severe due to the potential for widespread data compromise and system disruption. An attacker exploiting this vulnerability could read sensitive data stored within the database, including configuration information, user credentials, and process data. Furthermore, they could modify database entries, leading to incorrect operational parameters or even the shutdown of the database management system (DBMS). The ability to execute commands on the operating system elevates the risk significantly, potentially allowing for lateral movement within the network and further compromise of connected systems. This vulnerability shares similarities with other SQL injection attacks where database access is leveraged to gain control over the underlying system.
CVE-2020-24673 was publicly disclosed on December 22, 2020. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and the potential for significant impact make it a high-priority vulnerability. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it likely that such exploits will emerge.
Exploit Status
EPSS
0.40% (61% percentile)
CVSS Vector
The primary mitigation for CVE-2020-24673 is to upgrade to ABB Ability™ Symphony® Plus Operations version 3.3 Service Pack 1 or later. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as restricting network access to the affected system and implementing strict input validation on all user-supplied data. Web application firewalls (WAFs) configured to detect and block SQL injection attempts can also provide a layer of defense. Monitor system logs for suspicious database activity and consider implementing intrusion detection systems (IDS) to identify potential exploitation attempts. After upgrading, verify the fix by attempting a SQL injection attack on the vulnerable endpoint and confirming that it is blocked.
Update to version 3.3 Service Pack 1, 2.1 SP2 Rollup 2 or 2.2 (or higher) as appropriate for the installed version of ABB Ability™ Symphony® Plus Operations. This will resolve the (SQL Injection) vulnerability.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2020-24673 is a critical SQL injection vulnerability in ABB Ability™ Symphony® Plus Operations ≤3.3 SP1, allowing attackers to potentially read, modify, or delete database data and execute operating system commands.
If you are running ABB Ability™ Symphony® Plus Operations versions prior to 3.3 Service Pack 1, you are potentially affected by this vulnerability.
The recommended fix is to upgrade to ABB Ability™ Symphony® Plus Operations version 3.3 Service Pack 1 or later. Implement temporary workarounds if an immediate upgrade is not possible.
While no active exploitation campaigns have been publicly confirmed, the vulnerability's severity warrants immediate attention and mitigation.
Refer to the official ABB security advisory for detailed information and mitigation guidance: [https://www.abb.com/security-advisories](https://www.abb.com/security-advisories)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.