CVE-2024-48841 Overview
CVE-2024-48841 is a command injection vulnerability [CWE-77] affecting ABB FLXEON building automation controllers running firmware version 9.3.4 and earlier. Network-adjacent attackers can execute arbitrary code with elevated privileges without authentication or user interaction. The flaw carries a CVSS v4.0 base score of 10.0, the maximum severity rating. An unauthenticated remote attacker who reaches the controller over the network can take full control of the device. Compromised controllers can manipulate building systems, pivot into operational technology networks, or serve as a foothold for lateral movement.
Critical Impact
Unauthenticated network attackers can execute arbitrary code with elevated privileges on FLXEON 9.3.4 and earlier, gaining full control of the building automation controller.
Affected Products
- ABB FLXEON firmware version 9.3.4
- ABB FLXEON firmware versions older than 9.3.4
- ABB FLXEON building automation controllers running affected firmware
Discovery Timeline
- 2025-01-27 - CVE-2024-48841 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-48841
Vulnerability Analysis
CVE-2024-48841 is classified under CWE-77, Improper Neutralization of Special Elements used in a Command (Command Injection). The flaw allows attackers to inject operating system or application commands through network-exposed interfaces on the FLXEON controller. The controller fails to sanitize or validate input that is later passed to a command execution context. Injected commands execute with elevated privileges, which translates to full administrative control over the device.
The attack proceeds over the network and requires no credentials, no user interaction, and no prior access. Successful exploitation impacts confidentiality, integrity, and availability of the controller and adjacent subsystems. With an EPSS score of 4.163% (88.79th percentile), the exploitation likelihood is elevated relative to most published CVEs. A proof-of-concept entry has been recorded in public exploit databases.
Root Cause
The root cause is insufficient input neutralization on a network-facing interface of the FLXEON firmware. User-controlled input flows into a command interpreter without escaping or allow-list validation. Because the affected service runs with elevated privileges, any injected command inherits that privilege level. ABB has documented the issue in a security advisory referenced as ABB Document 9AKK108470A5684.
Attack Vector
The attack vector is network-based with low attack complexity. An attacker sends a crafted request to a vulnerable network service on a FLXEON controller. The payload embeds command separators or shell metacharacters that escape the intended parameter context. The controller then executes the attacker-supplied commands with elevated privileges. No verified public exploit code is included here; refer to the ABB advisory and exploit database entries for technical specifics.
Detection Methods for CVE-2024-48841
Indicators of Compromise
- Unexpected outbound connections originating from FLXEON controller management interfaces to untrusted external hosts.
- Unauthorized configuration changes, new user accounts, or modified scheduling rules on FLXEON devices.
- Anomalous HTTP or RPC requests to FLXEON controllers containing shell metacharacters such as ;, |, &, backticks, or $().
- Controller process crashes, reboots, or service restarts without a corresponding administrative action.
Detection Strategies
- Inspect network traffic to FLXEON management ports for command injection payloads using IDS or IPS signatures targeting CWE-77 patterns.
- Correlate authentication, configuration change, and outbound connection events from FLXEON controllers to identify post-exploitation behavior.
- Compare controller firmware versions against the affected range (<= 9.3.4) during routine asset inventory scans.
Monitoring Recommendations
- Forward FLXEON controller logs and network telemetry to a central SIEM and alert on shell metacharacters in request parameters.
- Monitor OT or building automation network segments for east-west traffic anomalies originating from FLXEON devices.
- Track firmware version drift and unauthorized firmware update attempts across the FLXEON fleet.
How to Mitigate CVE-2024-48841
Immediate Actions Required
- Identify all FLXEON controllers running firmware 9.3.4 or earlier and prioritize them for remediation.
- Restrict network access to FLXEON management interfaces using firewall rules that allow only trusted engineering workstations.
- Place FLXEON controllers on isolated OT network segments separated from corporate and internet-facing networks.
- Review controller configurations, accounts, and logs for signs of prior unauthorized access.
Patch Information
ABB has published remediation guidance in advisory 9AKK108470A5684. Upgrade FLXEON firmware to a release later than 9.3.4 in accordance with the vendor advisory. Validate firmware integrity after the upgrade and confirm controller functionality before returning devices to production.
Workarounds
- Block external and untrusted access to FLXEON network services at the perimeter and at internal segmentation boundaries.
- Require VPN or jump host access for any administrative connection to FLXEON controllers.
- Disable unused network services and management protocols on affected controllers where operationally feasible.
# Example firewall rule restricting FLXEON management access to a trusted subnet
iptables -A INPUT -p tcp -d <FLXEON_IP> --dport 443 -s 10.10.20.0/24 -j ACCEPT
iptables -A INPUT -p tcp -d <FLXEON_IP> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
