Board Support Package Un31
CVE-2019-7229
HIGH
Severity by source
AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilization of USB/SD Card to flash the device" and "Remote provisioning process via ABB Panel Builder 600 over FTP." Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files.
AnalysisAI
The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilization of USB/SD Card to flash the device" and "Remote provisioning process via. Rated high severity (CVSS 8.3), this vulnerability is no authentication required. Public exploit code available.
Technical ContextAI
This vulnerability is classified under CWE-494. The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilization of USB/SD Card to flash the device" and "Remote provisioning process via ABB Panel Builder 600 over FTP." Neither of these transmission methods implements any form of encryption or authenticity checks against the new firmware HMI software binary files. Affected products include: Abb Board Support Package Un31, Abb Cp620 Firmware, Abb Cp620-Web Firmware, Abb Cp630 Firmware, Abb Cp630-Web Firmware.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
Same weakness CWE-494 – Download of Code Without Integrity Check
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today