Severity by source
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Local-only attack path with high complexity for search path manipulation, low privilege required to write the DLL, user interaction required to trigger load; no confidentiality or availability impact per CWE-427 integrity-focused exploitation.
Primary rating from Vendor (ABB).
CVSS VectorVendor: ABB
CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Uncontrolled Search Path Element vulnerability in ABB Control Builder A, ABB 800xA for Advant Master.
This issue affects Control Builder A: through 1.4/4; 800xA for Advant Master: through 6.0.3-1, through 6.1.1-1, 6.1.1-3, 6.2.0-1.
AnalysisAI
Uncontrolled Search Path Element (DLL hijacking) in ABB Control Builder A and 800xA for Advant Master enables a local low-privileged attacker to achieve high-integrity code execution on industrial engineering workstations. Affected versions span Control Builder A through 1.4/4 and 800xA for Advant Master through 6.2.0-1, covering multiple release branches of ABB's flagship OT automation suite. No public exploit or CISA KEV listing is identified at time of analysis, limiting immediate mass-exploitation risk, though OT environments running these ICS platforms warrant targeted patching prioritization given integrity-impact severity.
Technical ContextAI
CWE-427 (Uncontrolled Search Path Element) describes a class of vulnerability where an application resolves DLLs, executables, or libraries by searching directories in a user-controllable order - commonly known as DLL hijacking or binary planting on Windows. ABB Control Builder A (CPE: cpe:2.3:a:abb:control_builder_a) is an engineering tool for configuring ABB Advant Master distributed control systems. ABB 800xA for Advant Master (CPE: cpe:2.3:a:abb:800xa_for_advant_master) is the extended automation platform integrating legacy Advant Master DCS with the 800xA HMI and engineering environment. Both products run on Windows-based engineering workstations in industrial OT environments. The root cause is that the application trusts user-writable directories that appear earlier in the DLL search path than the intended system or application directories, allowing a planted malicious library to be loaded in place of a legitimate one.
RemediationAI
Consult ABB advisory document 7PAA020047 (https://search.abb.com/library/Download.aspx?DocumentID=7PAA020047&LanguageCode=en&DocumentPartId=&Action=Launch) for vendor-released patch guidance; no specific patched version numbers are confirmed in currently available intelligence, so 'Patch available per vendor advisory' is the most accurate characterization. While awaiting patching, apply compensating controls specific to DLL hijacking: restrict write permissions on directories in the application's DLL search path so that only SYSTEM and local administrators can write there, which reduces an attacker's ability to plant a malicious library. Enable Windows SafeDllSearchMode (registry: HKLM\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode=1) to ensure system directories are searched before user-writable locations. Monitor Windows Event Logs and endpoint detection tooling for unexpected DLL load events from non-standard paths within the ABB application process. Limit interactive logon access to engineering workstations to authorized ICS personnel only, reducing the pool of potential low-privilege local attackers. Note: restricting search path write access may require testing against application functionality if the product writes to those directories during normal operation.
Same weakness CWE-427 – Uncontrolled Search Path Element
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210312
GHSA-f2p3-r6h4-xx6j