CVE-2019-7225

Public Exploit

Description

The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are the idal123 password for the IdalMaster account, and the exor password for the exor account. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials. An attacker can use these credentials to login to ABB HMI to read/write HMI configuration files and also to reset the device. This affects ABB CP635 HMI, CP600 HMIClient, Panel Builder 600, IDAL FTP server, IDAL HTTP server, and multiple other HMI components.

References

Link	Tags
http://seclists.org/fulldisclosure/2019/Jun/38	third party advisory mailing list
http://packetstormsecurity.com/files/153397/ABB-HMI-Hardcoded-Credentials.html	third party advisory vdb entry
https://www.darkmatter.ae/xen1thlabs/abb-hmi-hardcoded-credentials-vulnerability-xl-19-009/	patch third party advisory exploit
http://www.securityfocus.com/bid/108922	third party advisory vdb entry

Frequently Asked Questions

What is the severity of CVE-2019-7225?: CVE-2019-7225 has been scored as a high severity vulnerability.
How to fix CVE-2019-7225?: To fix CVE-2019-7225, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2019-7225 being actively exploited in the wild?: It is possible that CVE-2019-7225 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.

Description

Category

CWE-798 – Use of Hard-coded Credentials

References

Frequently Asked Questions