CVE-2019-10995 in CP651
Summary
by MITRE
ABB CP651 HMI products revision BSP UN30 v1.76 and prior implement hidden administrative accounts that are used during the provisioning phase of the HMI interface.
Analysis
by VulDB Data Team • 03/21/2024
The vulnerability identified as CVE-2019-10995 affects ABB CP651 Human Machine Interface products running BSP UN30 v1.76 and earlier versions. This issue represents a critical security flaw that undermines the integrity of industrial control systems by introducing persistent administrative access points that remain concealed from normal operational procedures. The vulnerability specifically targets the provisioning phase of the HMI interface, which is a critical stage in the deployment and configuration of industrial automation systems where initial setup and administrative access are typically established.
The technical flaw manifests through the implementation of hidden administrative accounts that are automatically created and maintained within the system during the provisioning process. These accounts operate outside the normal user access controls and authentication mechanisms, creating a backdoor that persists even after the initial provisioning phase has completed. The accounts remain active and functional throughout the operational lifecycle of the HMI system, providing unauthorized access to administrative functions and system configurations. This design flaw directly violates fundamental security principles of least privilege and defense in depth, as it creates persistent access points that are not visible to security monitoring systems or standard administrative procedures.
The operational impact of this vulnerability is severe for industrial environments that rely on ABB CP651 HMI systems for critical infrastructure control. Attackers who discover or exploit these hidden accounts can gain full administrative privileges to modify system configurations, access sensitive operational data, disable security controls, and potentially disrupt industrial processes. The persistent nature of these accounts means that even if the system is rebooted or reconfigured, the backdoor access remains available, creating a long-term security risk that can persist for years without detection. This vulnerability particularly affects critical infrastructure sectors including power generation, water treatment, manufacturing, and other industrial control environments where system integrity and security are paramount.
Security professionals should recognize this vulnerability as a classic example of insecure default configuration and privilege escalation through hidden administrative interfaces. The flaw aligns with CWE-798, which addresses the use of hard-coded credentials, and CWE-259, which covers the use of weak or hard-coded passwords. From an adversarial perspective, this vulnerability maps directly to ATT&CK technique T1078.004, which involves legitimate credentials used to establish backdoor access. Organizations should implement immediate mitigations including firmware updates to the latest BSP versions, comprehensive security audits to identify and disable hidden accounts, network segmentation to limit access to these systems, and enhanced monitoring of administrative access logs. The vulnerability underscores the importance of secure configuration management and the need for thorough security testing during the provisioning phase of industrial control systems to prevent the introduction of persistent backdoors that can compromise entire industrial networks.
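The mitigations above include auditing for accounts that were never deliberately provisioned and monitoring administrative access logs. The following is an added defender-side example, not code from VulDB or ABB: it checks successful administrative logins in an HMI authentication log against a documented account inventory and an approved control-network range, and reports any login that fails either check. The log line format, the account names, the hostnames, the addresses and the network range are all constructed for illustration; the page does not document the real CP651 log format or any account names.

```python
"""
Added example: audit HMI authentication logs for administrative logins that
do not match the site's documented account inventory or its control network.
Everything here (log format, account names, networks) is constructed for
illustration and is not taken from the CP651 product.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed log format: one authentication event per line.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) role=(?P<role>\S+) "
    r"result=(?P<result>success|failure) src=(?P<src>\S+)$"
)

# Constructed inventory: accounts the site explicitly provisioned and documented.
APPROVED_ACCOUNTS = {"operator1", "operator2", "maint_admin"}

# Constructed control-network range from which administrative access is expected.
CONTROL_NETWORKS = [ipaddress.ip_network("10.0.0.0/16")]

# Constructed sample log lines. "svc_setup" stands in for an undocumented
# account left over from provisioning; it is not a real CP651 account name.
SAMPLE_LOGS = """\
2024-03-21T08:00:01Z hmi-line3 auth: user=operator1 role=operator result=success src=10.0.3.21
2024-03-21T08:05:12Z hmi-line3 auth: user=maint_admin role=admin result=success src=10.0.3.50
2024-03-21T08:07:44Z hmi-line3 auth: user=svc_setup role=admin result=success src=10.0.9.7
2024-03-21T08:09:03Z hmi-line3 auth: user=guest role=operator result=failure src=10.0.3.99
2024-03-21T23:41:30Z hmi-line3 auth: user=svc_setup role=admin result=success src=198.51.100.12
"""


@dataclass
class Finding:
    """One suspicious administrative login and the reasons it was flagged."""
    ts: str
    host: str
    user: str
    src: str
    reasons: list = field(default_factory=list)


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    match = LOG_PATTERN.match(line.strip())
    return match.groupdict() if match else None


def on_control_network(src: str) -> bool:
    """True if the source address lies inside an approved control network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is treated as off-network
    return any(addr in net for net in CONTROL_NETWORKS)


def audit_admin_logins(log_text: str, approved=APPROVED_ACCOUNTS):
    """Flag successful admin logins by unlisted accounts or from outside the control network."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only successful administrative logins are of interest here.
        if rec is None or rec["result"] != "success" or rec["role"] != "admin":
            continue
        reasons = []
        if rec["user"] not in approved:
            reasons.append("admin login by account absent from inventory")
        if not on_control_network(rec["src"]):
            reasons.append("admin login from outside the control network")
        if reasons:
            findings.append(Finding(rec["ts"], rec["host"], rec["user"], rec["src"], reasons))
    return findings


def accounts_to_review(log_text: str, approved=APPROVED_ACCOUNTS):
    """Distinct account names that produced at least one finding, for the audit follow-up."""
    return sorted({f.user for f in audit_admin_logins(log_text, approved)})


if __name__ == "__main__":
    for f in audit_admin_logins(SAMPLE_LOGS):
        print(f"{f.ts} {f.host} user={f.user} src={f.src}: {'; '.join(f.reasons)}")
    print("accounts to review:", accounts_to_review(SAMPLE_LOGS))
```

The inventory comparison is the part that matters for this vulnerability: an account that can log in with administrative rights but appears in no provisioning record is exactly what the audit step is meant to surface, and it should be disabled or removed once confirmed. The network check is a second, independent signal that does not depend on knowing the account name in advance.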