CVE-2024-12429: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in ABB AC500 V3
An attacker who successfully exploited these vulnerabilities could grant read access to files. A vulnerability exists in the AC500 V3 version mentioned. A successfully authenticated attacker can use this vulnerability to read system-wide files and configuration. All AC500 V3 products (PM5xxx) with firmware version earlier than 3.8.0 are affected by this vulnerability.
AI Analysis
Technical Summary
CVE-2024-12429 is a CWE-22 path traversal vulnerability affecting ABB AC500 V3 programmable logic controllers (PLCs), specifically the PM5xxx product line with firmware versions earlier than 3.8.0. The vulnerability allows an attacker who has successfully authenticated to the device to manipulate file path inputs improperly validated by the system, enabling unauthorized read access to files outside the intended restricted directories. This can include sensitive system-wide files and configuration data critical to the PLC's operation and security. The flaw stems from insufficient validation or sanitization of pathname parameters, permitting directory traversal sequences (e.g., '../') to access arbitrary files. The attack vector requires an authenticated user but no elevated privileges, and user interaction is necessary to initiate the exploit. The CVSS 4.0 score of 5.1 reflects a medium severity, with partial impact on confidentiality (high), no impact on integrity or availability, and a low attack complexity. No public exploits have been reported yet, but the vulnerability poses a risk to industrial environments where these PLCs are deployed, potentially exposing operational data that could facilitate further attacks or disruption. The lack of available patches at the time of reporting necessitates immediate attention to firmware updates once released and implementation of compensating controls.
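The containment check that CWE-22 flaws lack can be sketched as follows. This is an added example, not ABB code or code from the advisory: the base directory, function names and sample requests are assumptions constructed for illustration, and the same function can be used to triage requested paths in access logs.

```python
import posixpath
from urllib.parse import unquote

# Assumed restricted directory; the page does not name the real one.
BASE_DIR = "/data/userfiles"

def decode_fully(raw, max_rounds=3):
    """Percent-decode repeatedly so double-encoded separators are exposed."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def escapes_base(requested, base=BASE_DIR):
    """True if the requested path resolves outside the restricted directory."""
    path = decode_fully(requested).replace("\\", "/")
    if "\x00" in path:
        return True  # NUL bytes have no legitimate use in a file name
    # posixpath.join discards base when path is absolute, so absolute
    # requests are judged on where they actually point.
    resolved = posixpath.normpath(posixpath.join(base, path))
    return not (resolved == base or resolved.startswith(base + "/"))

# Constructed sample requests, not taken from any real device log.
SAMPLES = [
    "recipes/line1.csv",
    "recipes/../recipes/line1.csv",
    "../../outside.txt",
    "..%2f..%2foutside.txt",
    "..%252f..%252foutside.txt",
    "..\\..\\outside.txt",
    "/outside.txt",
]

def flag_samples():
    """Return the sample requests that leave BASE_DIR."""
    return [s for s in SAMPLES if escapes_base(s)]

if __name__ == "__main__":
    for s in flag_samples():
        print("outside base:", s)
```

The check is purely lexical; on a real filesystem the resolved path should also be compared after symlink resolution (for example with `os.path.realpath`).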
Potential Impact
For European organizations, especially those in critical infrastructure sectors such as manufacturing, energy, and utilities that deploy ABB AC500 V3 PLCs, this vulnerability can lead to unauthorized disclosure of sensitive configuration and operational data. Exposure of such information could facilitate further targeted attacks, including sabotage or espionage, impacting industrial processes and safety. While the vulnerability does not directly allow system control or denial of service, the confidentiality breach can undermine trust in system integrity and potentially lead to operational disruptions if attackers leverage the disclosed information. Given the widespread use of ABB industrial controllers in Europe, the impact could be significant in sectors reliant on automated control systems. Additionally, regulatory compliance frameworks such as NIS2 may require prompt remediation and reporting, increasing the operational and legal risks for affected organizations.
Mitigation Recommendations
Organizations should immediately identify all ABB AC500 V3 (PM5xxx) devices running firmware versions earlier than 3.8.0. Until a patch is available, restrict network access to these devices by implementing strict segmentation and firewall rules to limit authenticated access only to trusted personnel and systems. Employ strong authentication mechanisms and monitor access logs for unusual activity. Disable or restrict remote access where possible. Once ABB releases a firmware update addressing CVE-2024-12429, prioritize timely deployment of the patch across all affected devices. Additionally, conduct regular security audits of PLC configurations and implement anomaly detection to identify potential exploitation attempts. Training operational technology (OT) staff on this vulnerability and its risks will improve incident response readiness. Consider deploying intrusion detection systems tailored for industrial control networks to detect suspicious path traversal attempts.
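The first step above, finding PM5xxx devices below firmware 3.8.0, can be run against an asset inventory export. This is an added example, not part of the advisory or any ABB tooling: the CSV layout, host names, model strings and firmware values are constructed assumptions.

```python
import csv
import io
import re

FIXED_VERSION = (3, 8, 0)  # per the advisory: earlier than 3.8.0 is affected
MODEL_RE = re.compile(r"^PM5\d{3}", re.IGNORECASE)  # PM5xxx product line

# Constructed inventory export; column names and rows are assumptions.
INVENTORY_CSV = """host,model,firmware
plc-press-01,PM5630-2ETH,3.7.2
plc-press-02,PM5650-2ETH,V3.8.0
plc-mix-01,PM5012-T-ETH,3.1
plc-mix-02,PM5670-2ETH,3.10.1
plc-old-01,PM592-ETH,2.8.4
plc-pack-01,PM5032-R-ETH,unknown
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None if the string is not a version."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])  # pad "3.1" to (3, 1, 0)

def triage(csv_text):
    """Classify each PM5xxx row as 'affected', 'fixed' or 'verify'."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not MODEL_RE.match(row["model"]):
            continue  # model does not match PM5xxx, outside this advisory
        version = parse_version(row["firmware"])
        if version is None:
            result[row["host"]] = "verify"  # unreadable version: check by hand
        elif version < FIXED_VERSION:
            result[row["host"]] = "affected"
        else:
            result[row["host"]] = "fixed"
    return result

if __name__ == "__main__":
    for host, status in triage(INVENTORY_CSV).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples, so 3.10.1 is correctly treated as newer than 3.8.0, which a plain string comparison would get wrong.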
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Sweden, Spain, Poland, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: ABB
- Date Reserved: 2024-12-10T16:58:59.932Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 69092616fe7723195e0b35ff
Added to database: 11/3/2025, 10:00:54 PM
Last enriched: 11/3/2025, 11:20:58 PM
Last updated: 11/5/2025, 2:10:37 PM