CVE-2025-3395 is a high-severity vulnerability affecting ABB Automation Builder versions up to and including 2.8.0. The vulnerability involves incorrect permission assignment for critical resources (CWE-732) combined with cleartext storage of sensitive information (CWE-312). Specifically, Automation Builder improperly sets permissions on critical resources, potentially allowing unauthorized users with limited privileges to access or modify sensitive components or data. Additionally, sensitive information is stored in cleartext, increasing the risk of exposure if an attacker gains access to the system or files. The CVSS 4.0 base score of 8.4 reflects the significant impact on confidentiality and integrity, with a local attack vector (AV:L), low attack complexity (AC:L), no authentication required (AT:N), and low privileges needed (PR:L). There is no user interaction required (UI:N), but the vulnerability affects confidentiality and integrity to a high degree (VC:H, VI:H). The vulnerability does not impact availability (VA:N). The scope is unchanged (S:N), and there are no known exploits in the wild at the time of publication. The vulnerability was reserved on April 7, 2025, and published on April 30, 2025. ABB Automation Builder is a software suite used for programming, configuring, and commissioning ABB industrial automation devices, including PLCs and control systems, which are critical components in industrial control systems (ICS) and operational technology (OT) environments. Exploitation of this vulnerability could allow an attacker with limited local access to escalate privileges, access sensitive configuration data, or manipulate automation logic, potentially leading to operational disruptions or safety risks in industrial environments.

For European organizations, especially those operating in industrial sectors such as manufacturing, energy, utilities, and critical infrastructure, this vulnerability poses a significant risk. ABB Automation Builder is widely used across Europe in industrial automation and control systems. Exploitation could lead to unauthorized disclosure of sensitive configuration data, intellectual property theft, or unauthorized modification of control logic, which may cause production downtime, safety incidents, or compromised system integrity. Given the critical role of automation in sectors like energy grids, water treatment, and manufacturing plants, the vulnerability could have cascading effects on operational continuity and safety. Furthermore, the cleartext storage of sensitive information increases the risk of credential or key exposure, facilitating further attacks. The local attack vector means that attackers would need some level of access to the affected system, which could be achieved via insider threats, compromised user accounts, or lateral movement after initial network compromise. The high impact on confidentiality and integrity underscores the potential for serious operational and reputational damage to European organizations relying on ABB Automation Builder.

1. Immediate application of any available patches or updates from ABB once released is critical, even though no patch links are currently provided. 2. Restrict local access to systems running Automation Builder to trusted personnel only, enforcing strict access controls and monitoring. 3. Implement network segmentation to isolate engineering workstations and automation programming environments from general IT networks and internet access to reduce the risk of lateral movement. 4. Conduct thorough audits of file system permissions and correct any improper permission assignments on critical resources related to Automation Builder installations. 5. Encrypt sensitive files and configuration data at rest using OS-level or third-party encryption tools to mitigate risks from cleartext storage until official fixes are available. 6. Employ endpoint detection and response (EDR) solutions to detect suspicious local privilege escalation attempts or unauthorized access to Automation Builder resources. 7. Train staff on the risks of local privilege escalation and the importance of safeguarding credentials and limiting software installation privileges. 8. Monitor logs for unusual access patterns or modifications to automation project files or configurations. 9. Consider implementing multi-factor authentication (MFA) for access to systems running Automation Builder to reduce risk from compromised credentials. 10. Establish incident response plans specifically addressing potential ICS/OT compromise scenarios involving ABB Automation Builder.