Description
The affected versions of S+ Operations (version 2.1 SP1 and earlier) used an approach for user authentication which relies on validation at the client node (client-side authentication). This is not as secure as having the server validate a client application before allowing a connection. Therefore, if the network communication or endpoints for these applications are not protected, unauthorized actors can bypass authentication and make unauthorized connections to the server application.
References (1)
Core References
Mitigation, Vendor Advisory x_refsource_misc
https://search.abb.com/library/Download.aspx?DocumentID=2PAA123980&LanguageCode=en&DocumentPartId=&Action=Launch
Scores
CVSS v3: 9.8
EPSS: 0.0141
EPSS Percentile: 69.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-669, CWE-305, CWE-602
Status: published
Products (9)
abb/symphony_\+_historian: 3.0
abb/symphony_\+_historian: 3.1
abb/symphony_\+_operations: 1.1
abb/symphony_\+_operations: 2.0
abb/symphony_\+_operations: 2.1 sp1 (2 CPE variants)
abb/symphony_\+_operations: 3.0
abb/symphony_\+_operations: 3.1
abb/symphony_\+_operations: 3.2
abb/symphony_\+_operations: 3.3
Published: Dec 22, 2020
Tracked Since: Feb 18, 2026