Vulnerability CVE-2019-7225

Published: 2019-06-27

The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI interface. These credentials allow the provisioning tool "Panel Builder 600" to flash a new interface and Tags (MODBUS coils) mapping to the HMI. These credentials are the idal123 password for the IdalMaster account, and the exor password for the exor account. These credentials are used over both HTTP(S) and FTP. There is no option to disable or change these undocumented credentials. An attacker can use these credentials to login to ABB HMI to read/write HMI configuration files and also to reset the device. This affects ABB CP635 HMI, CP600 HMIClient, Panel Builder 600, IDAL FTP server, IDAL HTTP server, and multiple other HMI components.

See advisories in our WLB2 database:
ABB HMI Hardcoded Credentials



Vendor: ABB
Product: Cp635-web firmware 
Version: 1.76;
Product: Cp620-web firmware 
Version: 1.76;
Product: Cp665 firmware 
Version: 1.76;
Product: Cp651-web firmware 
Version: 1.76;
Product: Cp630-web firmware 
Version: 1.76;
Product: Cp676 firmware 
Version: 1.76;
Product: Cp661-web firmware 
Version: 1.76;
Product: Cp635-b firmware 
Version: 1.76;
Product: Cp665-web firmware 
Version: 1.76;
Product: Cp635 firmware 
Version: 1.76;
Product: Cp620 firmware 
Version: 1.76;
Product: Cp676-web firmware 
Version: 1.76;
Product: Cp651 firmware 
Version: 1.76;
Product: Cp630 firmware 
Version: 1.76;
Product: Cp661 firmware 
Version: 1.76;

CVSS2 => (AV:A/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
Exploit range
Attack complexity
Adjacent network
No required
Confidentiality impact
Integrity impact
Availability impact


Related CVE
ABB, Phoenix Contact, Schneider Electric, Siemens, WAGO - Programmable Logic Controllers, multiple versions. Researchers have found some controllers are susceptible to a denial-of-service attack due to a flood of network packets.
The TextEditor 2.0 in ABB CP400 Panel Builder versions and earlier contain a vulnerability in the file parser of the Text Editor wherein the application doesn't properly prevent the insertion of specially crafted files which could allow arbi...
The product CMS-770 (Software Versions 1.7.1 and prior)is vulnerable that an attacker can read sensitive configuration files by bypassing the user authentication mechanism.
The product M2M ETHERNET (FW Versions 2.22 and prior, ETH-FW Versions 1.01 and prior) is vulnerable in that an attacker can upload a malicious language file by bypassing the user authentication mechanism.
Pluto Safety PLC Gateway Ethernet devices in ABB GATE-E1 and GATE-E2 all versions allows an unauthenticated attacker using the administrative web interface to insert an HTML/Javascript payload into any of the device properties, which may allow an att...
Pluto Safety PLC Gateway Ethernet devices ABB GATE-E1 and GATE-E2 all versions do not allow authentication to be configured on administrative telnet or web interfaces, which could enable various effects vectors, including conducting device resets, re...
ABB eSOMS version 6.0.2 may allow unauthorized access to the system when LDAP is set to allow anonymous authentication, and specific key values within the eSOMS web.config file are present. Both conditions are required to exploit this vulnerability.
ABB Panel Builder 800 all versions has an improper input validation vulnerability which may allow an attacker to insert and run arbitrary code on a computer where the affected product is used.

Copyright 2019,


Back to Top