This morning the DHS ICS-CERT published an update for an advisory published in December for a cross-site scripting vulnerability in the in XZERES 442SR turbine generator operating system (OS). It also published a new advisory for a vulnerability in the ABB Panel Builder 800.
This update corrects the CVE number for the vulnerability. The CVE number published in the original advisory was actually for another cross-site scripting vulnerability in the same equipment that was reported by ICS-CERT in an advisory published in March of last year.
This advisory describes a DLL hijacking vulnerability in the ABB Panel Builder 800. The vulnerability was reported by Ivan Sanchez from Nullcode Team. ABB has produced a new version of the software that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that an attacker must get malicious code to a specific directory in the file system and then convince an authorized operator to execute the code. ICS-CERT says that this cannot be exploited remotely.