ABB has disclosed a local code-execution flaw in its Advant Master industrial control engineering software, but what makes CVE-2025-13162 unusually sticky isn't the vulnerability itself—it's the release-media chaos that causes an older, vulnerable version to reappear in supposedly newer packages. The supplier shipped corrected software in two separate release lines, only to withdraw both because the installer and management tools reported the wrong version number. The result: administrators can't trust what their own systems tell them about whether the flaw is present.

The vulnerability, rated Medium with a CVSS 3.1 score of 4.4, was originally published by ABB on June 23 and republished by CISA on July 14. It allows anyone who has already gained local access and low privileges to drop a malicious DLL into an unprotected application directory, then trick the Online Builder tool into loading it. No remote exploitation is possible under the documented conditions, but the update confusion means many industrial sites may believe they're patched when they aren't.

The Flaw Reintroduced by Release Media Chaos

The core problem is an uncontrolled search path element—CWE-427—in the Online Builder component that ships with both Control Builder A and the 800xA for Advant Master extension. Online Builder is the configuration and programming tool for Advant Master controllers. When launched, it doesn't adequately restrict where it looks for DLLs, so Windows might load a malicious library from the same directory as the application rather than the trusted system location.

ABB fixed the issue in Control Builder A 1.4/5 and in two 800xA branches: 6.1.1-5 and 6.2.0-3. But the road to those safe baselines is littered with withdrawn packages that either reintroduced the flaw or lied about their identity.

Here's the twisted timeline:
- 800xA for Advant Master 6.1.1-2 did not contain the vulnerability. But when 6.1.1-3 shipped, an older, unpatched Online Builder version was inadvertently included in the release media. So the vulnerability came back.
- Next came 6.1.1-4, which once again excised the vulnerable code. However, ABB pulled it from distribution because the System Installer and System Configuration Console still identified it as the vulnerable 6.1.1-3.
- The 6.2.0 branch repeated the same mistake. Version 6.2.0-2 contained the corrected Online Builder, but the tools reported it as 6.2.0-1—the vulnerable release. That version, too, was withdrawn.

As a result, every installation running 6.1.1-2, 6.1.1-3, or 6.1.1-4 must go to 6.1.1-5. Sites on 6.2.0-1 or 6.2.0-2 must go to 6.2.0-3. Control Builder A users below version 1.4/5 have the simplest path: upgrade to 1.4/5 or later.

Why Version Numbers Won't Save You

The most dangerous trap is an asset-management assumption: that a higher version number, or a version string displayed by ABB's own tools, equals a secure installation. In this case, 6.1.1-4 and 6.2.0-2 reportedly included the fix, but the tools identified them as vulnerable releases. So a scan based solely on version strings could flag a patched system as vulnerable—or, conversely, an administrator might trust a self-reported version and skip an upgrade, unaware that the underlying Online Builder files are the older, dangerous ones.

ABB's advisory is the only authority here. If you can't verify into which directory the Online Builder DLLs were actually installed and whether those DLLs match the fixed release, the safe bet is to treat all machines in the affected version ranges as compromised until you move to the designated clean baselines.

What This Means for Control System Operators

The local-access requirement limits the risk dramatically compared to a remote code-execution bug. An attacker would already need credentials on the engineering workstation, or physical access to the machine with a USB stick. But in many plants, that scenario isn't far-fetched. Engineering workstations are often shared, temporary maintenance laptops get plugged in, and third-party contractors may receive temporary local accounts. Removable media is still a staple of industrial environments.

If an attacker does place a malicious DLL and an authorized user launches Online Builder, the code runs with the same privileges as that user—potentially modifying controller configurations, altering batch parameters, or installing a persistent backdoor. ABB notes that functional safety is not directly compromised, meaning the logic intended to prevent physical harm isn't the target. But the integrity of the engineering system is squarely in the crosshairs. Unauthorized changes to controller logic can cause operational disruption, even if a safety layer ultimately prevents a catastrophic outcome.

The CVSS vector (AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N) underscores the nuance: high integrity impact but no confidentiality or availability loss. For a configuration tool, that's exactly what you fear—someone tampering with what you're about to push to production controllers.

The Timeline of a Recurring Vulnerability

The weakness wasn't discovered by an external researcher. ABB's internal security team found it during its own verification process. The company disclosed it on June 23, 2026, with CISA amplifying the advisory on July 14. No public exploitation has been reported, and the vulnerability wasn't known before ABB's announcement.

What makes the timeline notable is the silent re-introduction. Version 6.1.1-2 was a safe release, but then 6.1.1-3 undid that work. The subsequent withdrawal of -4 and -2 packages shows ABB recognized the version-reporting defect, but by then the flawed media had already trickled into the supply chain. This is the kind of release-management misstep that erodes the trust plant operators place in vendor patch pipelines.

Your Upgrade and Mitigation Checklist

ABB's recommended actions are clear, but execution demands a thorough inventory. Here's what to do right now:

  1. Identify every node with Control Builder A or 800xA for Advant Master. Don't rely on asset databases alone; walk the floor if you must. Any workstation, laptop, or server that touches these tools is in scope.

  2. Ignore the version string from System Installer or SCC. Instead, check the actual installed files if you can. If not, upgrade anyway.

  3. Upgrade to the fixed baselines:
    - Control Builder A: version 1.4/5 or later.
    - 800xA for Advant Master 6.x series: 6.1.1-5 or later for any previously affected 6.1.1 release.
    - 800xA for Advant Master 6.2.0 series: 6.2.0-3 or later.

  4. If an upgrade can't be done immediately, contact ABB Support for a workaround. Don't attempt to manually restrict the application directory or DLL locations—ABB has not validated such settings and they may break the engineering tools.

  5. Apply interim defenses: limit who can log on, enforce strong and regularly changed passwords, disable or tightly manage USB ports and removable media. ABB specifically recommends that computers accessible to regular users have removable-media ports disabled or restricted to intended device types.

  6. Implement network segmentation as per CISA guidance: keep control system devices off the internet, isolate operational networks from business networks, and require VPN for remote access—though remember that this won't stop a local attacker who already has a foothold.

Looking Ahead: Trusting Your Tools

CVE-2025-13162 won't be the last DLL search-path issue in industrial software, but the versioning fiasco is a hard-learned lesson for asset owners. A vendor's own tools can mislead you about what's installed, and a seemingly newer release can carry older, vulnerable code. The only reliable strategy is to anchor every security decision on the vendor's advisory and official media, then verify—don't assume.

ABB says it has no evidence of exploitation. But given the widespread deployment of Advant Master controllers in critical manufacturing, the window for patch verification is now. The confusion around versions 6.1.1-4 and 6.2.0-2 means many organizations may have shelved these releases, unaware that they were actually fixed. For those that installed them, the ambiguity remains. Moving to the clean-baseline versions—6.1.1-5 and 6.2.0-3—eliminates both the vulnerability and the trust issue in one shot.