According to an ABB PSIRT advisory republished by CISA, ABB Ability Symphony Plus Engineering is affected by vulnerabilities in PostgreSQL version 13.11 and earlier, potentially allowing an attacker who gains access to a site’s S+ client/server network to execute arbitrary code. The advisory lists affected product versions as ABB Ability Symphony Plus Engineering 2.2, 2.3, 2.3 RU1, RU2, RU3, 2.4, 2.4 SP1, and 2.4 SP2.
CVSS scores are presented as 8.8 (HIGH) for some vulnerabilities and 7.5 (HIGH) for others, with separate entries for CVE-2023-5869, CVE-2023-39417, CVE-2024-7348, and CVE-2024-0985. ABB recommends upgrading to S+ Engineering 2.4 SP2 RU1 (released December 2024) or later; if upgrading is not possible, ABB provides mitigations and notes that no workarounds are available for some issues.
The advisory, released on 30 April 2026, highlights that exploitation would require access to the S+ client/server network, and it emphasises reducing network exposure and following ABB’s security practices to help prevent external access.