Executive Summary

CVE-2022-35737 is an integer overflow in the SQLite library bundled inside ABB B&R Automation Studio that can corrupt heap memory when oversized string inputs are passed into vulnerable query bindings. The criticality is not the SQLite bug in isolation but its location: the engineering workstation that programs and commissions B&R PLCs and motion controllers sits in the path of every logic download and project deployment.

Technical Exposure Breakdown

The root flaw lives in SQLite versions 1.0.12 through 3.39.1 when compiled with 64-bit integer support. An array indexed by a 32-bit signed integer can overflow when a string longer than 2GB is supplied to specific API paths, including sqlite3_str_vappendf and the printf-style routines that drive query formatting. The result is out-of-bounds writes that, depending on memory layout, lead to denial of service or remote code execution. The base CVSS score is 7.5, but that figure was calculated for SQLite as a generic library, not for a tool that holds the keys to a control environment.

In Automation Studio the SQLite component is a third-party dependency, not a feature operators interact with directly. That is precisely why it is dangerous. The vulnerable code path is reachable only if an attacker can influence the string data that the application passes into SQLite. In an OT context the realistic vectors are project files, configuration imports, library packages, and any externally sourced artifact that the engineering tool parses into its internal database. A weaponized project file delivered through a contractor laptop, a shared engineering repository, or a removable drive becomes the delivery mechanism.

ABB reports no observed successful exploitation during testing of the affected B&R products. That statement should be read carefully. It means the specific 2GB input precondition was not trivially triggered in their test harness. It does not mean the dependency is absent or that a determined adversary cannot construct an input chain that reaches the flawed code. The honest engineering position is that the exposure exists and the third-party component must be replaced.

OT Impact and Compliance Risk

The physical consequence is indirect but severe. Compromise of an engineering workstation does not directly trip a relay or open a valve. It gives an attacker the platform from which trusted logic is authored and pushed to field devices. From a poisoned Automation Studio host, malicious logic can be downloaded to B&R controllers under the identity and credentials of a legitimate engineer. That is a supply-chain path into the control layer, and it bypasses most network segmentation because the engineering host is already authorized to talk to the PLCs.

Under IEC 62443 the engineering workstation is a high-trust asset in the conduit between zones, and an unpatched library here undermines the integrity assumptions of the entire zone-and-conduit model. For NERC CIP regulated entities the host is frequently a Cyber Asset within an Electronic Security Perimeter, so an unmitigated third-party component carries CIP-007 patch management and CIP-010 baseline implications. Pipeline operators under TSA SD-02C must account for this asset in their critical cyber system inventory and remediation timelines. Water utilities working under AWIA 2018 risk assessments should classify engineering hosts as critical, because a corrupted programming station is a direct path to treatment process logic.

Compensating Controls

Replace the bundled SQLite component through ABB's update where the maintenance window allows, but do not treat that as the only action. Engineering workstations should never be scanned with active vulnerability tools mid-operation, because aggressive probing can destabilize the tool's database and the field connections it maintains. Treat these hosts as fragile.

BreachSpider Intel

BreachSpider continuously tracks third-party component exposure across 175,000+ OT products and correlates dependency-level CVEs to the engineering and control assets that carry them, so monitor your B&R fleet through BreachSpider for replacement status and active exploitation signals.