Executive Summary
CVE-2023-7104 is a buffer overflow in the SQLite library bundled inside ABB B&R Automation Studio, reachable when the engineering tool parses an attacker-influenced database file; it triggers memory corruption that can lead to remote code execution. The physical criticality comes from the host itself: Automation Studio is the engineering workstation that compiles and downloads logic to B&R PLCs and motion controllers, so a compromise sits one hop away from the code running on the line.
Technical Exposure Breakdown
The vulnerable component is SQLite, specifically the session extension that handles changeset and patchset records. The defect is a heap buffer overflow reachable when SQLite reads a maliciously sized record from a crafted database file. ABB B&R inherited this through dependency inclusion, which is the most common path for third-party flaws to reach an OT product without the vendor writing a single line of defective code.
The attack vector here is file-based, not network-listener based. An operator or integrator opens a project file, imports a configuration database, or loads a shared library artifact that carries the malformed SQLite payload. That distinction matters. This is not a daemon waiting on an open port. It is a workstation parsing untrusted content, which means the realistic delivery mechanisms are supply chain artifacts, shared project repositories, USB transfer of project files between sites, and email or download of vendor or integrator deliverables.
The 7.3 CVSS rating reflects that exploitation requires user interaction and local file handling rather than unauthenticated remote access. Do not read that as low priority. In OT, the engineering workstation is the crown jewel because it holds the trust relationship with controllers. Code execution on that host gives an attacker the ability to alter logic before download, harvest project files containing tag maps and process logic, and stage a position for lateral movement into the control network.
OT Impact and Compliance Risk
The break is not on the PLC directly. It is on the human machine boundary where logic is authored. If an adversary executes on the Automation Studio host, the downstream physical risk is malicious or corrupted logic reaching B&R controllers that drive motion, safety interlocks, and process sequencing. That is a path to unsafe machine states and to silent process drift that may not surface until product is out of spec or a guard fails to actuate.
For IEC 62443, this maps to violations of zone and conduit assumptions if engineering workstations are not segmented from general IT and from the control network. It also pressures the SR 3.4 software and information integrity requirement, since the integrity of authored logic is now in question. For NERC CIP environments, an Automation Studio host inside an Electronic Security Perimeter falls under CIP-007 patch management and CIP-010 configuration change controls, and a third-party component flaw of this type must be tracked through the documented vulnerability assessment process. Water and wastewater operators under AWIA 2018 should treat the engineering workstation as a named asset in the risk and resilience assessment. Pipeline operators under TSA SD-02C should confirm this host is inventoried, segmented, and covered by the access control and patch provisions of their cybersecurity implementation plan.
Compensating Controls
Vendor remediation replaces the outdated SQLite library, and that update should be staged through your change control window. Until then, treat the engineering workstation as a contaminated trust boundary and apply layered controls.
- Enforce application allowlisting on Automation Studio hosts so that no unexpected child process spawns from the engineering tool. SQLite memory corruption that leads to code execution is far less useful if the resulting payload cannot launch.
- Quarantine and validate inbound project files and configuration databases. Establish a one-way ingestion point where files from integrators and other sites are checksummed against an expected source before they touch a production engineering host.
- Strip network reachability from the engineering workstation to anything beyond the controllers it manages. No general internet, no email client, no browsing on that host.
- For network monitoring, a Suricata concept here is file-transport focused rather than exploit-signature focused. Alert on SQLite database file magic bytes and changeset structures moving over SMB, HTTP, or FTP into engineering subnets where such transfers are not part of normal operations. Pair that with file extraction and offline scanning rather than inline blocking, since this is passive detection.
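The following is an added example of what the one-way ingestion point and the file-format detection described above can look like in practice. It is illustration code written for this page, not ABB, B&R, SQLite or BreachSpider code. It checks an inbound artifact against a manifest of SHA-256 values supplied out of band by the sending site, then, if the file carries the SQLite 3 magic string, sanity-checks the documented 100-byte file header against the actual file length so that an obviously inconsistent database is held for offline analysis instead of reaching an engineering host. The file names, manifest layout, verdict strings and sample files are constructed assumptions; the header offsets (page size at 16, change counter at 24, in-header page count at 28, version-valid-for at 92) follow the published SQLite file format.

```python
# Added example: quarantine-side validation of inbound engineering artifacts.
# Not ABB / B&R / SQLite / BreachSpider code. File names, manifest layout and
# verdict strings are assumptions made for this illustration.
import hashlib
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 database


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_sqlite_database(data: bytes) -> bool:
    """True if the artifact starts with the SQLite 3 magic string."""
    return data[:16] == SQLITE_MAGIC


def sqlite_header_consistent(data: bytes) -> bool:
    """Sanity-check the 100-byte SQLite file header against the file length.

    Offsets follow the documented SQLite file format: page size at 16
    (big-endian, value 1 means 65536), file change counter at 24, in-header
    database size in pages at 28, and 'version-valid-for' at 92. The in-header
    size is only trustworthy when bytes 92..95 equal the change counter.
    """
    if len(data) < 100:
        return False
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:
        page_size = 65536
    if page_size < 512 or page_size > 65536 or page_size & (page_size - 1):
        return False  # not a power of two in the legal range
    change_counter = struct.unpack(">I", data[24:28])[0]
    page_count = struct.unpack(">I", data[28:32])[0]
    version_valid_for = struct.unpack(">I", data[92:96])[0]
    if version_valid_for == change_counter and page_count != 0:
        return page_count * page_size == len(data)
    return len(data) % page_size == 0


def validate_artifact(name: str, data: bytes, manifest: dict) -> str:
    """Decide whether an inbound file may leave quarantine.

    `manifest` maps file name -> expected SHA-256 supplied out of band by the
    sending integrator or site (assumed exchange mechanism). Returns a verdict.
    """
    expected = manifest.get(name)
    if expected is None:
        return "reject: not listed in source manifest"
    if sha256_hex(data) != expected:
        return "reject: checksum mismatch against source manifest"
    if is_sqlite_database(data) and not sqlite_header_consistent(data):
        return "hold: SQLite database with inconsistent header, send to offline analysis"
    return "accept"


def make_sample_sqlite(page_size: int = 512) -> bytes:
    """Construct a minimal, well-formed SQLite header padded to one page (test data only)."""
    header = bytearray(100)
    header[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", header, 16, page_size)
    struct.pack_into(">I", header, 24, 7)   # file change counter
    struct.pack_into(">I", header, 28, 1)   # in-header database size: one page
    struct.pack_into(">I", header, 92, 7)   # version-valid-for == change counter
    return bytes(header) + b"\x00" * (page_size - 100)


def demo() -> dict:
    """Run the interesting cases over constructed samples and return the verdicts."""
    good_db = make_sample_sqlite()
    # Same header, but the declared size no longer matches the file length:
    # an inconsistency a normal export does not show.
    truncated_db = good_db[:300]
    notes = b"Commissioning notes from integrator X (constructed sample)\n"
    manifest = {
        "plant_config.db": sha256_hex(good_db),
        "plant_config_bad.db": sha256_hex(truncated_db),
        "notes.txt": sha256_hex(notes),
    }
    return {
        "plant_config.db": validate_artifact("plant_config.db", good_db, manifest),
        "plant_config_bad.db": validate_artifact("plant_config_bad.db", truncated_db, manifest),
        "notes.txt": validate_artifact("notes.txt", notes, manifest),
        "unlisted.db": validate_artifact("unlisted.db", good_db, manifest),
        "tampered.txt": validate_artifact("notes.txt", notes + b"x", manifest),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The header check is deliberately a consistency test, not an exploit signature: it flags files whose declared geometry does not match their bytes, which is cheap to run on the quarantine host and needs no knowledge of the specific overflow. A file that passes still only moves on because its checksum matched what the sending site published, so the manifest, not the format check, is the control that actually enforces provenance.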
Do not run active scanners against the connected B&R controllers to confirm exposure. Active scanning can brick industrial components, and the exposure here is on the workstation file path, not on a probeable controller service. Validate through asset inventory and software bill of materials, not through traffic injection.
BreachSpider Intel
BreachSpider tracks third-party component exposure across 175,000+ OT products and correlates dependency flaws like CVE-2023-7104 to the engineering hosts in your environment, with monitoring available at BreachSpider.