Vulnerabilities in Outdated SQLite Component in ABB Ability System 800xA Camera Connect
ABB published security advisory 4HZM000604 in March 2026 disclosing fifteen vulnerabilities within the embedded SQLite 3.2.4 library used by ABB Ability System 800xA Camera Connect version 2.0.0.42 and prior. SQLite 3.2.4 is a severely outdated legacy release (current versions stand at 3.50.2), and it contains a broad accumulation of security defects disclosed between 2018 and 2025, the most severe of which carry CVSS v3.1 scores of 9.8 Critical. ABB has released an updated version of Camera Connect that replaces the vulnerable SQLite component. At the time the advisory was published, ABB had not received any information indicating exploitation of the affected product.
The two highest-severity vulnerabilities are CVE-2025-3277 and CVE-2025-6965, both rated 9.8 Critical under CVSS v3.1. CVE-2025-3277 is an integer overflow in SQLite's concat_ws() function; the resulting truncated allocation is subsequently written with the original untruncated length, producing an exploitable heap buffer overflow of approximately four gigabytes. CVE-2025-6965 is triggered when the number of aggregate terms in a query exceeds the number of available result columns, producing memory corruption on systems running SQLite prior to 3.50.2. Two additional high-severity vulnerabilities — CVE-2022-35737, with a CVSS v3.1 score of 7.5, and CVE-2023-7104, with a CVSS v3.1 score of 7.3 — contribute an array-bounds overflow through crafted large string arguments and a heap-based buffer overflow in the session extension handler, respectively. The eleven remaining CVEs represent a multi-year accumulation of memory safety, integer handling, and logic defects that were never remediated in the embedded SQLite 3.2.4 component, including CVE-2020-15358, CVE-2020-13632, CVE-2020-13631, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-11656, CVE-2020-11655, CVE-2019-19646, CVE-2019-19645, and CVE-2018-20506.
The risk profile for organizations running Camera Connect is shaped by the attack vectors of the most critical CVEs. CVE-2025-3277 and CVE-2025-6965 both carry network attack vectors with no authentication requirement in their CVSS v3.1 assessments, meaning an attacker with IP-level access to the Camera Connect instance can trigger vulnerable code paths without valid credentials. ABB has emphasized that Camera Connect is an operational support tool rather than a safety-critical component, and organizations must ensure no safety-instrumented functions depend on it. Nevertheless, Camera Connect hosts typically reside within or immediately adjacent to the OT network, making exploitation a credible lateral movement vector into the broader industrial environment.
Threats and Vulnerabilities
CVE-2025-3277, with a CVSS v3.1 score of 9.8 Critical and a CVSS v4.0 score of 6.9 High, is a heap buffer overflow in SQLite's concat_ws() string aggregation function present in versions 3.44.0 through 3.49.0. An integer overflow during buffer allocation truncates the reserved size, but the subsequent write operation uses the original full length; a remote, unauthenticated attacker who can supply crafted SQL input may write approximately four gigabytes beyond the allocated region, corrupting adjacent heap structures and creating conditions sufficient for arbitrary code execution on the Camera Connect host. The vulnerability is fixed in SQLite 3.49.1.
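The sizing mistake described above (a length truncated for the allocation but used in full for the write) can be shown with arithmetic alone. This is an added example, not SQLite or ABB code: the type `join_plan`, the functions `plan_unchecked`, `plan_checked` and `overrun_bytes`, and the length cap are all hypothetical, and the lengths are constructed values, so no large buffer is ever allocated or written.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sketch of the bug class; none of this is SQLite source code. */
typedef struct {
    int64_t  write_len;  /* bytes the copy loop would write          */
    uint32_t alloc_len;  /* bytes actually requested from allocator  */
} join_plan;

/* Flawed sizing: the 64-bit total is narrowed to 32 bits without a check. */
join_plan plan_unchecked(const int64_t *lens, size_t n, int64_t sep_len) {
    join_plan p = { 1, 0 };                       /* 1 = trailing NUL */
    for (size_t i = 0; i < n; i++)
        p.write_len += lens[i] + (i + 1 < n ? sep_len : 0);
    p.alloc_len = (uint32_t)p.write_len;          /* high bits silently dropped */
    return p;
}

/* Hardened sizing: every addition is checked against a cap that fits the
 * allocator's width. Returns 0 on success, -1 if the request is rejected. */
int plan_checked(const int64_t *lens, size_t n, int64_t sep_len,
                 int64_t max_len, join_plan *out) {
    int64_t total = 1;
    if (max_len < 1 || max_len > UINT32_MAX) return -1;
    for (size_t i = 0; i < n; i++) {
        int64_t part[2] = { lens[i], (i + 1 < n) ? sep_len : 0 };
        for (int k = 0; k < 2; k++) {
            if (part[k] < 0 || part[k] > max_len - total) return -1;
            total += part[k];
        }
    }
    out->write_len = total;
    out->alloc_len = (uint32_t)total;
    return 0;
}

/* Bytes that would land outside the allocation if the plan were executed. */
int64_t overrun_bytes(join_plan p) { return p.write_len - (int64_t)p.alloc_len; }

int main(void) {
    /* Constructed lengths only; no buffers of this size are allocated. */
    const int64_t lens[2] = { INT64_C(2147483648), INT64_C(2147483648) };
    join_plan bad = plan_unchecked(lens, 2, 15), ok;
    printf("unchecked: alloc=%u write=%lld overrun=%lld\n", (unsigned)bad.alloc_len,
           (long long)bad.write_len, (long long)overrun_bytes(bad));
    printf("checked:   %s\n",
           plan_checked(lens, 2, 15, 1000000000, &ok) ? "rejected" : "accepted");
    return 0;
}
```

With the constructed lengths, the unchecked plan requests 16 bytes for a write of 4,294,967,312, a gap of exactly 2^32 bytes, which is where the "approximately four gigabytes" figure for this bug class comes from.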
CVE-2025-6965, with a CVSS v3.1 score of 9.8 Critical and a CVSS v4.0 score of 7.2 High, affects SQLite versions prior to 3.50.2 and arises when a query's aggregate term count exceeds the number of available result columns. The resulting memory corruption is exploitable by an unauthenticated network attacker, and the flaw was disclosed by Google with a patch available in SQLite 3.50.2.
CVE-2022-35737, with a CVSS v3.1 score of 7.5 High, affects SQLite versions 1.0.12 through 3.39.1 and is triggered through C API calls such as sqlite3_str_vappendf when format specifiers %q, %Q, or %w are used with string arguments containing billions of bytes. A signed integer overflow can cause user-controlled data to be written beyond the bounds of a stack-allocated buffer; on 64-bit systems compiled without stack canaries, this yields potential arbitrary code execution, and in all cases it guarantees denial of service. The vulnerability is fixed in SQLite 3.39.2.
CVE-2023-7104, with a CVSS v3.1 score of 7.3 High per NIST assessment, is a heap-based buffer overflow in the sessionReadRecord function within SQLite's session extension (ext/session/sqlite3session.c), affecting versions up to 3.43.0. Exploitation requires triggering the session extension with crafted input, producing memory corruption that may result in denial of service or code execution. This vulnerability was patched in SQLite 3.43.2. The remaining eleven CVEs — spanning 2018 through 2020 — represent an additional layer of memory safety risk in the embedded SQLite 3.2.4 component. All are resolved by the same remediation action: updating Camera Connect to the version specified in ABB advisory 4HZM000604, which replaces the embedded SQLite library with a supported, current release.
Client Impact
ABB Ability System 800xA Camera Connect provides video monitoring of operational processes and equipment within industrial environments. Successful exploitation of CVE-2025-3277 or CVE-2025-6965 could yield remote code execution on the Camera Connect host, providing an unauthenticated attacker with a foothold in or adjacent to the OT network. Even where Camera Connect does not interface directly with safety systems, a compromised host may hold engineering credentials, share network segments with PLCs, HMIs, or historian servers, and provide a platform for further reconnaissance or lateral movement into operational systems. The absence of a prior patch for the SQLite 3.2.4 component means the full set of fifteen CVEs has existed in deployed environments for an extended period.
From a compliance perspective, operating software with multiple Critical-severity CVEs carrying unauthenticated network attack vectors may produce mandatory findings under IEC 62443 vulnerability management requirements, NERC CIP CIP-007-6, or internal patch management policies that define remediation deadlines for Critical and High severities. Organizations subject to mandatory incident reporting obligations under CISA or sector-specific regulation should assess whether the presence of Camera Connect 2.0.0.42 in their environment constitutes a reportable condition and document their remediation timeline accordingly.
Mitigations
ABB has released an updated version of Camera Connect that replaces the embedded SQLite 3.2.4 component. Organizations should take the following actions to remediate exposure and reduce risk while patching is staged:
1. Update ABB Ability System 800xA Camera Connect to the version specified in security advisory 4HZM000604, which resolves all fifteen documented CVEs by replacing the vulnerable SQLite library with a current release.
2. Restrict network access to Camera Connect using host-based or network firewall rules, permitting only authorized engineering workstations to reach the Camera Connect service over TCP; eliminate any direct internet or untrusted network exposure.
3. Verify that no safety management systems, safety-instrumented functions, or high-consequence automated processes have operational dependencies on Camera Connect, in accordance with ABB's advisory guidance.
4. Monitor Camera Connect hosts for anomalous process activity, unexpected outbound connections, or privilege escalation events that could indicate exploitation activity while the patch is pending deployment.
5. Apply least privilege to the service account under which Camera Connect operates, limiting the impact of any successful compromise to the minimum necessary system permissions.
Organizations that cannot immediately apply the patch should treat Camera Connect as high-risk, limit its network exposure to the greatest extent practical, and prioritize remediation in the next available maintenance window.
1898 & Co. Response
1898 & Co. maintains continuous monitoring of security disclosures affecting industrial control system products and embedded third-party components, including embedded library vulnerabilities in ABB System 800xA ecosystem products. Our threat intelligence and OT security practices reviewed advisory 4HZM000604 at the time of publication and can assist organizations in identifying Camera Connect installations across their 800xA environments, validating installed version status, and coordinating patch deployment within planned or emergency maintenance windows.
Our ICS security engineers have direct experience with ABB System 800xA architecture and can provide network segmentation review and firewall rule development to limit Camera Connect's attack surface while remediation is in progress. 1898 & Co. also offers embedded component vulnerability management services — including software bill of materials analysis — to help organizations proactively identify outdated third-party libraries in OT software before they result in published advisories.
As the OT security landscape increasingly involves third-party component supply chain risk, 1898 & Co. is positioned to help clients develop and maintain a systematic approach to component-level vulnerability awareness across their entire installed base of industrial automation and control systems.