CISA has published an advisory on an "authentication bypass using an alternate path or channel" vulnerability in ABB Power Generation Information Manager (PGIM) and Plant Connect. All versions of both products are affected. Successful exploitation of this vulnerability could allow a remote attacker to bypass authentication and extract credentials from the device. ABB reports that PGIM will transition to a limited support phase in January 2020 and that Plant Connect is already obsolete. Users are advised to upgrade to Symphony Plus Historian, which is not affected by this vulnerability. Both ABB and CISA recommend a series of additional measures to mitigate the vulnerability. Read the advisory at WaterISAC.