Executive Summary
In April 2026, ABB disclosed a vulnerability (CVE-2025-3756) in the IEC 61850 communication stack used in its System 800xA and Symphony Plus products. An attacker with access to the IEC 61850 network could exploit this flaw by sending specially crafted packets, causing the PM 877, CI850, and CI868 modules to enter a fault state, or rendering the S+ Operations 61850 connectivity unavailable, leading to a denial-of-service condition. The overall functionality of the S+ Operations node remains unaffected; only the IEC 61850 communication function is impacted. Affected versions include AC800M (System 800xA) from 6.0.0x through 6.2.0006.0, Symphony Plus SD Series versions A_0 through B_0.005, Symphony Plus MR versions 3.10 through 3.52, and S+ Operations versions 2.1 through 3.3. (nvd.nist.gov)
This vulnerability underscores the critical importance of securing industrial control systems, especially those utilizing the IEC 61850 protocol. As cyber threats targeting operational technology environments continue to evolve, organizations must prioritize timely patching, network segmentation, and robust access controls to mitigate potential risks.
Why This Matters Now
The disclosure of CVE-2025-3756 highlights the ongoing vulnerabilities in industrial control systems, emphasizing the need for immediate attention to network security and system updates to prevent potential exploitation.
Attack Path Analysis
An attacker gains access to the IEC 61850 network and sends specially crafted packets to exploit a vulnerability in the communication stack, causing denial-of-service conditions in affected ABB devices. The attack does not involve privilege escalation, lateral movement, command and control, or data exfiltration, but results in significant impact by disrupting critical communication functions.
Kill Chain Progression
Initial Compromise
Description
An attacker gains access to the IEC 61850 network and sends specially crafted packets to exploit a vulnerability in the communication stack.
Related CVEs
CVE-2025-3756
CVSS 6.5
A vulnerability in the IEC 61850 communication stack allows an attacker with network access to send specially crafted packets, causing denial-of-service conditions in affected ABB products.
Affected Products:
ABB AC800M (System 800xA) – 6.0.0x through 6.0.0303.0, 6.1.0x through 6.1.0031.0, 6.1.1x through 6.1.1004.0, 6.1.1x through 6.1.1202.0, 6.2.0x through 6.2.0006.0
ABB Symphony Plus SD Series – A_0, A_1, A_2.003, A_3.005, A_4.001, B_0.005
ABB Symphony Plus MR (Melody Rack) – 3.10 through 3.52
ABB S+ Operations – 2.1, 2.2, 2.3, 3.3
Exploit Status:
No public exploit
MITRE ATT&CK® Techniques
Endpoint Denial of Service
Valid Accounts
Network Sniffing
Exploitation for Client Execution
Exploitation of Remote Services
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Boundary Protection
Control ID: SC-7
PCI DSS 4.0 – Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment
Control ID: 1.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Network Segmentation
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Utilities
Critical vulnerability in ABB System 800xA IEC 61850 industrial control systems enables denial-of-service attacks on power grid communication infrastructure requiring manual restarts.
Oil/Energy/Solar/Greentech
Energy facilities using ABB Symphony Plus automation face operational disruption from crafted network packets targeting IEC 61850 communication protocols in process control systems.
Chemicals
Chemical manufacturing plants identified as critical infrastructure sector are vulnerable to communication stack exploits causing controller faults and production interruptions.
Water and Wastewater Systems
Water treatment facilities face denial-of-service risks from IEC 61850 vulnerability affecting SCADA system availability and operational technology network segmentation requirements.
Sources
- ABB System 800xA, Symphony Plus IEC 61850 (CISA ICS Advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-01
- Denial of Service Vulnerabilities in System 800xA, Symphony® Plus IEC 61850 Communication Stack (ABB): https://search.abb.com/library/Download.aspx?DocumentID=7PAA020125&LanguageCode=en&DocumentPartId=&Action=Launch
- CVE-2025-3756 Detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-3756
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could limit the attacker's ability to exploit vulnerabilities within the IEC 61850 network by enforcing strict segmentation and controlling east-west traffic, thereby reducing the potential impact on critical communication functions.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the communication stack vulnerability would likely be constrained by limiting unauthorized access to the IEC 61850 network.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to exploit the vulnerability without privilege escalation would likely be constrained by enforcing strict segmentation policies.
Control: East-West Traffic Security
Mitigation: The attacker's ability to target specific devices within the network would likely be constrained by controlling east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to execute the attack directly through network access would likely be constrained by providing comprehensive visibility and control over network activities.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to disrupt device functionality without data exfiltration would likely be constrained by enforcing strict egress policies.
The potential impact on critical communication functions would likely be reduced by limiting unauthorized access and controlling internal traffic.
Impact at a Glance
Affected Business Functions
- Process Control Systems
- SCADA Operations
- Industrial Automation
Estimated downtime: 2 days
Estimated loss: $50,000
No sensitive data exposure reported.
Recommended Actions
Key Takeaways & Next Steps
- Implement network segmentation to isolate critical systems and limit access to the IEC 61850 network.
- Deploy intrusion prevention systems to detect and block malicious packets targeting known vulnerabilities.
- Regularly update and patch systems to address known vulnerabilities in the IEC 61850 communication stack.
- Conduct regular security assessments to identify and mitigate potential vulnerabilities in the network.
- Educate personnel on cybersecurity best practices to prevent unauthorized access to critical networks.