Executive Summary
In February 2026, ABB disclosed multiple vulnerabilities in its AC500 V3 programmable logic controllers (PLCs), specifically affecting firmware versions prior to 3.9.0. The identified vulnerabilities include CVE-2025-2595, which allows unauthenticated remote attackers to bypass user management and access visualization files; CVE-2025-41659, enabling low-privileged remote attackers to read and write certificates and keys via the CODESYS protocol; and CVE-2025-41691, permitting unauthenticated attackers to cause a denial-of-service (DoS) condition through specially crafted communication requests. These vulnerabilities pose significant risks to industrial control systems, potentially leading to unauthorized access, data manipulation, and service disruptions.
The relevance of this incident is underscored by the increasing frequency of cyberattacks targeting industrial control systems, highlighting the critical need for robust security measures in operational technology environments. Organizations utilizing ABB's AC500 V3 PLCs are urged to apply the recommended firmware updates promptly to mitigate these vulnerabilities and safeguard their infrastructure against potential exploits.
Why This Matters Now
The disclosure of these vulnerabilities in ABB's AC500 V3 PLCs highlights the urgent need for organizations to update their systems to prevent potential cyberattacks that could exploit these weaknesses, leading to unauthorized access and operational disruptions.
Attack Path Analysis
The three advisories describe independent weaknesses, and no public exploit was known at disclosure, so the chain below is a scenario rather than an observed intrusion. An unauthenticated attacker with network reach to the controller's web server could use forced browsing (CVE-2025-2595) to retrieve static visualization files without logging in, learning the application's layout and tag names. With any low-privileged account usable over the CODESYS protocol, the attacker could then read and write the PKI folder (CVE-2025-41659), copying the controller's private keys or replacing its certificates, which undermines trust in subsequent encrypted sessions with the PLC. From that foothold the scenario continues with lateral movement to other systems reachable from the same OT segment, command and control for persistence, and exfiltration of the collected data; none of these later steps is described in the advisories, and whether they are possible depends on how the controller's network segment is isolated. Finally, a specially crafted communication request (CVE-2025-41691) triggers a NULL pointer dereference and takes the controller offline, which requires no credentials at all.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker could exploit a forced browsing vulnerability (CVE-2025-2595) to access static visualization files without authenticating.
Related CVEs
CVE-2025-2595
CVSS 5.3
An unauthenticated remote attacker can bypass user management and read visualization files via forced browsing.
Affected Products:
ABB AC500 V3 – <3.9.0
Exploit Status:
no public exploit
CVE-2025-41659
CVSS 8.3
Low-privileged remote attackers can access the PKI folder via the CODESYS protocol, enabling them to read and write certificates and keys.
Affected Products:
ABB AC500 V3 – <3.9.0
Exploit Status:
no public exploit
CVE-2025-41691
CVSS 7.5
Unauthenticated attackers can cause a denial-of-service via specially crafted communication requests, triggering a NULL pointer dereference.
Affected Products:
ABB AC500 V3 – <3.9.0
Exploit Status:
no public exploit
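All three CVEs share the same fix boundary (AC500 V3 firmware 3.9.0 or later), so the first practical step is to find every controller in the inventory that is still below it. The following is an added example, not code from ABB or CISA: it assumes an asset inventory exported as CSV with vendor, model and firmware columns, and the sample rows are constructed. The point it makes is that firmware strings must be compared numerically, since a lexical comparison would rank "3.10.1" below "3.9.0" and wrongly flag an already-updated controller.

```python
"""Triage an asset inventory for AC500 V3 controllers below firmware 3.9.0.

Added example, not part of the ABB or CISA advisories. The CSV layout
(hostname, vendor, model, firmware) is an assumption and the rows are constructed.
"""
import csv
import io
import re

# First firmware release that addresses all three CVEs, per the advisories.
FIXED_VERSION = (3, 9, 0)

# Constructed sample inventory export (not real devices).
SAMPLE_INVENTORY = """\
hostname,vendor,model,firmware
plc-line1,ABB,AC500 V3 PM5650,3.8.0
plc-line2,ABB,AC500 V3 PM5630,3.10.1
plc-line3,ABB,AC500 V3 PM5670,V3.9.0
plc-old,ABB,AC500 V2 PM583,2.8.4
hmi-1,Siemens,S7-1500,V2.9.2
"""


def parse_version(raw):
    """Turn strings like '3.8.0', 'V3.10.1' or '3.9' into a comparable int tuple.

    Lexical comparison is the classic mistake: as text '3.10.1' < '3.9.0',
    but 3.10.1 is the newer release. Compare integer components instead.
    """
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognised firmware version: {raw!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(model, firmware, fixed=FIXED_VERSION):
    """True if this is an AC500 V3 controller running firmware below the fix."""
    if "AC500 V3" not in model:
        return False  # AC500 V2 and other vendors are outside these advisories
    return parse_version(firmware) < fixed


def triage(inventory_csv):
    """Return hostnames that still need the 3.9.0 (or later) firmware update."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [r["hostname"] for r in rows if is_affected(r["model"], r["firmware"])]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"UPDATE REQUIRED: {host}")
```

On the constructed inventory only plc-line1 is reported; plc-line2 (3.10.1) and plc-line3 (3.9.0) are already at or above the fix, and the AC500 V2 unit is outside the scope of these advisories.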
MITRE ATT&CK® Techniques
Valid Accounts
Application Layer Protocol
Endpoint Denial of Service
Unsecured Credentials
Indicator Removal on Host
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Limit access to system components and cardholder data to only those individuals whose job requires such access.
Control ID: 7.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
ABB AC500 V3 PLC vulnerabilities enable authentication bypass, certificate manipulation, and denial-of-service attacks targeting critical industrial control systems worldwide.
Utilities
Water, wastewater, and energy infrastructure face severe risk from exploitable PLC vulnerabilities that allow unauthorized access and operational disruption.
Chemicals
Chemical manufacturing processes relying on ABB AC500 V3 controllers are vulnerable to remote attacks that can compromise production operations and any safety-related functions that depend on them.
Oil/Energy/Solar/Greentech
Energy sector operations using affected PLCs are susceptible to forced browsing, cryptographic key compromise, and loss of availability through remote exploitation.
Sources
- ABB AC500 V3 Multiple Vulnerabilities (CISA ICSA-26-132-03): https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-03
- ABB AC500 V3 - Multiple vulnerabilities (ABB 3ADR011524): https://library.e.abb.com/public/63e27a0599cf40e884a70246692bc652/3ADR011524%20AC500%20V3%20-%20Multiple%20vulnerabilities.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is relevant to this disclosure because strict segmentation and access controls can limit an attacker's ability to reach the affected services, escalate privileges, move laterally, establish command and control channels, exfiltrate data, and disrupt system availability.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the forced browsing vulnerability may have been constrained, reducing unauthorized access to sensitive files.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and manipulate certificates could have been limited, reducing the risk of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been constrained, reducing the risk of further system compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels could have been limited, reducing persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data could have been constrained, reducing data loss.
The attacker's ability to disrupt system availability could have been limited, reducing operational impact.
Impact at a Glance
Affected Business Functions
- Industrial Process Control
- System Monitoring
Estimated downtime: 2 days
Estimated loss: $50,000
Potential exposure of static visualization data and cryptographic keys.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict unauthorized access and lateral movement within the network.
- Deploy East-West Traffic Security controls to monitor and prevent unauthorized internal communications.
- Utilize Encrypted Traffic (HPE) to secure data in transit and prevent interception or manipulation.
- Establish Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
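Segmentation and east-west monitoring only help if someone checks that the policy holds: the CODESYS protocol and the web visualization should be reachable on the PLC from engineering workstations and nothing else. The following is an added example (not part of the advisories or of any vendor product) that applies that allowlist to flow records. It assumes flow logs exported as CSV, that the CODESYS V3 runtime is reached on its default TCP port 11740 and the web visualization on 80/443, and the OT subnet, allowlist and sample flows are all constructed.

```python
"""Flag CODESYS-protocol and web-visualization access to AC500 PLCs from hosts
that are not on the engineering-workstation allowlist.

Added example, not from the ABB or CISA advisories. Assumptions: flow records
as CSV (ts, src, dst, dport, proto); CODESYS V3 runtime on TCP 11740 (the
documented default); web visualization on 80/443; subnet, allowlist and sample
flows are constructed.
"""
import csv
import io
import ipaddress

# Assumed service ports on the controller (see module docstring).
CODESYS_PORTS = {11740}
WEBVISU_PORTS = {80, 443}
WATCHED_PORTS = CODESYS_PORTS | WEBVISU_PORTS

PLC_SUBNET = ipaddress.ip_network("10.20.30.0/24")         # constructed OT cell
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.10.5")}   # constructed allowlist

# Constructed sample flows: one allowlisted workstation and one stray host.
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto
2026-02-10T08:01:02Z,10.20.10.5,10.20.30.11,11740,tcp
2026-02-10T08:02:15Z,10.20.10.5,10.20.30.11,443,tcp
2026-02-10T09:14:44Z,10.20.40.77,10.20.30.11,11740,tcp
2026-02-10T09:15:01Z,10.20.40.77,10.20.30.12,80,tcp
2026-02-10T09:16:30Z,10.20.40.77,10.20.30.12,502,tcp
2026-02-10T10:00:00Z,10.20.10.5,10.20.30.12,11740,tcp
"""


def classify(flow):
    """Return a finding string for a policy-violating flow, or None if expected."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    dport = int(flow["dport"])
    if dst not in PLC_SUBNET or dport not in WATCHED_PORTS:
        return None  # not PLC engineering/visualization access; out of scope here
    if src in ENGINEERING_HOSTS:
        return None  # allowlisted engineering workstation
    service = "CODESYS" if dport in CODESYS_PORTS else "web visualization"
    return f"{flow['ts']} {src} -> {dst}:{dport} ({service}) from non-allowlisted host"


def find_violations(flows_csv):
    """Run classify() over every flow record and keep the findings."""
    rows = csv.DictReader(io.StringIO(flows_csv))
    return [finding for finding in (classify(r) for r in rows) if finding]


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS):
        print(finding)
```

On the constructed flows the two accesses from 10.20.40.77 to CODESYS and to the web server are reported; its Modbus connection on port 502 is deliberately ignored because this check covers only the two services involved in these advisories. Every reported flow is exactly what CVE-2025-2595 (unauthenticated web access) and CVE-2025-41659 (low-privileged CODESYS access) need in order to be reachable, so the same rule works as a firewall policy and as a detection query.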