Executive Summary
In July 2025, a buffer over-read vulnerability, identified as CVE-2025-7745, was discovered in ABB's AC500 V2 programmable logic controllers (PLCs), affecting versions up to and including 2.5.2. This flaw could allow unauthorized access to fragments of previously transmitted Modbus telegrams, potentially exposing sensitive information. The vulnerability was reported by Reid Wightman of Dragos, Inc., and ABB released firmware version 2.5.3 to address the issue.
The incident underscores the critical importance of timely patch management in industrial control systems (ICS). As cyber threats targeting ICS environments continue to evolve, organizations must remain vigilant in updating and securing their operational technology to prevent potential exploitation of such vulnerabilities.
Why This Matters Now
CVE-2025-7745 is reachable over the controller's Modbus TCP interface, and Modbus TCP carries no authentication of its own, so the exposure is bounded only by which hosts can reach the PLC's Modbus server. Until firmware 2.5.3 is deployed, restricting that reachability is the compensating control; the broader lesson is that ICS environments need a patch and network-access process that can act on a single advisory without waiting for the next maintenance window.
Attack Path Analysis
The only step this CVE itself provides is the first one: an attacker who can reach the Modbus TCP interface of an ABB AC500 V2 PLC triggers the buffer over-read and receives fragments of previously transmitted Modbus telegrams, which may contain sensitive operational data. The stages that follow are a hypothetical progression assembled for this analysis, not behaviour demonstrated for this flaw: the attacker uses the exposed data to gain deeper access into the control system; uses the compromised PLC as a foothold to move laterally to other devices on the industrial network; establishes command and control to keep persistent access; exfiltrates sensitive data from the ICS to an external server; and finally disrupts operations by sending malicious commands to the PLCs, causing system malfunctions. Each of those later stages requires capabilities beyond what the over-read discloses, and a defender's first question should be whether Modbus TCP on the affected controllers is reachable from anything other than the engineering and SCADA hosts that need it.
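The over-read mechanism described above, as an added illustrative model in Python (not ABB firmware code, and not derived from the advisory): a toy Modbus TCP server that keeps one reusable receive buffer and, on an unsupported function code, sizes its exception reply from the request's MBAP length field rather than from the bytes that actually arrived. The buffer reuse, the supported function codes and the sample telegrams are assumptions made for the illustration; the hardened variant beside it shows the check that closes this bug class.

```python
"""
Illustrative model of the bug class behind a Modbus TCP buffer over-read.
Added example: not ABB firmware code, and the trigger details are an assumption;
the page only states that unsupported function codes return fragments of earlier
telegrams. The model shows one way that happens: a server reuses a single receive
buffer and sizes its reply from the attacker-controlled MBAP length field instead
of from the number of bytes actually received.
"""
import struct

MBAP_LEN = 7               # transaction id(2) protocol id(2) length(2) unit id(1)
RX_BUF_SIZE = 260          # maximum Modbus TCP ADU size
ILLEGAL_FUNCTION = 0x01    # Modbus exception code for an unsupported function
SUPPORTED = {0x03, 0x10}   # assumed: Read Holding Registers, Write Multiple Registers


class ModbusServerModel:
    """Toy Modbus TCP server with one reusable receive buffer, as many embedded stacks have."""

    def __init__(self, trust_header_length: bool):
        self.rx = bytearray(RX_BUF_SIZE)
        self.trust_header_length = trust_header_length   # True reproduces the over-read

    def handle(self, frame: bytes) -> bytes:
        n = len(frame)
        if n < MBAP_LEN + 1 or n > RX_BUF_SIZE:
            return b""                    # drop frames the buffer cannot hold
        self.rx[:n] = frame               # bytes past offset n are stale: earlier telegrams
        tid, pid, length, uid = struct.unpack(">HHHB", self.rx[:MBAP_LEN])
        if not self.trust_header_length and (pid != 0 or length != n - (MBAP_LEN - 1)):
            return b""                    # HARDENED: header must agree with what arrived
        func = self.rx[MBAP_LEN]
        if func in SUPPORTED:
            pdu = self._service(func, bytes(self.rx[MBAP_LEN + 1:n]))
            return struct.pack(">HHHB", tid, 0, 1 + len(pdu), uid) + pdu
        # Unsupported function: build the exception PDU in place over the request.
        self.rx[MBAP_LEN] = func | 0x80
        self.rx[MBAP_LEN + 1] = ILLEGAL_FUNCTION
        if self.trust_header_length:
            # VULNERABLE: reply size comes from the request's length field, so a short
            # frame advertising a large length transmits stale bytes beyond offset n.
            total = min(MBAP_LEN - 1 + length, RX_BUF_SIZE)
        else:
            # HARDENED: an exception reply is always unit id + 2-byte PDU; rewrite the
            # length field to say so and send exactly that many bytes.
            struct.pack_into(">H", self.rx, 4, 3)
            total = MBAP_LEN + 2
        return bytes(self.rx[:total])

    @staticmethod
    def _service(func: int, data: bytes) -> bytes:
        if func == 0x03:                  # canned read: two registers
            return bytes([0x03, 0x04]) + struct.pack(">HH", 0x1234, 0x5678)
        return bytes([0x10]) + data[:4]   # write ack echoes address and quantity


# Constructed sample traffic (not captured from a real device).
PREVIOUS_TELEGRAM = (struct.pack(">HHHB", 1, 0, 11, 1)                      # legitimate write
                     + bytes([0x10]) + struct.pack(">HHB", 0x0100, 2, 4) + b"SECR")
MALFORMED_PROBE = struct.pack(">HHHB", 2, 0, 200, 1) + bytes([0x2B, 0x00])  # claims 200, sends 2
WELL_FORMED_PROBE = struct.pack(">HHHB", 3, 0, 3, 1) + bytes([0x2B, 0x00])  # claims 3, sends 2


def exception_reply(vulnerable: bool, probe: bytes) -> bytes:
    """Process a legitimate telegram, then the probe; return the server's reply to the probe."""
    srv = ModbusServerModel(trust_header_length=vulnerable)
    srv.handle(PREVIOUS_TELEGRAM)
    return srv.handle(probe)


if __name__ == "__main__":
    leaked = exception_reply(True, MALFORMED_PROBE)
    print(len(leaked), "bytes from vulnerable model; stale payload present:", b"SECR" in leaked)
    print(len(exception_reply(False, MALFORMED_PROBE)), "bytes from hardened model (frame dropped)")
    print(len(exception_reply(False, WELL_FORMED_PROBE)), "bytes from hardened model (clean exception)")
```

The fix has two parts, and both matter: the header length is checked against the byte count the socket actually delivered before anything is processed, and the reply length is derived from the protocol (an exception response is always nine bytes) rather than copied from the request. Clearing the receive buffer between telegrams would reduce what an over-read can expose but does not remove the bug.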
Kill Chain Progression
Initial Compromise
Description
An attacker exploits a buffer over-read vulnerability in ABB AC500 V2 PLCs via the Modbus TCP interface, leading to unauthorized access to sensitive data.
Related CVEs
CVE-2025-7745 (CVSS 5.8)
A buffer over-read vulnerability in ABB AC500 V2 allows an attacker to access fragments of previous Modbus telegrams, potentially exposing sensitive information.
Affected Products:
ABB AC500 V2 – <=2.5.2 (fixed in firmware 2.5.3)
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Application Layer Protocol (Modbus TCP is the channel the over-read is reached through)
Exploitation of Remote Services (the over-read itself)
Network Sniffing (hypothetical follow-on stage)
Exploitation for Client Execution (hypothetical follow-on stage)
Endpoint Denial of Service (hypothetical follow-on stage; the advisory attributes only information disclosure to this CVE)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Cryptographic Key Establishment and Management
Control ID: SC-12
PCI DSS 4.0 – Protect Stored Account Data
Control ID: 3.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data Protection
Control ID: 3.1
Sector Implications
Industry-specific impact of the vulnerability, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
ABB AC500 V2 PLCs controlling critical energy infrastructure vulnerable to Modbus data exposure, enabling attackers to access sensitive operational telegrams and compromise system integrity.
Utilities
Water and wastewater systems using affected ABB controllers face buffer over-read vulnerabilities allowing unauthorized access to previous Modbus communications and operational data fragments.
Industrial Automation
Manufacturing facilities with ABB AC500 V2 systems exposed to CVE-2025-7745 exploits through unsupported Modbus function codes, revealing fragments of sensitive control system communications.
Chemical
Chemical processing plants relying on vulnerable ABB PLCs risk exposure of critical manufacturing data through Modbus server exploitation, potentially compromising safety and operational security.
Sources
- ABB AC500 V2 (CISA ICS advisory): https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-02
- ABB AC500 V2 Vulnerability Advisory: https://search.abb.com/library/Download.aspx?DocumentID=3ADR011432&LanguageCode=en&DocumentPartId=&Action=Launch
- NVD Entry for CVE-2025-7745: https://nvd.nist.gov/vuln/detail/CVE-2025-7745
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and controlled egress policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access to the PLC may be constrained by CNSF's identity-based policies, which could limit unauthorized connections to critical systems.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could be limited by Zero Trust Segmentation, which may restrict access to sensitive control systems based on strict identity verification.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network may be constrained by East-West Traffic Security, which could enforce strict segmentation between workloads.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels may be limited by Multicloud Visibility & Control, which could monitor and manage network traffic across environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may be constrained by Egress Security & Policy Enforcement, which could control and monitor outbound traffic to prevent unauthorized data transfers.
The attacker's ability to disrupt operations may be limited by the reduced blast radius resulting from strict segmentation and access controls, which could contain the impact to a single workload.
Impact at a Glance
Affected Business Functions
- Industrial Process Control
- SCADA Operations
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of fragments of previous Modbus telegrams, which may contain sensitive operational data.
Recommended Actions
Key Takeaways & Next Steps
- Update affected AC500 V2 controllers to firmware 2.5.3, the release ABB issued to fix CVE-2025-7745, and until then restrict Modbus TCP (port 502) reachability to the engineering and SCADA hosts that need it.
- Implement Encrypted Traffic (HPE) to secure data in transit and prevent unauthorized access.
- Deploy East-West Traffic Security to monitor and control lateral movement within the network.
- Utilize Zero Trust Segmentation to enforce least privilege access and limit the attack surface.
- Establish Multicloud Visibility & Control to detect and respond to anomalous activities across environments.
- Apply Egress Security & Policy Enforcement to prevent unauthorized data exfiltration and command and control communications.
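A wire-level check for this class of leak, added here as example code in Python rather than anything from the advisory or a vendor tool: it splits a server-to-client TCP payload into Modbus ADUs by the MBAP length field, then flags exception replies that carry more than the two-byte PDU the protocol allows, and trailing bytes that form no valid ADU. Splitting by length first matters because Modbus TCP peers may pipeline several ADUs in one segment, which a naive trailing-bytes check would misreport. The sample frames are constructed; how an affected controller actually frames leaked bytes on the wire is not stated on the page, so both signals are checked.

```python
"""
Detection of Modbus TCP replies that carry more than they should.
Added example (constructed samples, not device captures): a Modbus exception
reply is exactly 7 MBAP bytes + 2 PDU bytes, and each MBAP length field must
describe a complete ADU within the payload. Violations of either rule are
candidate over-reads worth an alert in an OT monitoring pipeline.
"""
import struct
from typing import List, Tuple

MBAP_LEN = 7             # transaction id(2) protocol id(2) length(2) unit id(1)
EXCEPTION_PDU_LEN = 2    # function | 0x80, exception code


def split_adus(payload: bytes) -> Tuple[List[bytes], bytes]:
    """Split a TCP payload into ADUs using each MBAP length field; return (adus, leftover)."""
    adus, off = [], 0
    while len(payload) - off >= MBAP_LEN + 1:
        length = struct.unpack(">H", payload[off + 4:off + 6])[0]
        end = off + MBAP_LEN - 1 + length      # length counts unit id + PDU
        if length < 2 or end > len(payload):
            break                              # header does not describe a complete ADU
        adus.append(payload[off:end])
        off = end
    return adus, payload[off:]


def check_payload(payload: bytes) -> List[str]:
    """Return anomaly descriptions for one server->client payload (empty list = clean)."""
    findings = []
    adus, leftover = split_adus(payload)
    for adu in adus:
        tid, pid, length, uid = struct.unpack(">HHHB", adu[:MBAP_LEN])
        func = adu[MBAP_LEN]
        if pid != 0:
            findings.append(f"tid {tid}: protocol id {pid} is not Modbus (0)")
        if func & 0x80:
            extra = adu[MBAP_LEN + EXCEPTION_PDU_LEN:]
            if extra:
                findings.append(f"tid {tid}: exception reply for function 0x{func & 0x7F:02x} "
                                f"carries {len(extra)} extra bytes: {extra[:16].hex()}")
    if leftover:
        findings.append(f"{len(leftover)} trailing bytes form no Modbus ADU: {leftover[:16].hex()}")
    return findings


# Constructed sample replies (not captured from a device).
CLEAN_READ = struct.pack(">HHHB", 1, 0, 7, 1) + bytes([0x03, 0x04]) + b"\x12\x34\x56\x78"
CLEAN_EXCEPTION = struct.pack(">HHHB", 2, 0, 3, 1) + b"\xab\x01"
PIPELINED = CLEAN_READ + CLEAN_EXCEPTION                          # two ADUs in one segment: legal
OVERSIZED_EXCEPTION = (struct.pack(">HHHB", 3, 0, 23, 1) + b"\xab\x01"
                       + b"\x00\x00\x02\x04SECR" + b"\x00" * 12)  # 20 stale bytes after the PDU
TRAILING_BYTES = CLEAN_EXCEPTION + b"\x10\x01\x00\x00\x02\x04SECR"  # stale bytes, no valid header

SAMPLES = {"clean read": CLEAN_READ, "clean exception": CLEAN_EXCEPTION, "pipelined": PIPELINED,
           "oversized exception": OVERSIZED_EXCEPTION, "trailing bytes": TRAILING_BYTES}


def scan(samples=SAMPLES) -> dict:
    """Run the check over every sample and return {name: findings}."""
    return {name: check_payload(frame) for name, frame in samples.items()}


if __name__ == "__main__":
    for name, findings in scan().items():
        print(f"{name:20s} {'OK' if not findings else '; '.join(findings)}")
```

In a real deployment the payloads would come from a TCP stream reassembler (a Zeek or Suricata Modbus parser, or pcap reads via a capture library) rather than from embedded constants; the check itself does not change. Pair any alert with the engineering host's own request log, since a legitimate client that sent an unsupported function code is the expected trigger for a benign nine-byte exception.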