ABB AC500 V3 Multiple Vulnerabilities
ABB AC500 V3 PLCs patched for three critical vulnerabilities enabling auth bypass, cert theft, and DoS
Summary
ABB disclosed three severe vulnerabilities in AC500 V3 PLCs affecting chemical, manufacturing, energy, and water sectors globally. CVE-2025-2595 allows unauthenticated forced-browsing to read visualization files; CVE-2025-41659 permits low-privileged attackers to read/write certificates and keys via CODESYS protocol; CVE-2025-41691 causes DoS via NULL pointer dereference. All are fixed in firmware version 3.9.0.
Full text
ICS Advisory
ABB AC500 V3 Multiple Vulnerabilities
Release Date: May 12, 2026
Alert Code: ICSA-26-132-03
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Summary
ABB became aware of severe vulnerabilities in the product versions listed as affected in the advisory. An update is available that resolves these vulnerabilities. An attacker who successfully exploited these vulnerabilities could bypass the user management and read visualization files (CVE-2025-2595), read and write certificates and keys (CVE-2025-41659) or cause a denial-of-service (DoS) (CVE-2025-41691).

The following versions of ABB AC500 V3 Multiple Vulnerabilities are affected: AC500 V3 <3.9.0, 3.9.0

CVSS v3: 8.3
Vendor: ABB
Equipment: ABB AC500 V3 Multiple Vulnerabilities
Vulnerabilities: Direct Request ('Forced Browsing'), Incorrect Permission Assignment for Critical Resource, NULL Pointer Dereference

Background
Critical Infrastructure Sectors: Chemical, Critical Manufacturing, Energy, Water and Wastewater
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Switzerland

Vulnerabilities

CVE-2025-2595
The visualization allows users to create browser-based visualizations for monitoring and controlling industrial processes. Access to these visualizations can be restricted using the built-in user management. However, an unauthenticated remote attacker can bypass the user management and read visualization files by means of forced browsing. The exposed files, accessible via a web browser, contain only static visualization data such as text lists, icons or images, but no live data from the controlled system.
Affected Products
ABB AC500 V3 Multiple Vulnerabilities
Vendor: ABB
Product Version: ABB AC500 V3 <3.9.0
Product Status: fixed, known_affected

Remediations
Vendor fix: The problem is corrected in the following product versions:
- AC500 V3 firmware version 3.9.0
ABB recommends that customers apply the update at their earliest convenience. This firmware version is released for all AC500 V3 PLC types and available from Automation Builder 2.9.0. Automation Builder 2.9.0 is available for download from the related download site. https://www.abb.com/global/en/areas/motion/digital-tools/automation-builder/software-download
Mitigation: Refer to section “General security recommendations” for further advice on how to keep your system secure.
Workaround: No workarounds are available.

Relevant CWE: CWE-425 Direct Request ('Forced Browsing')

Metrics
CVSS Version: 3.1
Base Score: 5.3
Base Severity: MEDIUM
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C

CVE-2025-41659
A vulnerability in the runtime system allows low-privileged remote attackers to access the PKI folder via the CODESYS protocol, enabling them to read and write certificates and keys. This exposes sensitive cryptographic data and allows unauthorized certificates to be trusted. However, all services remain available; only certificate-based encryption and signing features are affected. The issue affects systems using the optional CmpOpenSSL component for cryptographic operations.

Affected Products
ABB AC500 V3 Multiple Vulnerabilities
Vendor: ABB
Product Version: ABB AC500 V3 <3.9.0
Product Status: fixed, known_affected

Remediations
Vendor fix: The problem is corrected in the following product versions:
- AC500 V3 firmware version 3.9.0
ABB recommends that customers apply the update at their earliest convenience. This firmware version is released for all AC500 V3 PLC types and available from Automation Builder 2.9.0.
Automation Builder 2.9.0 is available for download from the related download site. https://www.abb.com/global/en/areas/motion/digital-tools/automation-builder/software-download
Mitigation: Refer to section “General security recommendations” for further advice on how to keep your system secure.
Workaround: No workarounds are available.

Relevant CWE: CWE-732 Incorrect Permission Assignment for Critical Resource

Metrics
CVSS Version: 3.1
Base Score: 8.3
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L/E:F/RL:O/RC:C

CVE-2025-41691
A vulnerability in the runtime system's CmpDevice component allows unauthenticated attackers to cause a denial-of-service (DoS) via specially crafted communication requests. The issue is triggered by a NULL pointer dereference and also affects systems when outdated clients attempt to log in.

Affected Products
ABB AC500 V3 Multiple Vulnerabilities
Vendor: ABB
Product Version: ABB AC500 V3 <3.9.0
Product Status: fixed, known_affected

Remediations
Vendor fix: The problem is corrected in the following product versions:
- AC500 V3 firmware version 3.9.0
ABB recommends that customers apply the update at their earliest convenience. This firmware version is released for all AC500 V3 PLC types and available from Automation Builder 2.9.0. Automation Builder 2.9.0 is available for download from the related download site. https://www.abb.com/global/en/areas/motion/digital-tools/automation-builder/software-download
Mitigation: Refer to section “General security recommendations” for further advice on how to keep your system secure.
Workaround: No workarounds are available.

Relevant CWE: CWE-476 NULL Pointer Dereference

Metrics
CVSS Version: 3.1
Base Score: 7.5
Base Severity: HIGH
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C

Acknowledgments
ABB PSIRT reported these vulnerabilities to CISA.
Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners.

Frequently Asked Questions

What causes the vulnerability?
- Refer to section “Vulnerability severity and details”.

What is AC500 V3?
- The AC500 V3 is a scalable range of Programmable Logic Controllers (PLCs). It provides solutions for small, medium and high-end applications. The AC500 V3 platform offers different performance levels and is the ideal choice for high availability, extreme environments, condition monitoring, motion control or safety solutions. It offers interoperability and compatibility in hardware and software from compact PLCs up to high-end and safety PLCs.

What might an attacker use the vulnerability to do?
- An attacker who successfully exploited these vulnerabilities could bypass the user management and read visualization files (CVE-2025-2595), read and write certificates and keys (CVE-2025-41659) or cause a denial-of-service (DoS) (CVE-2025-41691).

How could an attacker exploit the vulnerability?
- Refer to section “Vulnerability severity and details”.

Could the vulnerability be exploited remotely?
- Yes, an attacker who has network access to an affected system node could exploit the vulnerabilities. Recommended practices include that process control systems are physically protected, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed.

When this security advisory was issued, had this vulnerability been publicly disclosed?
- Yes, the vulnerabilities have been publicly disclosed.

When this security
Indicators of Compromise
- cve — CVE-2025-2595
- cve — CVE-2025-41659
- cve — CVE-2025-41691