ABB AC500 V3 PLCs Hit by Multiple Critical Vulnerabilities Allowing Remote Attacks
ABB disclosed three vulnerabilities in AC500 V3 PLCs, including forced browsing, certificate theft, and denial-of-service, with firmware 3.9.0 available to fix them.

ABB has disclosed multiple critical vulnerabilities affecting its AC500 V3 programmable logic controllers (PLCs), widely deployed in critical infrastructure sectors such as chemical, energy, and water and wastewater systems. The flaws, identified as CVE-2025-2595, CVE-2025-41659, and CVE-2025-41691, could allow unauthenticated or low-privileged remote attackers to bypass user management, steal cryptographic keys, or crash the device. ABB has released firmware version 3.9.0 to address all three issues, urging customers to update immediately.
The most severe vulnerability, CVE-2025-41659, carries a CVSS score of 8.3 and allows low-privileged remote attackers to read and write certificates and keys stored in the PKI folder via the CODESYS protocol. This exposes sensitive cryptographic material and could enable attackers to inject unauthorized certificates, undermining trust in encrypted communications. The issue affects systems using the optional CmpOpenSSL component for cryptographic operations.
CVE-2025-2595, with a CVSS score of 5.3, enables an unauthenticated remote attacker to bypass the built-in user management and read visualization files through forced browsing. While the exposed files contain only static data such as text lists and icons—not live system data—the breach of access controls still poses a risk to operational security.
The third vulnerability, CVE-2025-41691, is a NULL pointer dereference in the CmpDevice component that can be triggered by specially crafted communication requests, leading to a denial-of-service (DoS). Unauthenticated attackers can exploit this to crash the PLC, potentially disrupting industrial processes. The issue also affects systems when outdated clients attempt to log in.
ABB has released firmware version 3.9.0 for all AC500 V3 PLC types, available through Automation Builder 2.9.0, which can be downloaded from ABB's website. The company recommends applying the update at the earliest convenience and provides general security recommendations for system hardening. No workarounds are available for these vulnerabilities.
CISA published an advisory (ICSA-26-132-03) highlighting the risks, noting that the affected products are deployed worldwide across critical manufacturing, energy, and water sectors. The vulnerabilities were reported by ABB PSIRT to CISA. Organizations using AC500 V3 PLCs should prioritize patching to prevent potential exploitation that could lead to unauthorized access, data theft, or service disruption.
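To turn the patch guidance into a worklist, the following added example (not from ABB's or CISA's advisory) triages an asset inventory against the 3.9.0 fix release and lists which of the three CVEs remain open per controller. The inventory format, its column names, and the rule that any firmware below 3.9.0 is unpatched are assumptions made for illustration; the sample rows are constructed.

```python
import csv
import io

FIXED = (3, 9, 0)  # firmware release the article names as fixing all three CVEs

# Constructed sample inventory; the column names are hypothetical.
SAMPLE_INVENTORY = """\
asset,firmware,cmp_openssl
plc-pump-01,3.8.1,yes
plc-mixer-02,3.9.0,yes
plc-valve-03,3.10.0,no
plc-tank-04,V3.7.2,no
plc-lab-05,unknown,yes
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    parts = text.strip().lstrip("vV").split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(row):
    """Map one inventory row to (status, list of CVEs still open)."""
    version = parse_version(row["firmware"])
    if version is None:
        return "verify-manually", []  # never report an unknown version as patched
    if version >= FIXED:  # tuple compare: 3.10.0 sorts above 3.9.0, unlike strings
        return "patched", []
    # Assumption: every release below 3.9.0 is exposed to the two unauthenticated issues.
    open_cves = ["CVE-2025-2595", "CVE-2025-41691"]
    if row["cmp_openssl"].strip().lower() == "yes":
        # The PKI-folder issue applies where the optional CmpOpenSSL component is in use.
        open_cves.insert(0, "CVE-2025-41659")
    return "update-to-3.9.0", open_cves

def triage_inventory(csv_text):
    """Return {asset: (status, open_cves)} for every row of the inventory CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["asset"]: triage(row) for row in reader}

if __name__ == "__main__":
    for asset, (status, cves) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset:14} {status:16} {', '.join(cves) or '-'}")
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 3.10.0 below 3.9.0 and wrongly flag a newer release as unpatched.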