VYPR advisory · Published May 26, 2026 · 1 source

CISA Warns of Buffer Over-Read in ABB AC500 V2 PLCs Affecting Critical Infrastructure

CISA published an advisory for CVE-2025-7745, a buffer over-read vulnerability in ABB AC500 V2 programmable logic controllers that could leak sensitive Modbus data to unauthenticated attackers.

CISA has issued an advisory (ICSA-26-146-02) warning of a buffer over-read vulnerability in ABB AC500 V2 programmable logic controllers (PLCs), tracked as CVE-2025-7745. The flaw affects firmware versions up to and including 2.5.2 and allows an unauthenticated attacker to send unsupported Modbus function codes to the device, causing fragments of previous Modbus telegrams to be appended to the response. This could leak sensitive data that was previously transmitted by the PLC.

The vulnerability was discovered and reported by Reid Wightman, a researcher at Dragos, and carries a CVSS v3.1 base score of 5.8 (medium severity). The affected products are deployed across critical infrastructure sectors worldwide, including critical manufacturing, energy, and water and wastewater systems. ABB, headquartered in Switzerland, has confirmed that the issue is fixed in firmware version 2.5.3, which was released in 2016.

ABB recommends that users do not use the Modbus server for sending any sensitive data, as fragments might be accessible even after the initial response is sent. Additionally, only supported Modbus function codes should be used, as invalid responses to unsupported function codes could negatively affect the requesting Modbus client. The underlying weakness is classified as CWE-126 (Buffer Over-read).
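As an added defensive example (not code from CISA, ABB or the advisory), the following Python checks Modbus/TCP frames for the two conditions described above: requests whose function code is outside a site-specific allow-list, and exception responses that carry more than the two PDU bytes the protocol defines, which is where over-read fragments would surface; it also classifies a firmware version string against the affected range. The allow-list, the assumption that the PLC answers unsupported codes with a standard exception PDU, and the sample frames are all constructed for illustration.

```python
import struct

# Assumption: site-specific allow-list of function codes the PLC is expected to serve.
SUPPORTED_FUNCTION_CODES = {1, 2, 3, 4, 5, 6, 15, 16}
# Versions up to and including 2.5.2 are affected; 2.5.3 carries the fix.
AFFECTED_FIRMWARE_MAX = (2, 5, 2)


def parse_mbap(frame: bytes) -> dict:
    """Split a Modbus/TCP frame into MBAP fields and PDU, validating the length field."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:]
    if proto != 0 or length != len(pdu) + 1:  # length covers unit id + PDU
        raise ValueError("MBAP length field does not match frame")
    return {"tid": tid, "unit": unit, "fc": pdu[0], "pdu": pdu}


def check_request(frame: bytes):
    """Alert text if a request's function code is outside the allow-list, else None."""
    req = parse_mbap(frame)
    if req["fc"] not in SUPPORTED_FUNCTION_CODES:
        return f"unsupported function code 0x{req['fc']:02x} sent to unit {req['unit']}"
    return None


def check_response(frame: bytes):
    """Alert text if an exception response carries bytes beyond its two-byte PDU, else None.
    Assumption: the device answers unsupported codes with a standard exception PDU
    (function code | 0x80, exception code); any extra bytes are the over-read.
    """
    rsp = parse_mbap(frame)
    pdu = rsp["pdu"]
    if rsp["fc"] & 0x80 and len(pdu) > 2:
        return f"exception response with {len(pdu) - 2} trailing byte(s): {pdu[2:].hex()}"
    return None


def firmware_is_affected(version: str) -> bool:
    """True when a dotted version string falls in the advisory's affected range."""
    return tuple(int(p) for p in version.split(".")) <= AFFECTED_FIRMWARE_MAX


# Constructed sample frames: MBAP (transaction id, protocol id, length, unit id) + PDU.
CLEAN_REQUEST = struct.pack(">HHHB", 1, 0, 6, 1) + bytes([3, 0, 0x10, 0, 2])  # read 2 holding regs
ODD_REQUEST = struct.pack(">HHHB", 2, 0, 2, 1) + bytes([0x2B])  # code not on the allow-list
CLEAN_EXCEPTION = struct.pack(">HHHB", 2, 0, 3, 1) + bytes([0xAB, 0x01])  # illegal-function reply
# Same reply with five stale bytes from an earlier telegram appended (constructed).
LEAKY_EXCEPTION = struct.pack(">HHHB", 2, 0, 8, 1) + bytes([0xAB, 0x01, 3, 0, 0x10, 0, 2])
```

Run `check_request` on traffic towards the PLC and `check_response` on traffic from it; a non-None result on the response side is the signal worth alerting on, since it means the reply carried data the Modbus exception format does not account for.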

CISA advises organizations to minimize network exposure for all control system devices and ensure they are not accessible from the internet. Control system networks should be located behind firewalls and isolated from business networks. When remote access is required, more secure methods such as VPNs should be used, though organizations must recognize that VPNs may have vulnerabilities and should be kept updated.

This advisory is a republication of ABB PSIRT advisory 3ADR011432, converted from the vendor's Common Security Advisory Framework (CSAF) format. CISA notes that it is providing the information "as-is" for informational purposes and does not endorse any commercial product or service.

Organizations using ABB AC500 V2 PLCs should verify their firmware version and update to version 2.5.3 or later if they have not already done so. Given the long-standing availability of the fix, the advisory serves as a reminder that many industrial control systems may still be running outdated firmware, leaving critical infrastructure exposed to data leakage attacks.

Synthesized by Vypr AI