CISA Warns of Cleartext Password Exposure in ABB LVS MConfig Software
CISA issued an advisory for CVE-2025-9970, a high-severity cleartext storage vulnerability in ABB LVS MConfig that could allow local attackers to extract plaintext passwords from memory dumps.

CISA has published an advisory warning of a cleartext storage of sensitive information vulnerability in ABB LVS MConfig, the parameterization software used to configure ABB low-voltage switchgear components. Tracked as CVE-2025-9970 and carrying a CVSS score of 7.4, the flaw affects all versions of MConfig up to and including 1.4.9.21. An attacker with physical or local network access to the host machine can export a memory dump of the running application and recover plaintext passwords that the application has left in memory.
The vulnerability stems from a code defect: MConfig does not clear authentication-related memory after a successful login, so the credential remains in the process address space for as long as the application runs. An attacker who has already gained access to the host, for example by compromising the operating system or by sitting at the console, can trigger a memory dump and extract user credentials from it. With those credentials and access to the switch room where the components are installed, the attacker could modify device settings, compromising the correct operation of motor controllers, feeder controllers, temperature monitoring solutions, and protocol converters.
ABB has released version 1.4.9.22 to address the issue. The update implements two key fixes: it clears any authentication-related memory data after a successful login, and it hashes passwords using SHA-256 instead of storing them in plaintext. ABB strongly advises all customers to update to the latest version immediately. For organizations that cannot upgrade immediately, ABB recommends implementing the defensive measures outlined in the product instruction manual, including restricting physical access to host machines and following general security recommendations.
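The following is an added example, not ABB's code, that shows the two behaviours the advisory describes side by side: a login routine that keeps the typed password in its session state (the leaky pattern) and one that compares against a stored digest and then wipes the plaintext (the fixed pattern), with a scan over the bytes of that state standing in for what an attacker would do with a process dump. The `auth_state` struct, the function names, and the sample password are hypothetical, and the FNV-1a digest is only a self-contained placeholder for the SHA-256 the vendor adopted; it is not a cryptographic hash and not a password hash.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical authentication state of a desktop application. In the
 * example, the bytes of this struct play the role of the memory dump an
 * attacker exports from the running process. */
struct auth_state {
    char     entered_pw[128];  /* what the user typed at the login prompt */
    uint64_t stored_digest;    /* reference value loaded from the config store */
    int      logged_in;
};

static struct auth_state g_state;

/* Stand-in for SHA-256 so the example compiles without a crypto library:
 * FNV-1a 64-bit. NOT a cryptographic hash and NOT a password hash; the
 * point of the example is what happens to the plaintext buffer. */
static uint64_t digest(const char *s, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)s[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Zeroing the optimizer cannot drop: a plain memset() on a buffer that is
 * never read again is routinely removed as a dead store. On Windows the
 * equivalent is SecureZeroMemory(); on glibc, explicit_bzero(). */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

/* Attacker's step: look for a known string in a captured memory region
 * (a generic strings/grep pass over a .dmp file does the same). */
static int dump_contains(const unsigned char *dump, size_t len, const char *needle) {
    size_t nlen = strlen(needle);
    if (nlen == 0 || nlen > len) return 0;
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(dump + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Leaky pattern: the typed password stays in the session state after the
 * decision is made, so it is present in any later dump of the process. */
static int login_leaky(struct auth_state *st, const char *typed) {
    strncpy(st->entered_pw, typed, sizeof st->entered_pw - 1);
    st->entered_pw[sizeof st->entered_pw - 1] = '\0';
    st->logged_in = digest(st->entered_pw, strlen(st->entered_pw)) == st->stored_digest;
    return st->logged_in;            /* entered_pw still holds the plaintext */
}

/* Fixed pattern: compare against the stored digest, then wipe the
 * plaintext immediately, whether or not the login succeeded. */
static int login_fixed(struct auth_state *st, const char *typed) {
    strncpy(st->entered_pw, typed, sizeof st->entered_pw - 1);
    st->entered_pw[sizeof st->entered_pw - 1] = '\0';
    st->logged_in = digest(st->entered_pw, strlen(st->entered_pw)) == st->stored_digest;
    secure_zero(st->entered_pw, sizeof st->entered_pw);
    return st->logged_in;
}

struct scenario_result { int login_ok; int pw_in_dump; };

/* Run one login against a configured password and then "dump" the state.
 * fixed == 0 selects the leaky routine, fixed != 0 the wiping one. */
static struct scenario_result run_scenario(int fixed, const char *configured, const char *typed) {
    struct scenario_result r;
    memset(&g_state, 0, sizeof g_state);
    g_state.stored_digest = digest(configured, strlen(configured));
    r.login_ok = fixed ? login_fixed(&g_state, typed) : login_leaky(&g_state, typed);
    r.pw_in_dump = dump_contains((const unsigned char *)&g_state, sizeof g_state, typed);
    return r;
}

int main(void) {
    const char *pw = "Sw1tchR00m!";   /* constructed sample credential */
    struct scenario_result leaky = run_scenario(0, pw, pw);
    struct scenario_result fixed = run_scenario(1, pw, pw);
    printf("leaky: login=%d password in dump=%d\n", leaky.login_ok, leaky.pw_in_dump);
    printf("fixed: login=%d password in dump=%d\n", fixed.login_ok, fixed.pw_in_dump);
    return 0;
}
```

Two caveats follow from the example. First, the wipe only helps if every copy of the plaintext is wiped: the UI control that received the keystrokes, any intermediate string objects, and the buffer used to compute the digest all count, and a single surviving copy reproduces the finding. Second, storing a digest instead of the plaintext removes the credential from memory but does not by itself make the stored value safe if it is recovered; how much offline cracking a SHA-256 digest resists depends on salting and work factor, which the advisory does not describe, so the version update should be paired with the physical and host access controls ABB recommends rather than treated as a substitute for them.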
The affected product is deployed worldwide across multiple critical infrastructure sectors, including Chemical, Critical Manufacturing, Energy, Food and Agriculture, Transportation Systems, and Water and Wastewater Systems. ABB, headquartered in Switzerland, discovered the vulnerability internally through its PSIRT and coordinated the advisory with CISA. No evidence of active exploitation in the wild has been reported at this time.
While the vulnerability requires local access to exploit, CISA notes that the consequences of successful exploitation are significant. An attacker who obtains user credentials could modify switchgear component settings, potentially disrupting industrial processes or causing equipment damage. The advisory notes that MConfig runs on Windows 11 or later, and that the components it configures are physically installed in low-voltage switchgear located in switch rooms that require authorized access, so an attacker needs both the recovered credentials and access to that room to change device settings.
This advisory is part of a broader pattern of CISA warnings targeting ABB products. Earlier this year, CISA warned of a buffer over-read vulnerability in ABB AC500 V2 PLCs (CVE-2025-7745) and a missing authentication vulnerability in ABB Ability Zenon (CVE-2025-8754). The repeated advisories underscore the importance of securing industrial control system software against credential exposure and memory handling flaws, especially in environments where physical access to host machines cannot be fully guaranteed.