Critical Stack Buffer Overflow in ABB AC500 V3 PLCs Allows Remote Code Execution
CISA has disclosed a critical stack buffer overflow vulnerability in ABB AC500 V3 programmable logic controllers that can be exploited remotely without authentication, potentially leading to remote code execution.

CISA has issued an advisory warning of a critical stack buffer overflow vulnerability, tracked as CVE-2025-15467, affecting ABB AC500 V3 programmable logic controllers (PLCs). The flaw, which carries a CVSS score of 9.8, resides in the firmware's handling of Cryptographic Message Syntax (CMS) structures and can be exploited by an unauthenticated attacker with network access to trigger remote code execution or denial-of-service conditions.
The vulnerability lies in how the AC500 V3 firmware (version 3.9.0) parses CMS EnvelopedData and AuthEnvelopedData structures whose content-encryption algorithm is an authenticated encryption with associated data (AEAD) cipher such as AES-GCM. The initialization vector (IV, the GCM nonce) for these ciphers is carried in the ASN.1 algorithm parameters, so it has to be parsed before the cipher can even be initialized. When processing such a message, the firmware copies the IV into a fixed-size stack buffer without verifying that the encoded IV length fits the destination. An attacker can therefore supply a crafted CMS message with an oversized IV and cause a stack-based out-of-bounds write before any key is used and before any authentication tag is verified.
Because the overflow happens before authentication, no valid key material is needed to trigger it; anyone who can deliver a CMS message to the device can reach the faulty copy. Whether the write can be turned into code execution rather than a crash depends on platform and toolchain mitigations (stack protection, non-executable memory, address-space randomization), but an unauthenticated, attacker-controlled stack write is a severe primitive either way. The vulnerability is classified under CWE-787 (Out-of-bounds Write) and affects all AC500 V3 PM5xxx PLC models running firmware version 3.9.0.
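As an added illustration of the pattern described above (this is example code written for this page, not ABB's firmware, which is not public here), the following C parses the GCMParameters structure that CMS carries in the content-encryption AlgorithmIdentifier for AES-GCM (RFC 5084: an aes-nonce OCTET STRING followed by an optional aes-ICVlen INTEGER), once with the unchecked copy into a fixed stack buffer and once with the length check that closes the hole. The minimal DER reader, the 16-byte GCM_IV_MAX buffer, the gcm_ctx structure, the return codes and the constructed sample messages are all assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed fixed-size destination for the nonce. AES-GCM nonces are 12 bytes in
 * practice; 16 is the most this example's buffer can hold. */
#define GCM_IV_MAX 16

struct gcm_ctx {
    uint8_t iv[GCM_IV_MAX];
    size_t  iv_len;
    size_t  icv_len;          /* aes-ICVlen, DEFAULT 12 (RFC 5084) */
};

/* Minimal definite-length DER TLV reader. Advances *off past the element. */
static int der_read_tlv(const uint8_t *buf, size_t buf_len, size_t *off,
                        uint8_t *tag, const uint8_t **val, size_t *val_len)
{
    size_t i = *off, len;
    if (i >= buf_len || buf_len - i < 2) return -1;
    *tag = buf[i++];
    len = buf[i++];
    if (len & 0x80) {                                   /* long-form length */
        size_t n = len & 0x7F;
        if (n == 0 || n > sizeof(size_t) || n > buf_len - i) return -1;
        len = 0;
        while (n--) len = (len << 8) | buf[i++];
    }
    if (len > buf_len - i) return -1;                   /* value must fit the buffer */
    *val = buf + i; *val_len = len; *off = i + len;
    return 0;
}

/* VULNERABLE pattern (illustration of the advisory, not ABB code): the attacker-
 * supplied aes-nonce length is used directly as the memcpy size into a fixed stack
 * buffer. A nonce longer than GCM_IV_MAX overwrites the stack, and nothing here
 * needs a key, so an unauthenticated sender reaches the bug. Never feed this
 * untrusted input. */
int parse_gcm_params_unsafe(const uint8_t *p, size_t n, struct gcm_ctx *out)
{
    uint8_t iv[GCM_IV_MAX];
    size_t off = 0, seq_len, nonce_len;
    uint8_t tag; const uint8_t *seq, *nonce;
    if (der_read_tlv(p, n, &off, &tag, &seq, &seq_len) || tag != 0x30) return -1;
    off = 0;
    if (der_read_tlv(seq, seq_len, &off, &tag, &nonce, &nonce_len) || tag != 0x04) return -1;
    memcpy(iv, nonce, nonce_len);          /* BUG: nonce_len never checked against sizeof iv */
    memcpy(out->iv, iv, nonce_len);        /* same unchecked length, same problem */
    out->iv_len = nonce_len; out->icv_len = 12;
    return 0;
}

/* Hardened version: every attacker-controlled length is validated before it is
 * used as a copy size, and the whole structure is checked before any key would
 * be loaded or any tag verified. Returns 0, or -1 malformed DER, -2 bad nonce
 * length, -3 bad ICV length (assumed codes). */
int parse_gcm_params_safe(const uint8_t *p, size_t n, struct gcm_ctx *out)
{
    size_t off = 0, seq_len, nonce_len, icv_len;
    uint8_t tag; const uint8_t *seq, *nonce, *icv;
    if (der_read_tlv(p, n, &off, &tag, &seq, &seq_len) || tag != 0x30 || off != n) return -1;
    off = 0;
    if (der_read_tlv(seq, seq_len, &off, &tag, &nonce, &nonce_len) || tag != 0x04) return -1;
    if (nonce_len == 0 || nonce_len > GCM_IV_MAX) return -2;   /* the missing check */
    out->icv_len = 12;
    if (off < seq_len) {                                        /* optional aes-ICVlen */
        if (der_read_tlv(seq, seq_len, &off, &tag, &icv, &icv_len) || tag != 0x02) return -1;
        if (icv_len != 1 || icv[0] < 12 || icv[0] > 16) return -3;  /* RFC 5084 allows 12..16 */
        out->icv_len = icv[0];
    }
    if (off != seq_len) return -1;                              /* trailing bytes */
    memcpy(out->iv, nonce, nonce_len);
    out->iv_len = nonce_len;
    return 0;
}

/* Constructed test input: GCMParameters with a nonce of nonce_len filler bytes
 * and, if icv_len != 0, an explicit aes-ICVlen INTEGER. Short-form lengths only. */
size_t build_gcm_params(uint8_t *out, size_t cap, size_t nonce_len, uint8_t icv_len)
{
    size_t inner = nonce_len + 2 + (icv_len ? 3 : 0), i = 0;
    if (inner > 127 || cap < inner + 2) return 0;
    out[i++] = 0x30; out[i++] = (uint8_t)inner;
    out[i++] = 0x04; out[i++] = (uint8_t)nonce_len;
    for (size_t k = 0; k < nonce_len; k++) out[i++] = (uint8_t)(0xA0 + k);
    if (icv_len) { out[i++] = 0x02; out[i++] = 0x01; out[i++] = icv_len; }
    return i;
}

/* Build a message of the given shape and run the hardened parser on it. */
int parse_constructed(size_t nonce_len, uint8_t icv_len, struct gcm_ctx *ctx)
{
    uint8_t msg[160];
    size_t n = build_gcm_params(msg, sizeof msg, nonce_len, icv_len);
    return n ? parse_gcm_params_safe(msg, n, ctx) : -1;
}

int main(void)
{
    struct gcm_ctx ctx;
    printf("12-byte nonce -> %d\n", parse_constructed(12, 0, &ctx));   /* 0  */
    printf("64-byte nonce -> %d\n", parse_constructed(64, 0, &ctx));   /* -2 */
    printf("ICV length 8  -> %d\n", parse_constructed(12, 8, &ctx));   /* -3 */
    return 0;
}
```

The point of the hardened version is where the check sits: the nonce length is compared against the destination before the copy, and the whole parameter structure is validated before anything cryptographic happens, which is the only place such a check can protect an unauthenticated parser. The 64-byte nonce that the safe parser rejects with -2 is exactly the input that would overrun the 16-byte stack buffer in the unsafe one.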
ABB has released firmware version 3.9.0 HF1 to address the issue. The update is available for download from the ABB library. ABB recommends that customers apply the update at their earliest convenience. No workarounds are available, though ABB advises following general security recommendations such as isolating control system networks from the internet and using firewalls.
The AC500 V3 is a scalable range of PLCs used in small, medium, and high-end industrial applications, including high availability, extreme environments, condition monitoring, motion control, and safety solutions. The affected products are deployed worldwide across critical infrastructure sectors including Chemical, Critical Manufacturing, Energy, and Water and Wastewater systems. ABB is headquartered in Switzerland.
According to the advisory, the vulnerability has been publicly disclosed, but ABB had not received any reports of active exploitation at the time of the advisory's release. CISA recommends that users take defensive measures to minimize exploitation risk, including minimizing network exposure for all control system devices and ensuring they are not accessible from the internet. When remote access is required, more secure methods such as VPNs should be used, bearing in mind that a VPN has its own vulnerabilities, must be kept updated, and is only as secure as the devices connected to it.
This advisory highlights the ongoing risks facing industrial control systems, where critical vulnerabilities in widely deployed PLCs can have severe consequences for operational technology environments. Organizations using ABB AC500 V3 PLCs should prioritize applying the firmware update to mitigate the risk of remote compromise.