ABB’s medium voltage (MV) drives, widely used in industrial automation and critical infrastructure, have been found to contain multiple high-severity vulnerabilities in their CODESYS Runtime System. These security flaws, disclosed in CISA advisory ICSA-25-112-04 [1], could allow remote attackers to gain full control of affected drives or cause denial-of-service conditions. The vulnerabilities impact several product lines including ACS6080, ACS5000, and ACS6000 drives with firmware versions up to LAAAB 5.06.1.
Technical Overview of the Vulnerabilities
The vulnerabilities stem from memory handling and input validation issues in the CODESYS Runtime System, which is embedded in ABB’s MV drives. The most severe vulnerability (CVE-2022-4046 [2]) with a CVSS v4 score of 8.7 allows improper memory buffer operations, potentially enabling privilege escalation from user to full system access. Fifteen additional vulnerabilities (CVE-2023-37545 through CVE-2023-37559) involve improper input validation that could lead to denial-of-service conditions, all with CVSS v4 scores of 7.1.
These vulnerabilities are particularly concerning because ABB MV drives are deployed worldwide in critical manufacturing sectors, with power ranges from 250 kW to over 100 MW [3]. The affected products use advanced control methods like Direct Torque Control (DTC) for industrial applications, making them high-value targets for potential attackers.
Affected Products and Firmware Versions
The vulnerabilities impact specific versions of ABB’s MV drive portfolio:
Product Line | Affected Firmware Versions | Power Range |
---|---|---|
ACS6080 | LAAAA 2.10.0 to LAAAB 5.06.1 | 10-40 MW |
ACS5000 | LAAAB 4.03.0 to LAAAB 5.06.1 | 250-2300 kW |
ACS6000 | LAAAA 2.10.0 to LAAAB 5.06.1 | 3-36 MW |
ABB has addressed these issues in firmware version LAAAB 5.07 and higher by disabling IEC online programming communication by default. The company plans additional security enhancements in future updates to the CODESYS RTS library.
Exploitation Requirements and Attack Vectors
Successful exploitation requires authentication to the affected drive, which can be achieved through two primary methods: direct connection via Drive Automation Builder software or network access to the drive’s local network segment. The vulnerabilities are remotely exploitable with low attack complexity, making them accessible to moderately skilled attackers.
Network isolation is particularly important as these drives often control critical industrial processes. ABB’s security advisory [4] notes that drives should never be connected to general-purpose networks and recommends physical access controls to prevent unauthorized connections.
Mitigation Strategies and Best Practices
ABB recommends immediate updating to firmware version 5.07 or higher. For situations where immediate updating isn’t feasible, the following workarounds can reduce risk:
- Set bit 2 “Disable file download” to TRUE in parameter 96.102
- Implement network segmentation using firewalls
- Restrict physical access to drive connections
- Monitor for unusual network traffic patterns
CISA recommends additional defensive measures including VPNs for remote access, regular patching of connected systems, and implementation of their ICS security recommended practices [5]. Organizations should conduct thorough risk assessments before implementing any mitigation strategies.
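A triage check over a drive inventory, combining the affected firmware ranges from the table above with the parameter 96.102 workaround. This is an added example, not ABB or CISA tooling. Assumptions: the CSV layout and asset names are constructed, parameter 96.102 is exported as a hexadecimal word with bits numbered from zero, and versions are ordered by their numeric part regardless of the LAAAA/LAAAB prefix.

```python
import csv, io, re

# Affected ranges copied from the table above: (first affected, last affected).
# Assumption: ordering follows the numeric part; the LAAAA/LAAAB prefix is ignored.
AFFECTED = {
    "ACS6080": ((2, 10, 0), (5, 6, 1)),
    "ACS5000": ((4, 3, 0), (5, 6, 1)),
    "ACS6000": ((2, 10, 0), (5, 6, 1)),
}
FIXED_FROM = (5, 7, 0)            # "LAAAB 5.07 and higher"
FILE_DOWNLOAD_DISABLED = 1 << 2   # bit 2 of 96.102 (assumed zero-based numbering)

def parse_fw(text):
    """'LAAAB 5.06.1' -> (5, 6, 1); a missing third component is padded with 0."""
    m = re.fullmatch(r"\s*LAAA[AB]\s+(\d+(?:\.\d+){1,2})\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(product, firmware, par_96_102):
    """Classify one drive: not-listed, patched, workaround, exposed or review."""
    if product not in AFFECTED:
        return "not-listed"
    try:
        fw = parse_fw(firmware)
    except ValueError:
        return "review"           # unreadable version: needs a manual check
    if fw >= FIXED_FROM:
        return "patched"
    low, high = AFFECTED[product]
    if not low <= fw <= high:
        return "review"           # outside the documented range
    return "workaround" if par_96_102 & FILE_DOWNLOAD_DISABLED else "exposed"

# Constructed sample inventory (asset names and values are illustrative).
SAMPLE_INVENTORY = """asset,product,firmware,par_96_102
mill-1,ACS6080,LAAAB 5.06.1,0x0000
pump-3,ACS5000,LAAAB 4.03.0,0x0004
fan-2,ACS6000,LAAAB 5.07,0x0000
hoist-9,ACS6000,LAAAA 2.09.0,0x0000
conv-4,OTHER,unknown,0x0000
"""

def audit(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["asset"]: assess(r["product"], r["firmware"],
                               int(r["par_96_102"], 16)) for r in rows}

if __name__ == "__main__":
    for asset, status in audit(SAMPLE_INVENTORY).items():
        print(f"{asset:8} {status}")
```

Drives reported as "workaround" still run affected firmware and remain candidates for the update to 5.07 or higher.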
Security Implications for Industrial Environments
These vulnerabilities highlight the growing security challenges in industrial control systems, particularly in energy-intensive applications where ABB drives are commonly deployed. The affected products are used in mining, water treatment, and oil/gas applications where they contribute to significant energy savings (30-50% on average [3]), making their uninterrupted operation critical.
The disclosure follows increased scrutiny of industrial control system security, with similar vulnerabilities being discovered across vendors. ABB’s response includes not only patching but also enhanced security features in their newer drive models, such as the ACS 6080 with hybrid SiC-IGBT modules [3].
Conclusion
The vulnerabilities in ABB MV drives represent a significant risk to industrial operations worldwide. While no public exploitation has been reported, the combination of high CVSS scores, remote exploitability, and critical deployment environments makes prompt mitigation essential. Organizations using affected drives should prioritize updating to the latest firmware and implementing the recommended security controls.
As industrial systems become increasingly connected, such vulnerabilities underscore the need for robust security practices in operational technology environments. Future firmware updates from ABB are expected to further harden these systems against similar attacks.
References
- [1] “ABB MV Drives Vulnerabilities,” CISA Advisory ICSA-25-112-04, 2025.
- [2] “CVE-2022-4046,” CVE.org, 2022.
- [3] “ABB Medium Voltage AC Drives,” ABB Official Page, 2024.
- [4] “ABB Security Advisory 9AKK108470A9989,” ABB, 2025.
- [5] “ICS Recommended Practices,” CISA, 2024.
- [6] “EU Commission Energy Efficiency Report,” 2023.
- [7] “ABB Product Catalog,” PDF, 2024.
- [8] “ABB Cybersecurity Bulletin,” 2024.