CVE-2025-15467: ABB AC500 V3 Stack Buffer Overflow to RCE
- [01] Immediate impact: ABB AC500 V3 PLCs are vulnerable to remote code execution, denial-of-service, or crashes without authentication.
- [02] Affected systems: ABB AC500 V3 PM5xxx Firmware Version 3.9.0 is susceptible to this critical flaw.
- [03] Remediation: Upgrade ABB AC500 V3 PLCs to firmware version 3.9.0 HF1 immediately.
Critical Vulnerability in ABB AC500 V3 PLCs (CVE-2025-15467)
Runtime Rebel is issuing an urgent advisory regarding a critical vulnerability, identified as CVE-2025-15467, affecting ABB AC500 V3 PM5xxx Programmable Logic Controllers (PLCs). This flaw, a stack buffer overflow, has a CVSS v3 score of 9.8 (Critical) and could enable an unauthenticated remote attacker to cause a denial-of-service (DoS) condition, system crash, or potentially achieve RCE. Given the deployment of these PLCs in critical infrastructure sectors such as Chemical, Critical Manufacturing, Energy, and Water and Wastewater, the potential impact is severe and requires immediate attention from asset owners and operators.
According to CISA ICSA-26-132-05, the vulnerability has been publicly disclosed, although ABB had not received reports of active exploitation at the time the advisory was issued.
Technical Details: How Attackers Exploit CVE-2025-15467
The vulnerability, a CWE-787 Out-of-bounds Write, stems from how ABB AC500 V3 PM5xxx Firmware Version 3.9.0 handles Cryptographic Message Syntax (CMS) structures. Specifically, when parsing CMS (Auth)EnvelopedData structures that utilize Authenticated Encryption with Associated Data (AEAD) ciphers like AES-GCM, the Initialization Vector (IV) encoded within the ASN.1 parameters is copied into a fixed-size stack buffer. The critical flaw lies in the lack of verification for the IV’s length before this copy operation.
An attacker can craft a malicious CMS message containing an oversized IV. When this message is processed by an affected ABB AC500 V3 PLC, it triggers a stack-based out-of-bounds write. A key aspect of this vulnerability, which elevates its severity, is that the overflow occurs prior to any authentication or tag verification. This means an attacker does not need valid key material or credentials to trigger the flaw, making it easily exploitable from a network perspective.
Whether the flaw can be escalated to full RCE depends on the platform and toolchain mitigations present on a given device, but the underlying stack-based write primitive is a severe risk on its own because no authentication is required to reach it. The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, reflecting network access, low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability.
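The defensive pattern the advisory implies, shown as an added example that is not ABB firmware code: a DER decoder for the GCMParameters value carried by CMS (Auth)EnvelopedData when AES-GCM is used (RFC 5084 defines it as a SEQUENCE of an aes-nonce OCTET STRING and an optional aes-ICVlen INTEGER). The attacker-controlled nonce length is checked against both the bytes actually present and the destination buffer before any copy; the 16-byte buffer size and the `status_for` test harness are assumptions for illustration, and the input blobs are constructed, not captured messages.

```c
/* Added example, not ABB firmware code: a bounds-checked decoder for the
 * GCMParameters value that CMS (Auth)EnvelopedData carries when AES-GCM is
 * the content-encryption algorithm (RFC 5084:
 *   GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen INTEGER DEFAULT 12 }).
 * The nonce length is attacker-controlled input and is validated against the
 * destination buffer BEFORE the copy; omitting that check is the CWE-787
 * pattern the advisory describes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GCM_NONCE_MAX 16U   /* assumed fixed-buffer size; CMS AES-GCM normally uses a 12-byte nonce */

enum iv_status {
    IV_OK = 0,
    IV_ERR_TRUNCATED,   /* declared length runs past the available input */
    IV_ERR_BAD_TAG,     /* expected SEQUENCE / OCTET STRING tag missing */
    IV_ERR_BAD_LEN,     /* malformed or zero DER length */
    IV_ERR_OVERSIZED    /* nonce longer than the destination buffer */
};

/* Decode a DER length at p (short form, or long form up to 4 bytes).
 * Returns bytes consumed, 0 on error. Indefinite lengths are rejected. */
static size_t der_len(const uint8_t *p, size_t avail, size_t *out)
{
    if (avail < 1) return 0;
    uint8_t b = p[0];
    if (b < 0x80) { *out = b; return 1; }
    size_t n = b & 0x7F;
    if (n == 0 || n > 4 || avail < 1 + n) return 0;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + n;
}

/* Copy aes-nonce from a DER GCMParameters blob into nonce_out (capacity
 * nonce_cap). Every length is checked against the bytes actually present
 * and against the destination before memcpy touches the stack buffer. */
enum iv_status parse_gcm_nonce(const uint8_t *der, size_t total,
                               uint8_t *nonce_out, size_t nonce_cap,
                               size_t *nonce_len)
{
    size_t pos = 0, len, used;

    if (total < 1) return IV_ERR_TRUNCATED;
    if (der[pos++] != 0x30) return IV_ERR_BAD_TAG;           /* SEQUENCE */
    if (!(used = der_len(der + pos, total - pos, &len))) return IV_ERR_BAD_LEN;
    pos += used;
    if (len > total - pos) return IV_ERR_TRUNCATED;
    size_t seq_end = pos + len;

    if (pos >= seq_end) return IV_ERR_TRUNCATED;
    if (der[pos++] != 0x04) return IV_ERR_BAD_TAG;           /* OCTET STRING */
    if (!(used = der_len(der + pos, seq_end - pos, &len))) return IV_ERR_BAD_LEN;
    pos += used;
    if (len > seq_end - pos) return IV_ERR_TRUNCATED;

    /* The check the vulnerable firmware lacks: reject before copying. */
    if (len == 0) return IV_ERR_BAD_LEN;
    if (len > nonce_cap) return IV_ERR_OVERSIZED;

    memcpy(nonce_out, der + pos, len);
    *nonce_len = len;
    return IV_OK;
}

/* Constructed test input (not a captured message): build GCMParameters
 * whose aes-nonce declares nonce_len bytes (short-form lengths, so < 126),
 * optionally drop trailing bytes so the declared length exceeds the data,
 * then feed it to the parser with a GCM_NONCE_MAX-byte stack buffer. */
enum iv_status status_for(size_t nonce_len, size_t drop)
{
    uint8_t blob[160], nonce[GCM_NONCE_MAX];
    size_t got = 0;
    if (nonce_len >= 126 || nonce_len + 4 > sizeof blob) return IV_ERR_BAD_LEN;
    blob[0] = 0x30; blob[1] = (uint8_t)(nonce_len + 2);
    blob[2] = 0x04; blob[3] = (uint8_t)nonce_len;
    memset(blob + 4, 0x41, nonce_len);
    size_t n = nonce_len + 4;
    if (drop > n) return IV_ERR_BAD_LEN;
    return parse_gcm_nonce(blob, n - drop, nonce, sizeof nonce, &got);
}

int main(void)
{
    printf("12-byte nonce  -> %d\n", status_for(12, 0));
    printf("64-byte nonce  -> %d\n", status_for(64, 0));
    printf("truncated blob -> %d\n", status_for(12, 3));
    return 0;
}
```

The point of the ordering in `parse_gcm_nonce` is that every rejection happens before the stack buffer is written, and that the length is bounded twice: against the enclosing SEQUENCE (so a forged length cannot read past the message) and against `nonce_cap` (so it cannot write past the buffer). Any firmware or library path that decodes AEAD parameters from untrusted CMS input should fail closed in the same way, independently of whether the message would later pass tag verification.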
Actionable Recommendations: Patch ABB AC500 V3 Firmware Immediately
Organizations operating ABB AC500 V3 PM5xxx PLCs must prioritize remediation to mitigate the severe risks posed by CVE-2025-15467. The primary and most effective remediation is to apply the vendor-provided firmware update.
- Firmware Upgrade: Immediately upgrade affected ABB AC500 V3 PM5xxx PLCs from Firmware Version 3.9.0 to Firmware Version 3.9.0 HF1 or later. This corrected version is available for download from the ABB library.
Mitigating ABB AC500 V3 Stack Overflow Risks
Beyond patching, implementing a robust defense-in-depth strategy is crucial for Industrial Control Systems (ICS) environments. Consider the following recommended practices to minimize exploitation risk and secure operational technology (OT) assets:
- Network Segmentation: Isolate control system networks and remote devices from business networks. Deploy firewalls to restrict traffic, ensuring that only essential ports are exposed. Control system devices should not be directly accessible from the internet.
- Secure Remote Access: If remote access is indispensable, utilize secure methods such as Virtual Private Networks (VPNs). Ensure VPNs are updated to the latest available versions and configured with strong authentication mechanisms. Remember that a VPN’s security is intrinsically linked to the security posture of its connected devices.
- Impact Analysis and Risk Assessment: Before deploying any defensive measures, conduct a thorough impact analysis and risk assessment specific to your operational environment.
- Proactive Defense: Implement recommended cybersecurity strategies for the proactive defense of ICS assets, following guidance from organizations like CISA. This includes, but is not limited to, regularly reviewing network logs for unusual activity and employing intrusion detection systems within the OT network segments.
- Incident Reporting: Organizations observing suspected malicious activity related to this or other vulnerabilities should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. Proactive reporting helps the broader cybersecurity community understand evolving TTPs and strengthen collective defenses.