
ABB AC500 V3 Critical RCE (CVSS 9.8) — Detection and Hardening Guide

Security Arsenal Team
May 13, 2026

A critical vulnerability has been identified in ABB AC500 V3 PLCs, specifically within the implementation of the Cryptographic Message Syntax (CMS) component. Rated CVSS 9.8, this stack buffer overflow flaw allows unauthenticated remote attackers to execute arbitrary code or trigger a denial-of-service (DoS) condition. Given the deployment of these controllers across Critical Manufacturing, Energy, and Water sectors, this represents a high-risk pathway for adversaries to disrupt physical processes or establish a foothold in OT networks. Defenders must prioritize identifying affected assets immediately and applying the vendor-supplied update before active exploitation attempts begin.

Technical Analysis

  • Affected Products: ABB AC500 V3 (PM5xxx series).
  • Affected Versions:
    • 3.9.0
    • 3.9.0_HF1
  • Vulnerability Type: Stack-based Buffer Overflow (CWE-121) within the Cryptographic Message Syntax (CMS) parsing logic.
  • Vector: Remote, Unauthenticated. The vulnerability is triggered by processing specially crafted messages sent to the targeted device.
  • Impact:
    • Code Execution: The overflow allows an attacker to corrupt the instruction pointer, potentially leading to the execution of malicious shellcode with the privileges of the PLC runtime process.
    • Crash/DoS: Improper payload handling results in a service crash, halting control logic.
  • Exploitation Status: The vulnerability is publicly reported and patched by ABB. While active exploitation in the wild has not been explicitly confirmed at the time of writing, the availability of a fix and the critical CVSS score make reverse-engineering and exploit development highly likely in the short term.

Detection & Response

Detecting exploitation attempts on ICS assets requires a layered approach. Since traditional EDR agents are rarely deployed directly on PLCs, detection relies heavily on monitoring network traffic for anomaly patterns and observing the behavior of associated Engineering Workstations.

SIGMA Rules

The following rules detect potential scanning for the vulnerability (anomalous traffic) and the subsequent crash of the engineering software communicating with the PLC (a common symptom of a PLC crash during exploitation).

YAML
---
title: Potential ABB AC500 V3 CMS Exploitation - Anomalous Traffic
id: 8f2a4b1c-9d3e-4a1f-b5c6-7e8d9f0a1b2c
status: experimental
description: Detects potential exploitation attempts against ABB AC500 V3 by identifying connections to common ICS ports whose source address lies outside the private (RFC 1918) ranges used by the OT network.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-05
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    # Exact port match; a 'startswith' on the port would also match 1020, 5020 and similar
    DestinationPort:
      - 102   # ISO-TSAP/S7Comm, often present alongside ABB controllers
      - 2404  # IEC 60870-5-104, common in ABB setups
      - 502   # Modbus TCP
    Initiated: 'true'
  filter_legit:
    # CIDR match instead of prefix match: '172.' alone would also exclude public 172.x addresses
    SourceIp|cidr:
      - '10.0.0.0/8'
      - '172.16.0.0/12'
      - '192.168.0.0/16'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate remote maintenance connections from trusted external IPs
level: high
---
title: ABB Automation Builder Crash - Potential PLC Exploitation Side Effect
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects restarts of the ABB Automation Builder engineering tool that are not driven by an installer. An unexpected restart may follow a crash caused by communication loss if the connected PLC crashes or resets abruptly during an exploit attempt.
references:
  - https://www.abb.com
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.impact
  - attack.t1499
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\AutomationBuilder.exe'
    CommandLine|contains: 'restart'
  filter_update:
    ParentImage|endswith: '\Installer.exe'
  condition: selection and not filter_update
falsepositives:
  - Manual software restarts by engineers
  - Routine software updates
level: medium

KQL (Microsoft Sentinel)

Use this query to hunt for connection failures or resets to OT assets, which may indicate a crash induced by the buffer overflow.

KQL — Microsoft Sentinel / Defender
let OT_Subnets = dynamic(["10.0.0.0/8", "192.168.1.0/24"]); // Replace with your specific OT subnets
DeviceNetworkEvents
// CIDR membership test; a plain "in" would only match the literal strings in the list
| where ipv4_is_in_any_range(RemoteIP, OT_Subnets)
| where ActionType == "ConnectionFailed"
| summarize count() by bin(Timestamp, 5m), RemoteIP, RemotePort, InitiatingProcessAccountName
| where count_ > 5 // Threshold for anomalous connection attempts per 5-minute window
| project Timestamp, RemoteIP, RemotePort, InitiatingProcessAccountName, count_
| sort by Timestamp desc

Velociraptor VQL

This artifact hunts for signs of the engineering tool crashing or restarting on the administrator workstation.

VQL — Velociraptor
-- List running ABB engineering tool processes. pslist() shows current processes only,
-- so a recent CreateTime on a long-running workstation points to a restart after a crash.
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ 'AutomationBuilder'
   OR Exe =~ '.*Control Builder.*'
ORDER BY CreateTime DESC

Remediation Script (Bash)

This script assists in identifying ABB devices on the local network segment by inspecting MAC addresses (ABB OUI prefixes) to help locate vulnerable assets for patching.

Bash / Shell
#!/bin/bash
# ABB AC500 V3 Network Discovery Script
# Helps identify potential ABB devices by MAC OUI for patch verification
set -u

# OUI prefixes as listed in this guide; confirm them against the IEEE OUI registry before relying on them
OUI_REGEX="00:0E:8C|88:CC:CC"

echo "Scanning local network for ABB devices (MAC OUI: 00:0E:8C, 88:CC:CC)..."

# Identify the default interface and the first directly connected range on it
INTERFACE=$(ip route | awk '/^default/ {print $5; exit}')
NETWORK=$(ip route | awk -v dev="$INTERFACE" '$1 != "default" && $3 == dev {print $1; exit}')

if [ -z "$INTERFACE" ] || [ -z "$NETWORK" ]; then
  echo "Could not determine local network range."
  exit 1
fi

echo "Scanning Network: $NETWORK on $INTERFACE"

# Use arp-scan (active ARP sweep of the detected range) or fall back to the passive neighbour table
if command -v arp-scan > /dev/null 2>&1; then
  sudo arp-scan --interface="$INTERFACE" "$NETWORK" | grep -Ei "$OUI_REGEX"
else
  echo "arp-scan not found. Checking ARP table for known ABB prefixes..."
  ip neigh show dev "$INTERFACE" | grep -Ei "$OUI_REGEX"
fi

echo "Manual verification required: Confirm model is AC500 V3 PM5xxx and version is 3.9.0 / 3.9.0_HF1."

Remediation

  1. Apply Firmware Update: Immediate installation of the vendor-provided update is mandatory. Update affected AC500 V3 PM5xxx controllers from versions 3.9.0 or 3.9.0_HF1 to the latest patched version specified in the official ABB advisory.
  2. Network Segmentation: Ensure PLCs are placed in isolated VLANs, strictly limiting access to engineering workstations and required HMIs. Block inbound traffic from untrusted networks (e.g., business IT, Internet) to the PLC subnets.
  3. Monitor for Anomalies: Deploy deep packet inspection (DPI) rules for ICS protocols to detect malformed CMS packets or unexpected protocol commands targeting the AC500 series.
  4. Review Access Controls: Audit and restrict remote access solutions (VPN, RDP) that serve as jump hosts to the OT environment.
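The DPI check in step 3 needs something concrete to key on. As an added example, not code from the original post, from ABB, or from any DPI product, the following walks the DER TLV tree of a CMS (RFC 5652) message and flags the malformations a stack overflow in a CMS parser would depend on: length fields that overrun their enclosing element, non-DER length forms, oversized elements, and excessive nesting. The ceilings and the sample messages are assumptions constructed for the example.

```python
MAX_DEPTH = 16           # assumed ceiling; legitimate CMS nests far less deeply
MAX_ELEMENT = 64 * 1024  # assumed per-element byte ceiling; tune to your traffic

def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:                                   # short form
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):          # indefinite, huge or truncated
        raise ValueError("indefinite, oversized or truncated length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if (n == 1 and length < 0x80) or (n > 1 and buf[pos] == 0):
        raise ValueError("non-minimal length encoding")  # DER requires minimal form
    return length, pos + n

def check_der(buf: bytes) -> list[str]:
    """Walk the TLV tree (single-byte tags, as CMS uses); empty findings = sound."""
    findings: list[str] = []

    def walk(start: int, end: int, depth: int) -> None:
        pos = start
        while pos < end:
            if depth > MAX_DEPTH:
                findings.append(f"nesting deeper than {MAX_DEPTH} at offset {pos}")
                return
            tag, pos = buf[pos], pos + 1
            try:
                length, pos = _read_length(buf, pos)
            except ValueError as exc:
                findings.append(f"{exc} at offset {pos}")
                return
            if pos + length > end:                     # the overrun a parser must never trust
                findings.append(f"length {length} overruns enclosing element at offset {pos}")
                return
            if length > MAX_ELEMENT:
                findings.append(f"element of {length} bytes exceeds ceiling at offset {pos}")
            if tag & 0x20:                             # constructed: descend into contents
                walk(pos, pos + length, depth + 1)
            pos += length

    walk(0, len(buf), 0)
    return findings

# Constructed samples: minimal ContentInfo { id-signedData, [0] { SEQUENCE { INTEGER 1 } } },
# the same with an outer length claiming 65535 absent bytes, and one with a non-DER length.
GOOD_CMS = bytes.fromhex("3012" "06092a864886f70d010702" "a0053003020101")
OVERSIZED_CMS = bytes.fromhex("3082ffff" "06092a864886f70d010702")
NON_MINIMAL_CMS = bytes.fromhex("308112" "06092a864886f70d010702" "a0053003020101")
```

Run it over CMS payloads carved from a pcap of the PLC segment; any non-empty result is worth an alert, since well-formed DER never produces one.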

Vendor Advisory: ABB Security Advisory (via CISA ICSA-26-132-05)
