Introduction
Security Arsenal is tracking a significant vulnerability impacting ABB’s LVS MConfig software, a critical component used across the Energy, Water and Wastewater, and Transportation sectors. The vulnerability, tracked in CISA Advisory ICSA-26-146-06, involves the cleartext storage of sensitive information in memory. This flaw allows an attacker with adjacent network access to dump the process memory of the application and retrieve credentials, potentially leading to lateral movement within the Operational Technology (OT) environment. Given the high CVSS score of 7.4 and the critical nature of the affected infrastructure, immediate identification and patching are required.
Technical Analysis
Vulnerability: Cleartext Storage of Sensitive Information in Memory
Affected Product: ABB LVS MConfig
Affected Versions: LVS <= 1.4.9.21
CVSS Score: 7.4 (High)
Attack Mechanics:
The application functions as a configuration tool but fails to adequately protect sensitive data (likely passwords or cryptographic keys) when loaded into RAM. Under normal operations, this data resides in the heap or stack of the MConfig.exe process in cleartext.
Exploitation Requirements:
- Access: The attacker must have access to the local network where the MConfig software is hosted.
- Capabilities: The attacker must be able to interact with the underlying host operating system to read the memory of the MConfig process. In practice that means a foothold on the host (code execution, or an interactive session as a user allowed to open a handle to the MConfig process) followed by a dump tool: ProcDump, the "Create dump file" option in Task Manager, or rundll32 loading comsvcs.dll MiniDump.
- Impact: Once the memory dump is acquired, the attacker can run strings over it to recover exposed credentials. Windows applications hold text as UTF-16LE, so a wide-character pass (strings -el with GNU strings, strings -u with the Sysinternals version) is needed in addition to the default ASCII scan; otherwise most .NET and Win32 string data is missed.
Exploitation Status: As of the advisory release, this is an internally discovered vulnerability. There is no confirmation of active exploitation in the wild, but because memory dumping needs no custom tooling, it is a realistic step for any actor who already has a foothold in the engineering network.
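The last step of the attack described above, carving credentials out of a process dump, as an added example that is not code from the Security Arsenal page or from ABB. It scans both ASCII and UTF-16LE runs, because an ASCII-only strings pass never shows the wide-character text Windows and .NET applications keep in memory. The sample dump is constructed, and the keyword list and key=value shape are assumptions about how such credentials look, not facts from the advisory.

```python
"""Carve credential strings from a process memory dump.

Added example (not code from the Security Arsenal page or from ABB).
Scans ASCII and UTF-16LE runs, then keeps the ones that mention a
credential keyword. Sample dump and keyword list are constructed/assumed.
"""
import re
from typing import Dict, Iterator, List, Tuple

MIN_LEN = 6
KEYWORDS = ("password", "passwd", "pwd", "secret", "apikey", "token")

# A run of printable ASCII bytes.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# A run of UTF-16LE code units for printable ASCII: each byte followed by NUL.
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
# key=value or key: value; the value ends at whitespace or ';'. Assumed shape.
VALUE_RE = re.compile(r"(?i)(password|passwd|pwd|secret|apikey|token)\s*[=:]\s*([^\s;]+)")


def carve_strings(blob: bytes) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text) for every printable run in the blob."""
    for m in ASCII_RE.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_credentials(blob: bytes) -> List[Dict[str, object]]:
    """Return carved strings that mention a credential keyword, by offset.

    `value` is filled in when the string has key=value shape; strings that only
    contain the keyword (UI labels such as "Enter password") come back with
    value=None so the analyst can rank real secrets first.
    """
    hits = []
    for offset, enc, text in carve_strings(blob):
        if not any(k in text.lower() for k in KEYWORDS):
            continue
        m = VALUE_RE.search(text)
        hits.append({"offset": offset, "encoding": enc, "text": text,
                     "value": m.group(2) if m else None})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_dump() -> bytes:
    """Constructed stand-in for a MConfig.exe dump (not real data)."""
    filler = b"\x00\x01\xff\xfe" * 64                                 # 256 non-printable bytes
    ascii_secret = b"ConfigUser=engineer;Password=Summer2024!"        # 40 bytes at offset 256
    wide_secret = "DevicePassword=Plc#Admin1".encode("utf-16le")      # 50 bytes at offset 552
    label = "Enter password".encode("utf-16le")                       # keyword, no value, at 858
    return filler + ascii_secret + filler + wide_secret + filler + label + filler


if __name__ == "__main__":
    for hit in find_credentials(build_sample_dump()):
        print(f"{hit['offset']:#08x} {hit['encoding']:9} value={hit['value']!r} text={hit['text']!r}")
```

On the constructed dump the ASCII pass finds only the first secret; the second secret and the label are only visible to the UTF-16LE pass, which is the point of running both.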
Detection & Response
Detecting this specific vulnerability relies on identifying suspicious interactions with the MConfig process (attempts to read memory) and verifying the presence of vulnerable versions across your environment.
Sigma Rules
The following rules detect potential attempts to dump the memory of the MConfig application or interactions with debugging tools often used to harvest credentials from memory.
---
title: Potential Credential Dumping Targeting ABB MConfig
id: 8a2b4c1d-5e6f-4a3b-8c9d-0e1f2a3b4c5d
status: experimental
description: |
  Detects process-creation events in which a memory dumping tool is pointed at
  ABB LVS MConfig (ProcDump taking a full dump of MConfig) or in which rundll32
  loads comsvcs.dll MiniDump, the living-off-the-land way to dump a process.
  Both indicate harvesting of the cleartext data MConfig holds in memory.
  The comsvcs selection takes a PID rather than a name, so it cannot be tied to
  MConfig from the command line alone; resolve the PID against process telemetry
  in the SIEM. Task Manager's "Create dump file" runs inside taskmgr.exe and
  produces no process-creation event, so it is not covered by this rule.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-06
author: Security Arsenal
date: 2026/04/06
tags:
  - attack.credential_access
  - attack.t1003
logsource:
  category: process_creation
  product: windows
detection:
  selection_procdump:
    Image|endswith:
      - '\procdump.exe'
      - '\procdump64.exe'
    CommandLine|contains|all:
      - '-ma'
      - 'MConfig'
  selection_comsvcs:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains: 'comsvcs'
  selection_minidump:
    CommandLine|contains:
      - 'MiniDump'
      - '#24'
  condition: selection_procdump or (selection_comsvcs and selection_minidump)
falsepositives:
  - Legitimate crash-dump collection by authorized personnel or vendor support
level: high
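The rule above evaluated over sample events, as an added example that is not code from the page, from ABB, or from the Sigma project. It runs the two selections over constructed Sysmon Event ID 1 style records and adds the step a Sigma rule cannot express on its own: both ProcDump and comsvcs.dll MiniDump may name their target by PID rather than by image name, so the PID is resolved against the same event stream to decide whether MConfig.exe was the target. Field names follow Sysmon; the events and paths are constructed, not real telemetry.

```python
"""Evaluate the MConfig dump-tool detection over process-creation events.

Added example (not from the page, ABB, or the Sigma project). Implements the
rule's two selections plus PID-to-image resolution for targets given by PID.
Events below are constructed Sysmon EID 1 style records, not real telemetry.
"""
import re
from typing import Dict, List

DUMP_TOOLS = ("\\procdump.exe", "\\procdump64.exe")
# ProcDump full-dump target is the token after -ma; it may be a name or a PID.
PROCDUMP_TARGET_RE = re.compile(r"-ma\s+(\S+)", re.IGNORECASE)
# rundll32 comsvcs.dll, MiniDump <pid> <path> full   (or the ordinal form #24)
COMSVCS_RE = re.compile(r"comsvcs\.dll\s*,?\s*(?:MiniDump|#24)\s+(\d+)", re.IGNORECASE)

# Constructed events (Sysmon EID 1 fields, trimmed). Not real telemetry.
EVENTS: List[Dict[str, str]] = [
    {"ProcessId": "4120", "Image": r"C:\Program Files\ABB\LVS\MConfig.exe",
     "CommandLine": r'"C:\Program Files\ABB\LVS\MConfig.exe"'},
    {"ProcessId": "5588", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma MConfig.exe C:\Users\Public\m.dmp"},
    {"ProcessId": "6012", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 4120 C:\Users\Public\m2.dmp full"},
    {"ProcessId": "6100", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},                 # benign rundll32
    {"ProcessId": "6200", "Image": r"C:\Tools\procdump64.exe",
     "CommandLine": r"procdump64.exe -accepteula -ma notepad.exe C:\tmp\n.dmp"},  # other target
    {"ProcessId": "6300", "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma 4120 C:\tmp\x.dmp"},          # MConfig by PID
]


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def resolve_target(token: str, pid_to_image: Dict[str, str]) -> str:
    """Turn a ProcDump/comsvcs target token (name or PID) into a lower-case image name."""
    if token.isdigit():
        return pid_to_image.get(token, "unknown-pid-" + token)
    name = token.lower()
    return name if name.endswith(".exe") else name + ".exe"


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """One alert per ProcDump of MConfig.exe, and per comsvcs MiniDump of any process."""
    pid_to_image = {e["ProcessId"]: image_name(e["Image"]) for e in events}
    alerts = []
    for e in events:
        image, cmd = e["Image"].lower(), e["CommandLine"]
        if image.endswith(DUMP_TOOLS):
            m = PROCDUMP_TARGET_RE.search(cmd)
            if m and resolve_target(m.group(1), pid_to_image) == "mconfig.exe":
                alerts.append({"ProcessId": e["ProcessId"], "technique": "procdump",
                               "target": "mconfig.exe", "level": "high"})
        elif image.endswith("\\rundll32.exe"):
            m = COMSVCS_RE.search(cmd)
            if m:
                target = resolve_target(m.group(1), pid_to_image)
                # comsvcs MiniDump is suspicious on any target; escalate when it is MConfig.
                alerts.append({"ProcessId": e["ProcessId"], "technique": "comsvcs_minidump",
                               "target": target,
                               "level": "high" if target == "mconfig.exe" else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Event 6300 is the case the Sigma rule misses on its own (ProcDump given a PID, so 'MConfig' never appears on the command line); it is caught here only because PID 4120 is resolved to MConfig.exe from the earlier process-creation record.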
---
title: ABB MConfig Vulnerable Version Detected
id: 9b3c5d2e-6f7a-5b4c-9d0e-1f2a3b4c5d6e
status: experimental
description: |
  Flags process-creation events for ABB LVS MConfig binaries whose version is
  at or below 1.4.9.21. Sysmon Event ID 1 carries the FileVersion field used
  here; a file_event (Event ID 11) does not, so the rule is written against
  process creation. Sigma matches strings, not version numbers: the prefixes
  below cover every 1.4.x and earlier release but would also flag a 1.4.9 build
  newer than .21 if ABB ships one, so confirm with the PowerShell or VQL checks
  before escalating.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-06
author: Security Arsenal
date: 2026/04/06
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\MConfig.exe'
    FileVersion|startswith:
      - '1.4.'
      - '1.3.'
      - '1.2.'
      - '1.1.'
      - '1.0.'
  condition: selection
falsepositives:
  - Legacy systems authorized for operation with compensating controls
level: medium
KQL (Microsoft Sentinel / Defender Advanced Hunting)
This query hunts for processes that opened a handle to MConfig.exe with PROCESS_VM_READ (0x0010), the access right required to read another process's memory. Defender for Endpoint records handle opens as OpenProcessApiCall events in DeviceEvents, with the requested rights in the AdditionalFields JSON; the process-creation table does not carry access rights, so it cannot answer this question. Expect noise from EDR agents and backup software and tune the exclusions to your estate.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "MConfig.exe"
| extend DesiredAccess = tolong(parse_json(AdditionalFields).DesiredAccess)
| where binary_and(DesiredAccess, 0x10) != 0          // PROCESS_VM_READ
| where InitiatingProcessFileName !~ "MConfig.exe"   // ignore the application opening itself
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessId, DesiredAccess
| order by Timestamp desc
Velociraptor VQL
Use this query to locate the MConfig executable on endpoints and read its version resource to confirm whether it is a vulnerable release. parse_pe() exposes the PE version block directly, so no string parsing of a description field is needed. The vulnerable range is matched with a regular expression rather than a string comparison: a lexical "<=" would sort 1.4.10.0 before 1.4.9.21 and misclassify a newer build.
-- Hunt for ABB LVS MConfig versions at or below 1.4.9.21
LET VulnPattern = "^(0[.]|1[.][0-3][.]|1[.]4[.][0-8][.]|1[.]4[.]9$|1[.]4[.]9[.]([0-9]|1[0-9]|2[01])$)"

SELECT * FROM (
  SELECT OSPath,
         Size,
         Mtime AS ModifiedTime,
         parse_pe(file=OSPath).VersionInformation.ProductVersion AS ProductVersion,
         parse_pe(file=OSPath).VersionInformation.FileVersion AS FileVersion
  FROM glob(globs=["C:/Program Files/**/MConfig.exe",
                   "C:/Program Files (x86)/**/MConfig.exe"])
)
WHERE ProductVersion =~ VulnPattern OR FileVersion =~ VulnPattern
Version Check Script (PowerShell)
Run this script on Windows engineering workstations or servers where ABB software is hosted to identify instances of the vulnerable software. It checks running processes first and then scans both Program Files trees on disk. Versions are compared as [version] objects, not strings: a string comparison would rank "1.4.10.0" below "1.4.9.21" and misreport a patched build as vulnerable.
# Check for vulnerable ABB LVS MConfig versions (at or below 1.4.9.21)
$VulnerableThreshold = [version]"1.4.9.21"
$BinaryNames = @("MConfig.exe", "ABB.LVS.MConfig.exe")

function Get-BinaryVersion {
    # Returns the file version as [version], or $null if it cannot be parsed.
    param([string]$Path)
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    if (-not $raw) { return $null }
    # Keep only the leading dotted numeric part, e.g. "1.4.9.21 (release)" -> "1.4.9.21"
    $clean = ($raw -replace '^[^\d]*', '') -replace '[^\d.].*$', ''
    try { return [version]$clean } catch { return $null }
}

function Test-Binary {
    param([string]$Path, [string]$Source)
    $ver = Get-BinaryVersion -Path $Path
    if ($null -eq $ver) {
        Write-Host "[?] UNKNOWN VERSION ($Source): $Path" -ForegroundColor Yellow
    } elseif ($ver -le $VulnerableThreshold) {
        Write-Host "[!] VULNERABLE ($Source): $Path version $ver" -ForegroundColor Red
    } else {
        Write-Host "[+] OK ($Source): $Path version $ver" -ForegroundColor Green
    }
}

Write-Host "[+] Scanning for ABB LVS MConfig installations..."
$Seen = @{}

# 1. Running processes (Get-Process -Name takes the name without the .exe extension)
foreach ($Name in $BinaryNames) {
    $procName = [IO.Path]::GetFileNameWithoutExtension($Name)
    foreach ($proc in @(Get-Process -Name $procName -ErrorAction SilentlyContinue)) {
        # Path is empty when the process cannot be opened; run elevated for full coverage
        if ($proc.Path -and -not $Seen.ContainsKey($proc.Path)) {
            $Seen[$proc.Path] = $true
            Test-Binary -Path $proc.Path -Source "running, PID $($proc.Id)"
        }
    }
}

# 2. Installed binaries on disk (covers installations that are not currently running)
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }
foreach ($Root in $Roots) {
    foreach ($Name in $BinaryNames) {
        Get-ChildItem -Path $Root -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                if (-not $Seen.ContainsKey($_.FullName)) {
                    $Seen[$_.FullName] = $true
                    Test-Binary -Path $_.FullName -Source "on disk"
                }
            }
    }
}
Remediation
- Patch Immediately: ABB advises updating to the latest software version. Obtain a release newer than 1.4.9.21 through the official ABB support portal or your regional ABB support contact, and re-run the version check afterwards to confirm no older copy remains on disk.
- Network Segmentation: Since exploitation requires local network access, ensure that the engineering workstations running MConfig are isolated from the broader ICS network and strictly segmented from the IT network via a DMZ or Jump Host.
- Access Control: Limit administrative access to the hosts running MConfig. Ensure that only authorized OT personnel can log in to these systems.
- Official Advisory: Review the full details at CISA ICSA-26-146-06.