
CVE-2025-2595, CVE-2025-41659, CVE-2025-41691: ABB AC500 V3 PLCs — Detection and Hardening Guide

Security Arsenal Team
May 14, 2026

Defenders managing operational technology (OT) environments need to be on high alert following the release of a CISA advisory (ICSA-26-132-03) detailing multiple severe vulnerabilities in ABB AC500 V3 Programmable Logic Controllers (PLCs). These devices are critical components in industrial automation, particularly within the Chemical sector and other critical infrastructure verticals.

The vulnerabilities—tracked as CVE-2025-2595, CVE-2025-41659, and CVE-2025-41691—present a significant risk. Successful exploitation allows attackers to bypass user management controls to read sensitive visualization files, exfiltrate cryptographic certificates and keys, or crash the device entirely. Given the prevalence of ABB hardware in process automation, this represents a high-priority threat for ICS security teams.

Technical Analysis

Affected Products:

  • ABB AC500 V3 (firmware versions up to and including 3.9.0)

Vulnerability Breakdown:

  • CVE-2025-2595 (Direct Request / Forced Browsing): This vulnerability allows an attacker to bypass the user management mechanism. By exploiting improper access controls on the web visualization interface, an unauthenticated actor can directly request and read visualization files. This could expose sensitive process data, HMI layouts, or operational logic.

  • CVE-2025-41659 (Incorrect Permission Assignment): A critical permission flaw allows for the reading and writing of certificates and private keys. In an ICS context, the compromise of cryptographic assets is catastrophic; it facilitates man-in-the-middle (MitM) attacks, allowing attackers to decrypt engineering traffic, inject malicious commands, or persist within the control network by spoofing legitimate devices.

  • CVE-2025-41691 (NULL Pointer Dereference): This flaw triggers a denial-of-service (DoS) condition. By sending a specifically crafted request, an attacker can crash the PLC. In a chemical or manufacturing environment, the loss of a PLC can lead to unsafe process states, production stoppages, and physical equipment damage.

Exploitation Status: While CISA has not explicitly confirmed active exploitation in the wild at the time of this writing, the technical nature of these vulnerabilities (web-based bypass and DoS) makes them trivial to weaponize once a foothold is gained in the OT network. The presence of "Forced Browsing" indicates simple HTTP manipulation is required to trigger the impact.

Detection & Response

Detecting exploitation of OT protocols requires monitoring at the network level, specifically focusing on the engineering workstation (EWS) traffic and any abnormal HTTP/HTTPS communications directed at PLC IP ranges. Traditional EDR is ineffective on the PLC itself; therefore, we rely on detecting the anomalous web behavior on the wire or at the boundary firewall.

SIGMA Rules

The following rules focus on detecting the "Forced Browsing" behavior associated with CVE-2025-2595 and potential scanning activity leading up to exploitation. These assume you are ingesting firewall, proxy, or Zeek/Bro logs into your SIEM.

YAML
---
title: Potential ABB AC500 V3 Forced Browsing Activity
id: 8a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects potential forced browsing or directory traversal attempts against ABB AC500 V3 web interfaces, indicative of CVE-2025-2595 exploitation attempts.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-03
author: Security Arsenal
date: 2025/02/20
tags:
  - attack.initial_access
  - attack.t1190
  - ics.t0878
logsource:
  category: webserver
  product: http
detection:
  selection:
    c-uri|contains:
      - '/vis'
      - '/webvis'
    sc-status:
      - 200
      - 301
      - 302
  filter_legit:
    cs-useragent|contains:
      - 'ABB'
      - 'Engineering'
  condition: selection and not filter_legit
falsepositives:
  - Legitimate engineering access from authorized workstations
level: high
---
title: ICS Anomaly - High Volume Web Requests to PLC Subnet
id: 9b3c4d5e-6f7a-8b9c-0d1e-2f3a4b5c6d7e
status: experimental
description: Detects a surge in HTTP requests to known ICS subnets which could indicate a DoS attempt (CVE-2025-41691) or scanning.
references:
  - https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-03
author: Security Arsenal
date: 2025/02/20
tags:
  - attack.impact
  - attack.t0814
logsource:
  category: firewall
  product: paloalto
detection:
  selection:
    dest_ip|cidr:
      - '10.0.0.0/8' # Adjust to match your specific OT ICS subnets
      - '192.168.100.0/24'
    dest_port:
      - 80
      - 443
      - 8080
  timeframe: 1m
  condition: selection | count() > 100
falsepositives:
  - Heavy polling by legitimate HMI or SCADA systems
level: medium
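To make the matching logic of the two rules above concrete, the following Python, an added illustration that is not part of the original post or of the Security Arsenal rule set, applies the same selection, filter and one-minute count threshold to constructed log records. Field names, addresses and user agents are assumptions, not captured traffic.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed web-server records (field names assumed), not captured traffic.
WEB_LOGS = [
    {"ts": "2026-05-14T10:00:01", "src": "192.168.1.50", "uri": "/webvis/index.html",
     "status": 200, "ua": "ABB Automation Builder"},
    {"ts": "2026-05-14T10:00:05", "src": "10.9.9.9", "uri": "/webvis/visu.htm",
     "status": 200, "ua": "python-requests/2.31"},
    {"ts": "2026-05-14T10:00:06", "src": "10.9.9.9", "uri": "/vis/export.xml",
     "status": 302, "ua": "curl/8.0"},
    {"ts": "2026-05-14T10:00:07", "src": "10.9.9.9", "uri": "/vis/missing",
     "status": 404, "ua": "curl/8.0"},
    {"ts": "2026-05-14T10:00:08", "src": "192.168.1.60", "uri": "/status",
     "status": 200, "ua": "Mozilla/5.0"},
]
# Constructed firewall records: 130 hits in one minute to a PLC on 8080 from one
# host, then five normal HMI polls in the following minute.
FW_LOGS = [{"ts": f"2026-05-14T10:05:{i % 60:02d}", "src_ip": "10.9.9.9",
            "dst_ip": "192.168.100.20", "dst_port": 8080} for i in range(130)]
FW_LOGS += [{"ts": f"2026-05-14T10:06:{i:02d}", "src_ip": "192.168.100.5",
             "dst_ip": "192.168.100.20", "dst_port": 443} for i in range(5)]

VIS_PATHS = ("/vis", "/webvis")          # c-uri|contains
SUCCESS_STATUS = {200, 301, 302}         # sc-status
LEGIT_UA = ("ABB", "Engineering")        # filter_legit (cs-useragent|contains)
OT_SUBNETS = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]
WEB_PORTS = {80, 443, 8080}

def forced_browsing_hits(records):
    """Rule 1: 'selection and not filter_legit' over web-server records."""
    return [
        r for r in records
        if any(p in r["uri"] for p in VIS_PATHS)
        and r["status"] in SUCCESS_STATUS
        and not any(tag in r["ua"] for tag in LEGIT_UA)
    ]

def web_request_surge(records, threshold=100):
    """Rule 2: count OT web-port events per 1-minute bucket; report buckets
    whose count exceeds the threshold (the rule's 'count() > 100' over 1m)."""
    per_minute = Counter()
    for r in records:
        if r["dst_port"] in WEB_PORTS and any(
                ip_address(r["dst_ip"]) in net for net in OT_SUBNETS):
            per_minute[r["ts"][:16]] += 1    # key: YYYY-MM-DDTHH:MM
    return {minute: n for minute, n in per_minute.items() if n > threshold}
```

Only the two visualization requests from the non-engineering user agent survive the first rule, and only the flooded minute crosses the second rule's threshold.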

KQL (Microsoft Sentinel)

This KQL query is designed to hunt for suspicious web access to ABB devices. It looks for successful HTTP connections to your OT environment from sources outside the expected engineering workstation subnets.

KQL — Microsoft Sentinel / Defender
let OT_Subnets = dynamic(["192.168.100.0/24", "10.20.30.0/24"]); // Define your PLC subnets
let Engineering_Workstations = dynamic(["192.168.1.50", "192.168.1.51"]); // Define authorized EWS IPs
// DeviceNetworkEvents is endpoint telemetry: the reporting device is the source,
// so its columns are LocalIP/RemoteIP/RemotePort rather than Source*/Destination*.
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemotePort in (80, 443, 8080)
| where ipv4_is_in_any_range(RemoteIP, OT_Subnets)   // accepts a list of CIDR ranges
| where LocalIP !in (Engineering_Workstations)
| project Timestamp, DeviceName, LocalIP, RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp desc

Velociraptor VQL

Use this VQL artifact on your Windows Engineering Workstations. While the vulnerability resides on the PLC, the initial attack often pivots through the engineer's laptop. This hunts for processes establishing unusual connections to standard web ports on the local network segment.

VQL — Velociraptor
-- Hunt for processes connecting to PLCs on web ports (Possible Exploit/Recon)
-- netstat() only reports sockets, so each connection is enriched from pslist()
SELECT * FROM foreach(
  row={
    SELECT Timestamp, Pid, Status,
           Raddr.IP AS RemoteAddress,
           Raddr.Port AS RemotePort
    FROM netstat()
    WHERE Raddr.Port IN (80, 443, 8080)
      AND NOT (Raddr.IP IN ('127.0.0.1', '::1'))
      AND Raddr.IP =~ '^192\\.168\\.100\\.'  -- Adjust to match your OT network prefix
  },
  query={
    SELECT Timestamp, Pid, Name, CommandLine, Exe, Username, RemoteAddress, RemotePort
    FROM pslist(pid=Pid)
    WHERE NOT (Name IN ('chrome.exe', 'firefox.exe', 'msedge.exe', 'iexplore.exe'))
  })

Remediation Script (PowerShell)

This script is intended for the Security Administrator to run from a management workstation. It performs a network sweep to identify AC500 V3 devices reachable on the network and outputs a CSV report. This allows you to verify which assets exist and confirm their firmware versions against the patch requirements manually or via the ABB Automation Builder software.

PowerShell
# AC500 V3 Discovery Script
# Requires ICMP and basic TCP connectivity to the PLC range.

$Subnet = "192.168.100" # Modify to match your OT environment
$OutputFile = "C:\Temp\ABB_AC500_Scan_Results.csv"

$Results = @()

Write-Host "Scanning Subnet $Subnet.0/24 for ABB AC500 devices..." -ForegroundColor Cyan

1..254 | ForEach-Object {
    $IP = "$Subnet.$_"
    # Ping check
    if (Test-Connection -ComputerName $IP -Count 1 -Quiet) {
        # Check for typical Web/Management ports (ABB often exposes WebVis on 80/443)
        $Port80 = Test-NetConnection -ComputerName $IP -Port 80 -WarningAction SilentlyContinue -InformationLevel Quiet
        $Port443 = Test-NetConnection -ComputerName $IP -Port 443 -WarningAction SilentlyContinue -InformationLevel Quiet
        
        if ($Port80 -or $Port443) {
            Write-Host "[+] Potential ABB Device found at: $IP (Ports 80/443 Open)" -ForegroundColor Yellow
            $Results += [PSCustomObject]@{
                IPAddress      = $IP
                WebPort80Open  = $Port80
                WebPort443Open = $Port443
                Status         = "REQUIRES FIRMWARE CHECK"
                Advisory       = "Affected if Version <= 3.9.0"
            }
        }
    }
}

if ($Results.Count -gt 0) {
    # Export-Csv fails if the output directory is missing, so create it first
    $OutDir = Split-Path -Path $OutputFile -Parent
    if (-not (Test-Path -Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $Results | Export-Csv -Path $OutputFile -NoTypeInformation
    Write-Host "Scan complete. Results saved to $OutputFile" -ForegroundColor Green
    Write-Host "ACTION REQUIRED: Review firmware versions via Automation Builder for IPs listed above." -ForegroundColor Red
} else {
    Write-Host "No ABB-like devices found on specified subnet." -ForegroundColor Green
}

Remediation

  1. Patch Immediately: ABB has released updates to resolve these vulnerabilities. Upgrade all affected ABB AC500 V3 PLCs to a firmware version strictly greater than 3.9.0. Consult the official ABB advisory or your regional support representative for the specific release file.

  2. Network Segmentation (Defense in Depth):

    • Ensure that the web visualization interfaces (ports 80/443 TCP) are not accessible from the corporate IT network or the internet.
    • Restrict access to these ports strictly to the IP addresses of the authorized Engineering Workstations (EWS) using firewall rules or ACLs on managed switches.

  3. Verify Configuration: After patching, verify that the "User Management" settings are reset to secure defaults, as exploitation may have altered permissions prior to the update.

  4. CISA Deadline: As these devices fall under Critical Infrastructure sectors, review CISA directives (such as Known Exploited Vulnerabilities Catalog) for specific binding operational instruction (BOI) deadlines regarding patching.

Official Vendor Advisory:
