OTPulse

AC500 V3 Multiple vulnerabilities

Plan Patch · 8.8 · 3adr011377 · Jan 7, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

AC500 V3 firmware versions below 3.8.0 contain multiple vulnerabilities allowing authenticated attackers to execute shell commands (CVE-2023-6357), read sensitive files (CVE-2024-12429), execute arbitrary commands (CVE-2024-12430), crash the PLC (CVE-2024-5000), or crash the web server (CVE-2024-8175 - unauthenticated). These vulnerabilities affect all PM5xxx controller models. The fix is available in firmware version 3.8.0, which is included in Automation Builder 2.8.0 and later.

What this means
What could happen
An attacker with engineering credentials could execute arbitrary commands on the PLC, read sensitive files, or crash the system, disrupting manufacturing automation and process control. An unauthenticated attacker could crash the PLC's web server, causing loss of remote monitoring and control.
Who's at risk
Manufacturing facilities using ABB AC500 V3 PLC controllers (PM5xxx series) should prioritize this update. Any facility relying on these controllers for process automation, motion control, or machine coordination is affected. Engineering teams and operations staff managing these systems need to plan firmware updates during maintenance windows.
How it could be exploited
An attacker on the network with valid engineering workstation credentials can authenticate to the AC500 V3 controller and call shell functions or execute arbitrary commands. Alternatively, an attacker can reach the PLC's web server over the network and send malformed requests to crash it without credentials, causing temporary loss of remote access.
Prerequisites
  • Network access to the AC500 V3 controller (typically port 502 or web interface port)
  • Valid engineering credentials for authenticated exploitation (shell execution, file read)
  • No credentials required for denial-of-service attacks against the web server
remotely exploitable · low complexity attack · authentication required for most impacts · affects manufacturing PLCs · multiple code execution pathways · web server denial-of-service does not require authentication
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (1)
Product: AC500 V3 products (PM5xxx) < 3.8.0
Affected Versions: <3.8.0
Fix Status: 3.8.0
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the AC500 V3 controller to authorized engineering workstations only (port 502, web interface, and any other control ports) using firewalls or network segmentation
  • HARDENING: Enforce strong, unique engineering credentials and disable default credentials on all AC500 V3 controllers
  • WORKAROUND: Disable the web server on the AC500 V3 if remote web access is not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update AC500 V3 firmware to version 3.8.0 or later using Automation Builder 2.8.0 or newer
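
An added example, not part of the original advisory or any vendor tooling: a Python triage pass that applies the advisory's fix threshold and authentication split to an asset inventory. The inventory rows, the column names, and the reading of "PM5xxx" as PM5 followed by three digits are assumptions.

```python
import csv
import io
import re

FIXED = (3, 8, 0)  # first fixed firmware version, per the advisory
AUTH_CVES = ["CVE-2023-6357", "CVE-2024-12429", "CVE-2024-12430", "CVE-2024-5000"]
UNAUTH_CVE = "CVE-2024-8175"  # web server crash, no credentials needed

# Constructed sample inventory; column names and assets are assumptions.
SAMPLE_INVENTORY = """asset,model,firmware,web_server
line1-plc,PM5630-2ETH,3.7.2,on
line2-plc,PM5650-2ETH,3.10.0,on
pack-plc,PM5012-T-ETH,3.6,off
old-plc,PM573-ETH,2.8.1,on
lab-plc,PM5670-2ETH,3.8.0-rc1,on
"""

def parse_version(text):
    """Return (major, minor, patch), or None if the string is not plain x.y[.z]."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None

def triage(inventory_csv):
    """Map asset -> (action, applicable CVEs) for PM5xxx controllers needing work."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        # Assumption: "PM5xxx" means PM5 followed by three digits.
        if not re.match(r"PM5\d{3}(\D|$)", row["model"].strip().upper()):
            continue
        version = parse_version(row["firmware"])
        if version is None:
            # Unparseable version string: do not guess, route to a human.
            findings[row["asset"]] = ("verify firmware manually", [])
        elif version < FIXED:  # tuple compare, so 3.10.0 is not below 3.8.0
            web_on = row["web_server"].strip().lower() == "on"
            # Assumption: the web server crash is only reachable when it is enabled.
            cves = AUTH_CVES + ([UNAUTH_CVE] if web_on else [])
            action = "update to 3.8.0" + ("; disable web server if unused" if web_on else "")
            findings[row["asset"]] = (action, cves)
    return findings

if __name__ == "__main__":
    for asset, (action, cves) in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: {action} [{', '.join(cves) or 'n/a'}]")
```

Comparing versions as integer tuples avoids the string-comparison trap where "3.10.0" sorts below "3.8.0" and a patched controller is reported as vulnerable.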
API: /api/v1/advisories/615b3197-3e4c-459e-a3b6-a563434852eb