AC500 V3 Multiple vulnerabilities

Plan Patch | CVSS 8.3 | 3adr011524 | Feb 24, 2026
ABB
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

AC500 V3 controllers before version 3.9.0 contain three vulnerabilities: user management bypass (CVE-2025-2595) allowing unauthorized administrative access, certificate/key read/write (CVE-2025-41659) enabling credential theft or injection, and denial-of-service (CVE-2025-41691) causing loss of operational control. These vulnerabilities require low privileges (authenticated user) and low complexity to exploit over the network.

What this means
What could happen
An attacker with network access and user credentials could bypass access controls to gain administrative privileges on the controller, read or modify security certificates and encryption keys, or trigger a crash that stops industrial processes. This directly compromises the confidentiality, integrity, and availability of PLC operations.
Who's at risk
Water utilities and electric utilities operating ABB AC500 V3 programmable logic controllers for process automation, water treatment skid control, or distribution system management should update immediately. This affects any facility using AC500 V3 for pump stations, filtration, SCADA front-end applications, or other automation tasks where the PLC has network connectivity.
How it could be exploited
An attacker with a valid user account on the network can authenticate to the AC500 V3 controller and exploit the user management bypass to escalate to administrative access. With admin privileges, the attacker can read visualization files containing process logic or credentials, read/write certificates to impersonate the device, or trigger the DoS condition to halt operations.
Prerequisites
  • Valid user account credentials for AC500 V3 network access
  • Network connectivity to the AC500 V3 controller on its management port
  • AC500 V3 firmware version before 3.9.0
  • Remotely exploitable
  • Requires valid user account (low privilege bypass possible)
  • Low attack complexity
  • Affects confidentiality, integrity, and availability
  • High CVSS score (8.3)
  • Actively developed by ABB (patch available)
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (1)
Product | Affected Versions | Fix Status
AC500 V3 <3.9.0 | <3.9.0 | 3.9.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update AC500 V3 controller firmware to version 3.9.0 or later using Automation Builder 2.9.0