AC500 V3 Stack buffer overflow in Cryptographic Message Syntax

Act Now | CVSS 9.8 | Advisory 3adr011536 | Mar 12, 2026
Vendor: ABB
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ABB AC500 V3 programmable logic controllers contain a stack buffer overflow vulnerability in Cryptographic Message Syntax (CMS) message processing. An attacker with network access can send a specially crafted CMS message to trigger the overflow, causing a denial-of-service condition or potentially remote code execution on the controller. Affected versions include AC500 V3 PM5xxx firmware version 3.9.0 and earlier.

What this means
What could happen
An attacker could exploit a stack buffer overflow in AC500 V3 firmware to crash the programmable logic controller, causing a denial-of-service condition that interrupts process control and automation. In the worst case, the attacker could achieve remote code execution and directly manipulate industrial processes.
Who's at risk
AC500 V3 programmable logic controllers (PLCs) used in municipal and industrial automation systems for process control. This affects water treatment plants, power distribution automation, and any facility using ABB AC500 V3 controllers for critical process control or safety functions.
How it could be exploited
An attacker with network access to the AC500 V3 controller can send a specially crafted message that triggers a stack buffer overflow in the Cryptographic Message Syntax (CMS) processing code. No authentication is required. If the overflow is exploited successfully, the attacker can corrupt the stack and execute arbitrary code on the PLC, potentially altering process setpoints, disabling safety interlocks, or halting operations entirely. Even a failed exploitation attempt can crash the controller, which is the denial-of-service outcome.
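The bug class described above, as an added illustrative example that is not ABB's firmware code and not the actual vulnerable parser (the advisory gives no details of the real CMS implementation): CMS messages are DER-encoded, so the classic shape of this defect is a length field taken from the message and trusted as the copy size into a fixed-size stack buffer. The block shows a minimal DER length decoder, the trusting copy beside a bounds-checked one, and constructed messages (a benign octet string, a long-form length of 256 aimed at a 64-byte buffer, and a truncated message). The tag, buffer size and sample bytes are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VALUE_BUF 64            /* assumed fixed-size stack buffer */
#define TAG_OCTET_STRING 0x04   /* DER OCTET STRING tag */

/* Decode a DER length field from p[0..n). Returns the number of header
 * bytes consumed (>0) and writes the decoded length to *len, or returns 0
 * if the length field itself is malformed or truncated. */
static size_t der_read_length(const uint8_t *p, size_t n, size_t *len) {
    if (n < 1) return 0;
    uint8_t b = p[0];
    if (b < 0x80) { *len = b; return 1; }            /* short form: 0..127 */
    size_t nbytes = b & 0x7f;                        /* long form: count of length bytes */
    if (nbytes == 0 || nbytes > sizeof(size_t) || n < 1 + nbytes) return 0;
    size_t v = 0;
    for (size_t i = 0; i < nbytes; i++) v = (v << 8) | p[1 + i];
    *len = v;
    return 1 + nbytes;
}

/* VULNERABLE PATTERN (illustrative only): the attacker-controlled length is
 * used directly as the memcpy size into a 64-byte stack buffer. A length
 * larger than the buffer smashes the stack frame. Never call this with
 * untrusted input; it is here only to show the shape of the defect. */
static int parse_octet_string_unsafe(const uint8_t *msg, size_t n) {
    uint8_t value[VALUE_BUF];
    size_t len, hdr;
    if (n < 2 || msg[0] != TAG_OCTET_STRING) return -1;
    hdr = der_read_length(msg + 1, n - 1, &len);
    if (hdr == 0) return -1;
    memcpy(value, msg + 1 + hdr, len);   /* len unchecked against sizeof(value) */
    (void)value;
    return (int)len;
}

/* HARDENED VERSION: the value must fit the destination and must actually be
 * present in the received message (no over-read past the end of the data).
 * Returns the value length on success, -1 on any rejected message. */
static int parse_octet_string_safe(const uint8_t *msg, size_t n,
                                   uint8_t *out, size_t out_cap) {
    size_t len, hdr;
    if (n < 2 || msg[0] != TAG_OCTET_STRING) return -1;
    hdr = der_read_length(msg + 1, n - 1, &len);
    if (hdr == 0) return -1;
    if (len > out_cap) return -1;        /* would overflow the destination */
    if (len > n - 1 - hdr) return -1;    /* claims more bytes than were received */
    memcpy(out, msg + 1 + hdr, len);
    return (int)len;
}

/* Constructed sample messages (not captured traffic). */
static const uint8_t BENIGN[]    = { 0x04, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Long-form length 0x82 0x01 0x00 = 256 bytes, far beyond the 64-byte buffer. */
static const uint8_t OVERSIZED[] = { 0x04, 0x82, 0x01, 0x00, 0x41, 0x41, 0x41, 0x41 };
/* Short-form length claims 16 bytes but only 2 follow. */
static const uint8_t TRUNCATED[] = { 0x04, 0x10, 0x41, 0x41 };

int main(void) {
    uint8_t out[VALUE_BUF];
    printf("benign    -> %d\n", parse_octet_string_safe(BENIGN, sizeof BENIGN, out, sizeof out));
    printf("oversized -> %d\n", parse_octet_string_safe(OVERSIZED, sizeof OVERSIZED, out, sizeof out));
    printf("truncated -> %d\n", parse_octet_string_safe(TRUNCATED, sizeof TRUNCATED, out, sizeof out));
    return 0;
}
```

The two checks in the hardened version are independent: the first stops the stack write from exceeding the buffer, the second stops the copy from reading past the end of the datagram that was actually received. Dropping either one leaves a memory-safety bug, and a parser that applies only the first is still a crash vector.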
Prerequisites
  • Network access to the AC500 V3 controller on the port used for CMS communications
  • No credentials or prior authentication required
Tags:
  • remotely exploitable
  • no authentication required
  • low complexity
  • high CVSS score (9.8)
  • potential remote code execution
  • affects safety-critical automation systems
Exploitability
Likely to be exploited — EPSS score 48.7%
Public Proof-of-Concept (PoC) on GitHub (4 repositories)
Affected products (1)
Product            | Affected Versions  | Fix Status
AC500 V3 PM5xxx    | 3.9.0 and earlier  | 3.9.0 HF1
Remediation & Mitigation
Do now
HARDENING: Restrict network access to AC500 V3 controllers to only authorized engineering workstations and control systems; block direct internet-facing access.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update AC500 V3 firmware to version 3.9.0 HF1 or later from the ABB library.
Long-term hardening
HARDENING: Implement network segmentation to isolate AC500 V3 controllers on a dedicated industrial network with strict ingress/egress rules.