ALS-mini-S4/S8 IP Missing Authentication Vulnerability and its Mitigations
Act Now | 104TZ00000006007 | Oct 20, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
ABB ALS-mini-S4 IP and ALS-mini-S8 IP controllers contain a missing authentication vulnerability (CWE-306) that allows remote attackers to corrupt heap memory and achieve remote code execution without credentials. Successful exploitation enables the attacker to rewrite device firmware and alter operational behavior. No vendor patch is currently available for any version of these products.
What this means
What could happen
An attacker with network access to the device could remotely execute code on the ALS-mini controller, potentially altering firmware behavior and taking control of automated load-shedding or demand-response operations in your electrical distribution network.
Who's at risk
Electric utilities and distribution automation operators relying on ABB ALS-mini-S4 or ALS-mini-S8 IP network controllers for automated load shedding, demand response, or voltage management. Anyone with these devices exposed to untrusted networks or with weak network boundaries is at risk.
How it could be exploited
An attacker sends a specially crafted network packet to an unauthenticated interface on the ALS-mini device. The packet corrupts heap memory in the device, allowing the attacker to achieve remote code execution and rewrite the device firmware to alter its behavior or disable protections.
Prerequisites
- Network-level access to the ALS-mini device on TCP/IP (port not specified in advisory)
- No credentials required
Remotely exploitable; No authentication required; Low complexity attack; No patch available; CVSS 10.0 (critical); Affects operational control systems; Firmware modification capability
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| ALS-mini-s4 IP All Versions | All versions | No fix (EOL) |
| ALS-mini-s8 IP All Versions | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation and firewall rules to restrict inbound access to ALS-mini-S4/S8 devices to only authorized engineering and control network segments
WORKAROUND: Disable or restrict remote management interfaces on the ALS-mini devices if not actively required for operations
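One way to verify the segmentation control above, as an added example (not from ABB or the advisory): a script that audits firewall flow records for traffic reaching the controllers from outside the authorized segments. The addresses, subnet, log format and ports are constructed assumptions; the check ignores the port because the advisory does not specify one.

```python
import ipaddress

# Assumed site inventory (documentation-range addresses, not from the advisory).
CONTROLLERS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
ALLOWED_SEGMENTS = [ipaddress.ip_network("198.51.100.0/28")]  # engineering segment

# Constructed flow records: "timestamp src dst dport action"
SAMPLE_FLOWS = """\
2025-10-21T08:00:01Z 198.51.100.5 192.0.2.10 8080 ALLOW
2025-10-21T08:03:17Z 203.0.113.44 192.0.2.10 8080 ALLOW
2025-10-21T08:04:02Z 203.0.113.44 192.0.2.11 23 DENY
2025-10-21T08:05:40Z 198.51.100.20 192.0.2.11 8080 ALLOW
2025-10-21T08:06:00Z 198.51.100.5 192.0.2.50 443 ALLOW
truncated-record 192.0.2.10
"""

def parse_flow(line):
    """Parse one record; raises ValueError on a malformed line."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "action": action.upper()}

def audit_flows(text, controllers=CONTROLLERS, allowed=ALLOWED_SEGMENTS):
    """Return (line number, kind, detail) for each flow that violates the policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            flow = parse_flow(line)
        except ValueError:
            # Do not silently drop records the audit could not read.
            findings.append((lineno, "unparsable", line))
            continue
        if flow["dst"] not in controllers:
            continue  # not traffic to an ALS-mini controller
        if any(flow["src"] in net for net in allowed):
            continue  # source is inside an authorized segment
        # Any port counts: the advisory names no specific service port.
        kind = "exposed" if flow["action"] == "ALLOW" else "blocked-attempt"
        findings.append((lineno, kind,
                         f'{flow["src"]} -> {flow["dst"]}:{flow["dport"]}'))
    return findings

if __name__ == "__main__":
    for lineno, kind, detail in audit_flows(SAMPLE_FLOWS):
        print(f"line {lineno}: {kind}: {detail}")
```

An "exposed" finding means the firewall permitted a source outside the authorized segments, so the rule set needs tightening; a "blocked-attempt" finding shows the rule is working and is worth reviewing as a probe.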
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ALS-mini-s4 IP All Versions, ALS-mini-s8 IP All Versions. Apply the following compensating controls:
HARDENING: Monitor ABB security advisories regularly for a firmware patch; escalate this vulnerability with ABB support to request a fix timeline
CVEs (1)