ALS-mini-S4/S8 IP Missing Authentication Vulnerability and its Mitigations

CVSS 10 | Reference 4TZ00000006007 | Oct 20, 2025 | Vendor: ABB

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ABB ALS-mini-S4/S8 IP devices lack authentication on network services. An attacker can exploit this to achieve remote code execution and modify device firmware, taking complete control of the device.

What this means
What could happen
An attacker can remotely take control of your ALS-mini traffic signal controllers without any credentials, execute arbitrary commands, and permanently modify their firmware to maintain persistence or alter traffic signal timing.
Who's at risk
Traffic engineers and signal operations staff responsible for ALS-mini-S4 and ALS-mini-S8 adaptive signal controllers. These devices manage traffic signal timing in municipalities; compromise could disrupt traffic flow and create safety hazards at controlled intersections.
How it could be exploited
An attacker connects to the ALS-mini device over the network on an unauthenticated service port. They send specially crafted requests to trigger a memory corruption vulnerability, gaining the ability to write arbitrary code and flash new firmware to the device.
Prerequisites
  • Network access to the ALS-mini device's management/service port
  • No credentials required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS (10.0), no patch available, affects public safety systems
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2, both EOL)

Product           Affected Versions   Fix Status
ALS-mini-s4 IP    All versions        No fix (EOL)
ALS-mini-s8 IP    All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to ALS-mini-S4/S8 management ports using firewall rules; allow only authorized engineering workstations and administrative networks.
HARDENING: Isolate ALS-mini devices on a separate network segment or VLAN if possible; prevent direct access from untrusted networks or the internet.
WORKAROUND: Disable or restrict remote management access to ALS-mini devices if not actively required for operations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor for unauthorized configuration changes and firmware modifications on ALS-mini devices; establish a baseline of known-good firmware versions and audit logs.
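The two controls above that an operator can automate are the management-port allow-list and the known-good firmware baseline. The following Python script is an added example (not ABB's code and not part of this advisory) that does both audits over constructed data: it compares each controller's reported firmware version and image hash against a baseline, and it reviews firewall log lines for traffic to the management port from outside the allowed engineering network. The inventory fields, the log format, the port number 9999, the IP ranges and the firmware version strings are all placeholders; substitute the real ALS-mini service ports, workstation ranges and vendor-supplied image hashes.

```python
"""Baseline-and-access audit for ALS-mini-style controllers.

Added example (not ABB's code and not from the advisory). It assumes an
operator can (a) read back each controller's firmware image and version into
an inventory and (b) collect logs from the firewall in front of the
management ports. Field names, ports, IP ranges and firmware versions below
are constructed placeholders.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Known-good baseline: model -> {version: sha256 of the image obtained from
# the vendor at commissioning time}. Versions and image bytes are placeholders.
KNOWN_GOOD_FIRMWARE = {
    "ALS-mini-S4 IP": {"PLACEHOLDER-1.0": sha256_hex(b"constructed S4 image 1.0")},
    "ALS-mini-S8 IP": {"PLACEHOLDER-1.0": sha256_hex(b"constructed S8 image 1.0")},
}

# Constructed inventory as read back from three controllers. int-02 reports a
# baselined version but its image hash differs (modified or unexpected build);
# int-03 reports a version that was never baselined.
INVENTORY = [
    {"id": "int-01", "model": "ALS-mini-S4 IP", "version": "PLACEHOLDER-1.0",
     "image_sha256": sha256_hex(b"constructed S4 image 1.0")},
    {"id": "int-02", "model": "ALS-mini-S8 IP", "version": "PLACEHOLDER-1.0",
     "image_sha256": sha256_hex(b"constructed S8 image 1.0 plus extra bytes")},
    {"id": "int-03", "model": "ALS-mini-S4 IP", "version": "PLACEHOLDER-9.9",
     "image_sha256": sha256_hex(b"constructed unknown build")},
]

# Placeholder management port and allowed engineering network (not from the
# advisory; substitute the real service ports and workstation ranges).
MANAGEMENT_PORTS = {9999}
ALLOWED_SOURCES = [ipaddress.ip_network("10.1.5.0/24")]

# Constructed firewall log lines in a made-up key=value format.
FIREWALL_LOG = """\
2025-10-20T10:00:01Z src=10.1.5.7 dst=10.20.0.11 dport=9999 action=ACCEPT
2025-10-20T10:03:12Z src=192.0.2.44 dst=10.20.0.11 dport=9999 action=ACCEPT
2025-10-20T10:04:00Z src=192.0.2.45 dst=10.20.0.12 dport=9999 action=DROP
2025-10-20T10:05:30Z src=10.1.5.7 dst=10.20.0.12 dport=80 action=ACCEPT
"""

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")


@dataclass(frozen=True)
class Finding:
    device: str  # controller id (firmware audit) or destination address (access audit)
    reason: str


def audit_firmware(inventory, baseline=KNOWN_GOOD_FIRMWARE):
    """Flag controllers whose version is not baselined or whose image hash drifted."""
    findings = []
    for dev in inventory:
        expected = baseline.get(dev["model"], {}).get(dev["version"])
        if expected is None:
            findings.append(Finding(dev["id"], f"firmware version {dev['version']} not in baseline"))
        elif expected != dev["image_sha256"]:
            findings.append(Finding(dev["id"], "image hash differs from known-good baseline"))
    return findings


def audit_management_access(log_text, allowed=ALLOWED_SOURCES, ports=MANAGEMENT_PORTS):
    """Flag traffic to management ports from outside the allowed networks.

    Accepted connections are the urgent case (the allow-list failed); dropped
    ones are still reported so that blocked probing shows up in the audit trail.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # line in another format; a real parser would log and skip
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if dport not in ports:
            continue
        if any(ipaddress.ip_address(src) in net for net in allowed):
            continue
        if action == "ACCEPT":
            findings.append(Finding(dst, f"management port {dport} reached from unauthorized source {src}"))
        else:
            findings.append(Finding(dst, f"blocked attempt on port {dport} from {src}"))
    return findings


if __name__ == "__main__":
    for f in audit_firmware(INVENTORY) + audit_management_access(FIREWALL_LOG):
        print(f"{f.device}: {f.reason}")
```

Run on the constructed data, the firmware audit reports int-02 (hash drift) and int-03 (unknown version), and the access audit reports one accepted and one blocked connection from outside the engineering network. Hashing the image read back from the device, rather than trusting only the version string it reports, is what catches a modified image that still claims a known version.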
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ALS-mini-s4 IP All Versions, ALS-mini-s8 IP All Versions. Apply the following compensating controls:
HARDENING: Contact ABB to assess whether a firmware update or replacement may become available, and request guidance on long-term mitigation options.