ABB ACS880 +N8010 Drives CODESYS RTS Vulnerabilities
Plan Patch · 8.8 · 9akk108470a9491 · Mar 26, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Multiple out-of-bounds memory vulnerabilities in the CODESYS Runtime System used by ABB ACS880 drive firmware can lead to denial-of-service or arbitrary code execution if an attacker with engineering credentials reaches the IEC online programming interface. Affected firmware versions include AINLX <3.47, YINLX <1.30, AISLX <3.43, ALHLX <3.43, YISLX <1.30, YLHLX <1.30, APCLX <=1.04.0.5, and ATBLX <=3.44.0.0. In patched versions, IEC online programming is disabled by default to prevent remote exploitation.
What this means
What could happen
An attacker with valid engineering credentials could exploit memory vulnerabilities in the CODESYS runtime to execute arbitrary code on the ACS880 drive, potentially altering motor speed setpoints, stopping the drive entirely, or causing equipment damage.
Who's at risk
Facilities operating ABB ACS880 variable frequency drives (motor control) used in pumping systems, fan drives, compressors, or conveyor systems. Specifically affects organizations using AINLX, YINLX, AISLX, ALHLX, YISLX, YLHLX, APCLX, or ATBLX firmware programs with CODESYS runtime integration.
How it could be exploited
An attacker must authenticate to the drive's IEC online programming interface (which listens on port 2455 by default) using valid CODESYS engineering credentials. Once authenticated, the attacker sends a specially crafted packet to trigger an out-of-bounds memory write, leading to arbitrary code execution or a crash.
Prerequisites
- Network access to port 2455 (CODESYS runtime programming port) on the ACS880 drive
- Valid CODESYS engineering workstation credentials or password
- IEC online programming enabled (default in older firmware)
Remotely exploitable · Requires valid credentials · Low complexity attack · Out-of-bounds memory access · Affects motor drive control systems · No fix available for APCLX and ATBLX programs
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (8)
6 with fix · 2 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| ACS880 Primary Control Program AINLX < v3.47 | AINLX < v3.47 | AINLX >=v3.47 |
| ACS880 Primary Control Program YINLX < v1.30 | YINLX < v1.30 | AINLX >=v3.47 |
| ACS880 IGBT Supply Control Program AISLX < v3.43 | AISLX < v3.43 | AISLX >= v3.43 |
| ACS880 IGBT Supply Control Program ALHLX < v3.43 | ALHLX < v3.43 | AISLX >= v3.43 |
| ACS880 IGBT Supply Control Program YISLX < v1.30 | YISLX < v1.30 | AISLX >= v3.43 |
| ACS880 IGBT Supply Control Program YLHLX < v1.30 | YLHLX < v1.30 | AISLX >= v3.43 |
| ACS880 Position Control Program APCLX <= v1.04.0.5 | APCLX ≤ v1.04.0.5 | No fix (EOL) |
| ACS880 Test Bench Control Program ATBLX <= v3.44.0.0 | ATBLX ≤ v3.44.0.0 | No fix (EOL) |
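To triage a drive inventory against the table above, the following Python script is an added example, not part of the advisory or any ABB tooling. It assumes version components compare numerically and that trailing `.0` components are insignificant; the function names and the inventory rows are constructed for illustration.

```python
import re

# Program -> (comparison, bound, fix status), copied from the table above.
# A fix of None marks the two end-of-life programs with no planned fix.
ADVISORY = {
    "AINLX": ("<", "3.47", "AINLX >=v3.47"),
    "YINLX": ("<", "1.30", "AINLX >=v3.47"),
    "AISLX": ("<", "3.43", "AISLX >= v3.43"),
    "ALHLX": ("<", "3.43", "AISLX >= v3.43"),
    "YISLX": ("<", "1.30", "AISLX >= v3.43"),
    "YLHLX": ("<", "1.30", "AISLX >= v3.43"),
    "APCLX": ("<=", "1.04.0.5", None),
    "ATBLX": ("<=", "3.44.0.0", None),
}

def parse_version(text):
    """'v3.47.0.0' -> (3, 47). Returns () when the string is not a dotted
    version. Assumption: components compare numerically, so 3.5 < 3.47."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return ()
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # 3.47.0.0 equals 3.47
        parts.pop()
    return tuple(parts)

def triage(program, version):
    """Return (status, fix) for one drive's firmware program and version."""
    rule, have = ADVISORY.get(program.upper()), parse_version(version)
    if rule is None or not have:
        return ("unknown", None)           # verify by hand, never assume safe
    op, bound, fix = rule
    limit = parse_version(bound)
    affected = have < limit if op == "<" else have <= limit
    if not affected:
        return ("not-listed", None)
    return ("patch", fix) if fix else ("eol-mitigate", None)

if __name__ == "__main__":
    # Constructed inventory rows: (drive tag, program, reported version).
    inventory = [("P-101", "AINLX", "3.46.0.0"), ("F-220", "AISLX", "v3.43"),
                 ("C-007", "APCLX", "1.04.0.5"), ("X-900", "YISLX", "n/a")]
    for tag, program, version in inventory:
        print(tag, program, version, *triage(program, version))
```

Drives reported as `eol-mitigate` or `unknown` are the ones to prioritise for the port 2455 restrictions and the IEC online programming check, since no firmware update closes the issue for them.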
Remediation & Mitigation
Do now
WORKAROUND: Disable IEC online programming communication on ACS880 drives if remote engineering access is not required
HARDENING: Restrict network access to port 2455 on ACS880 drives using firewall rules; allow only from trusted engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update ACS880 Primary Control Program firmware to AINLX version 3.47 or later
HOTFIX: Update ACS880 IGBT Supply Control Program firmware to AISLX version 3.43 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ACS880 Position Control Program APCLX <= v1.04.0.5, ACS880 Test Bench Control Program ATBLX <= v3.44.0.0. Apply the following compensating controls:
HARDENING: For Position Control and Test Bench programs with no available fix: implement strict firewall rules and disable IEC online programming if possible
CVEs (15)