Low Voltage DC Drives and Power Controllers CODESYS RTS Vulnerabilities
Plan Patch | 8.8 | 9akk108470a9494 | Mar 26, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
CODESYS Runtime System vulnerabilities in ABB LV DC drives and power controllers (DCS880 and DCT880 series) cause memory corruption and out-of-bounds memory access. These issues could allow attackers to trigger denial-of-service conditions or execute arbitrary code over fieldbus interfaces. Exploitation requires an IEC 61131-3 license present on the memory unit.
What this means
What could happen
An attacker with fieldbus network access could crash DC drives or power controllers, halting equipment operation, or execute code to alter process commands and control parameters. This directly impacts power distribution and drive operation in industrial DC systems.
Who's at risk
Operators of ABB DCS880 and DCT880 series low-voltage DC drives and power controllers in power distribution, manufacturing, and industrial motor control applications are affected. Any facility using these drives with the ABB Drive Application Builder, DEMag, DCC, or Power Optimizer features is at risk.
How it could be exploited
An attacker reaches the fieldbus network (e.g., PROFIBUS, CANopen, or EtherCAT depending on drive model) and sends specially crafted IEC 61131-3 commands that trigger memory corruption in the CODESYS Runtime System. If an IEC 61131-3 license is installed on the target drive's memory unit, the malformed commands cause out-of-bounds memory writes, leading to code execution or crash.
Prerequisites
- Fieldbus network access to the DC drive or power controller (e.g., PROFIBUS, CANopen, EtherCAT)
- IEC 61131-3 programming license must be installed on the target memory unit
remotely exploitable | no patch available | affects industrial process equipment | requires fieldbus network access but not authentication | low complexity if attacker reaches fieldbus
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (5)
5 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| DCS880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3) | All versions | No fix (EOL) |
| DCS880 memory unit incl. DEMag | All versions | No fix (EOL) |
| DCS880 memory unit incl. DCC | All versions | No fix (EOL) |
| DCT880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3) | All versions | No fix (EOL) |
| DCT880 memory unit incl. Power Optimizer | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
DCS880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3)
- HARDENING: Disable IEC 61131-3 programming capabilities on memory units if not required for operations
All products
- WORKAROUND: Contact ABB support to determine if a workaround or firmware update is available for your specific DCS880 or DCT880 model and application
- HARDENING: Restrict fieldbus network access to DC drives and power controllers using industrial switches or firewalls; allow only authorized engineering workstations to communicate with these devices
Mitigations - no patch available
The following products have reached End of Life with no planned fix: DCS880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3), DCS880 memory unit incl. DEMag, DCS880 memory unit incl. DCC, DCT880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3), DCT880 memory unit incl. Power Optimizer. Apply the following compensating controls:
- HARDENING: Segment DC drive fieldbus networks from other plant networks to limit lateral movement if a drive is compromised
- HARDENING: Monitor fieldbus traffic for unusual command patterns or unauthorized configuration attempts
CVEs (15)