OTPulse

ABB AC500 PLC Webserver CoDeSys Vulnerability

Act Now · ICS-CERT ICSA-12-320-01 · Aug 19, 2012
Summary

The ABB AC500 PLC webserver, which is based on CODESYS, contains a stack-based buffer overflow vulnerability (CWE-121). Firmware V2.1.3 is affected on multiple PM-series Ethernet modules for AC500 programmable logic controllers. No patch is currently available from the vendor.

What this means
What could happen
An attacker with network access to the PLC webserver could trigger a buffer overflow and execute arbitrary code on the PLC, potentially stopping production, corrupting control logic, or enabling unauthorized process modifications.
Who's at risk
Manufacturing operations using ABB AC500 PLCs with PM-series Ethernet modules (PM573-ETH, PM583-ETH, PM590-ETH, PM591-ETH, PM592-ETH, PM554-T-ETH, PM564-T-ETH, PM564-R-ETH, PM564-R-ETH-AC) running firmware V2.1.3. This includes discrete manufacturing, process control, packaging lines, and industrial automation systems relying on these controllers.
How it could be exploited
An attacker sends a specially crafted HTTP request to the webserver running on the PLC's Ethernet port (typically port 80 or 443). The malicious input overflows a stack buffer in the CODESYS runtime, allowing code injection. The attacker gains command execution with PLC privileges.
Prerequisites
  • Network access to the PLC's Ethernet port (port 80/443 or other HTTP service port)
  • The PLC webserver module must be active and accessible from the attacker's network segment
remotely exploitable · no authentication required · high EPSS score (81.9%) · no patch available · affects safety-critical systems (PLC controls)
Exploitability
High exploit probability (EPSS 81.9%)
Affected products (9), all EOL

Product | Affected Versions | Fix Status
1SAP130 300 R0271 PM573-ETH | firmware V2.1.3 | No fix (EOL)
1SAP140 300 R0271 PM583-ETH | firmware V2.1.3 | No fix (EOL)
1SAP150 000 R0271 PM590-ETH | firmware V2.1.3 | No fix (EOL)
1SAP150 100 R0271 PM591-ETH | firmware V2.1.3 | No fix (EOL)
1SAP150 200 R0271 PM592-ETH | firmware V2.1.3 | No fix (EOL)
1TNE968 900 R0110 PM554-T-ETH | firmware V2.1.3 | No fix (EOL)
1TNE968 900 R1110 PM564-T-ETH | firmware V2.1.3 | No fix (EOL)
1TNE968 900 R1210 PM564-R-ETH | firmware V2.1.3 | No fix (EOL)
1TNE968 900 R1211 PM564-R-ETH-AC | firmware V2.1.3 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Segment the PLC network from untrusted networks using firewalls or air-gapping. Restrict HTTP/HTTPS access to the webserver port to only authorized engineering workstations.
WORKAROUND: Disable the CODESYS webserver module if not actively used for remote monitoring or diagnostics.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor network traffic to the PLC for suspicious HTTP requests or buffer-overflow payloads. Alert on unexpected connections to the webserver port.
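The monitoring control above can be turned into a concrete detection rule. The following is an added example, not OTPulse's or ABB's code; it assumes a constructed request-log format, a PLC at 10.0.5.20, the webserver ports named in this advisory, and a single authorized engineering workstation at 10.0.1.15, and it flags requests to the PLC webserver from unexpected hosts or carrying oversized or non-printable request data.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Assumed environment (constructed for this example): one AC500 PLC address,
# the webserver ports named in the advisory, and one authorized workstation.
PLC_HOSTS = {"10.0.5.20"}
WEB_PORTS = {80, 443}
ALLOWED_CLIENTS = {"10.0.1.15"}
MAX_REQUEST_LINE = 512    # diagnostic URIs on a PLC are short; longer is suspect
MAX_HEADER_BYTES = 2048   # same reasoning for the total header block

# Constructed log format: src:sport -> dst:dport "request-line" hdrlen=N
LOG_RE = re.compile(
    r'^(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) '
    r'"(?P<req>[^"]*)" hdrlen=(?P<hdr>\d+)$'
)

@dataclass(frozen=True)
class Alert:
    src: str
    reason: str

def check_line(line: str) -> Optional[Alert]:
    """Return an Alert if the log line is a suspicious request to the PLC webserver."""
    m = LOG_RE.match(line)
    if not m or m["dst"] not in PLC_HOSTS or int(m["dport"]) not in WEB_PORTS:
        return None  # malformed line or not traffic to the PLC webserver
    src, req, hdr = m["src"], m["req"], int(m["hdr"])
    if src not in ALLOWED_CLIENTS:
        return Alert(src, "webserver access from non-authorized host")
    if len(req) > MAX_REQUEST_LINE or hdr > MAX_HEADER_BYTES:
        return Alert(src, f"oversized request (line={len(req)}, headers={hdr})")
    if "\\x" in req or not req.isprintable():
        return Alert(src, "non-printable bytes in request line")
    return None

def scan(lines: Iterable[str]) -> List[Alert]:
    """Run check_line over a log and collect the alerts, in log order."""
    return [a for a in (check_line(line) for line in lines) if a]

# Constructed sample log: one benign request, one from an unknown host, one
# oversized URI, one with escaped binary bytes, and one to a non-PLC host.
SAMPLE_LOG = [
    '10.0.1.15:50111 -> 10.0.5.20:80 "GET /status.htm HTTP/1.1" hdrlen=310',
    '10.0.7.99:41002 -> 10.0.5.20:80 "GET /status.htm HTTP/1.1" hdrlen=300',
    '10.0.1.15:50112 -> 10.0.5.20:80 "GET /' + "A" * 900 + ' HTTP/1.1" hdrlen=280',
    '10.0.1.15:50113 -> 10.0.5.20:443 "GET /\\x90\\x90\\xcc HTTP/1.1" hdrlen=260',
    '10.0.1.15:50114 -> 10.0.9.3:80 "GET /' + "B" * 900 + ' HTTP/1.1" hdrlen=200',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

In production the thresholds should be calibrated against a baseline of the engineering tool's real requests, and the allowlist kept in step with the firewall rules from the segmentation control.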
Mitigations - no patch available
The following products have reached End of Life with no planned fix: 1SAP130 300 R0271 PM573-ETH (firmware V2.1.3), 1SAP140 300 R0271 PM583-ETH (firmware V2.1.3), 1SAP150 000 R0271 PM590-ETH (firmware V2.1.3), 1SAP150 100 R0271 PM591-ETH (firmware V2.1.3), 1SAP150 200 R0271 PM592-ETH (firmware V2.1.3), 1TNE968 900 R0110 PM554-T-ETH (firmware V2.1.3), 1TNE968 900 R1110 PM564-T-ETH (firmware V2.1.3), 1TNE968 900 R1210 PM564-R-ETH (firmware V2.1.3), 1TNE968 900 R1211 PM564-R-ETH-AC (firmware V2.1.3). Apply the following compensating controls:
HARDENING: Evaluate migration to newer ABB AC500 firmware or PLC models with available security patches when design and maintenance windows permit.