ABB ACS880 Drives Containing CODESYS RTS

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-093-03 | Apr 3, 2025
ABB | CODESYS | Manufacturing
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

ABB ACS880 variable frequency drives contain multiple vulnerabilities in the embedded CODESYS Runtime System (CWE-20, CWE-787, CWE-119). These are input validation and buffer overflow flaws in the IEC online programming interface. An authenticated attacker with network access could achieve remote code execution on the drive or cause denial of service. The Primary Control Program (AINLX, YINLX) and IGBT Supply Control Program (AISLX, ALHLX, YISLX, YLHLX) variants are patched in specified later versions. However, the Position Control Program (APCLX) and Test Bench Control Program (ATBLX) variants have no vendor fix available. Mitigation for unpatched drives includes disabling file download via parameter 196.102 bit 2 and restricting network access to the programming interface.

What this means
What could happen
An attacker with authenticated access to the ACS880 drive's IEC programming interface could execute arbitrary code or cause the drive to stop responding, potentially halting motor/drive operations in manufacturing equipment. Unpatched Position and Test Bench control variants cannot be fixed and remain at risk indefinitely.
Who's at risk
This affects manufacturing facilities using ABB ACS880 variable frequency drives (VFDs) for motor control. The primary concern is any facility that relies on ACS880 drives for continuous production motor operation, particularly where the drives control critical or safety-related machinery. Position Control and Test Bench variants cannot be patched and require permanent mitigation. Facilities in discrete manufacturing, food and beverage, pumping stations, and process automation are most at risk.
How it could be exploited
An attacker with network access to the ACS880 drive and valid engineering credentials can send malformed input to the IEC online programming communication port (enabled by default in older firmware). This triggers a buffer overflow or input validation flaw in the embedded CODESYS Runtime System, allowing code execution or denial of service without further interaction.
Prerequisites
  • Network access to the ACS880 drive's IEC programming communication port (typically port 11740)
  • Valid engineering workstation credentials or ability to authenticate to the drive
  • Older firmware versions (Primary variants < v3.47/v1.30, IGBT Supply variants < v3.43/v1.30)
  • IEC online programming communication enabled (default in affected versions)
Risk factors
  • Remotely exploitable over the network
  • Requires authentication (engineering credentials)
  • Low complexity exploitation
  • Two product variants (APCLX, ATBLX) have no patch planned and will remain vulnerable
  • Buffer overflow and input validation flaws allow arbitrary code execution
  • Default configuration enables the vulnerable IEC communication channel
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (8)
6 with fix, 2 EOL
Product | Affected Versions | Fix Status
ACS880 Primary Control Program AINLX < v3.47 | <AINLX v3.47 | >=AINLX_v3.47
ACS880 Primary Control Program YINLX < v1.30 | <YINLX v1.30 | >=AINLX_v3.47
ACS880 IGBT Supply Control Program AISLX < v3.43 | <AISLX v3.43 | >=AISLX_v3.43
ACS880 IGBT Supply Control Program ALHLX < v3.43 | <ALHLX v3.43 | >=AISLX_v3.43
ACS880 IGBT Supply Control Program YISLX < v1.30 | <YISLX v1.30 | >=AISLX_v3.43
ACS880 IGBT Supply Control Program YLHLX < v1.30 | <YLHLX v1.30 | >=AISLX_v3.43
ACS880 Position Control Program APCLX <= v1.04.0.5 | ≤ APCLX v1.04.0.5 | No fix (EOL)
ACS880 Test Bench Control Program ATBLX <= v3.44.0.0 | ≤ ATBLX v3.44.0.0 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For drives where firmware update is not immediately feasible, disable file download by setting parameter 196.102 bit 2, and disable IEC online programming communication until firmware can be applied.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update ACS880 Primary Control Program AINLX to firmware version v3.47 or later
HOTFIX: Update ACS880 Primary Control Program YINLX to firmware version v1.30 or later
HOTFIX: Update ACS880 IGBT Supply Control Program AISLX to firmware version v3.43 or later
HOTFIX: Update ACS880 IGBT Supply Control Program ALHLX to firmware version v3.43 or later
HOTFIX: Update ACS880 IGBT Supply Control Program YISLX to firmware version v1.30 or later
HOTFIX: Update ACS880 IGBT Supply Control Program YLHLX to firmware version v1.30 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ACS880 Position Control Program APCLX <= v1.04.0.5, ACS880 Test Bench Control Program ATBLX <= v3.44.0.0. Apply the following compensating controls:
HARDENING: Restrict network access to the ACS880 drive's IEC programming port to only authorized engineering workstations on your automation network.
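
Added example (not part of the advisory or any ABB tooling): a triage pass over a drive inventory that sorts each ACS880 into update, permanent mitigation, or manual review using the fixed versions from the remediation list above. It assumes firmware versions are dot-separated numeric fields compared numerically; the hostnames and installed versions are constructed sample data.

```python
import re

# Minimum fixed firmware per control-program variant, taken from the
# advisory's remediation list. None = the advisory lists no fix (EOL).
FIXED_IN = {"AINLX": "3.47", "YINLX": "1.30", "AISLX": "3.43", "ALHLX": "3.43",
            "YISLX": "1.30", "YLHLX": "1.30", "APCLX": None, "ATBLX": None}
# Highest version the advisory lists as affected for the unfixed variants.
EOL_AFFECTED_UP_TO = {"APCLX": "1.04.0.5", "ATBLX": "3.44.0.0"}

def parse_version(text):
    """'v3.46.0.2' -> (3, 46, 0, 2), padded to four fields (assumed format)."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def triage(variant, version):
    """Return (status, action) for one drive."""
    variant = variant.strip().upper()
    if variant not in FIXED_IN:
        return ("REVIEW", "variant not listed in the advisory")
    try:
        have = parse_version(version)
    except ValueError as exc:
        return ("REVIEW", str(exc))
    fixed = FIXED_IN[variant]
    if fixed is None:
        if have <= parse_version(EOL_AFFECTED_UP_TO[variant]):
            return ("MITIGATE", "no fix: set 196.102 bit 2, restrict IEC programming port")
        return ("REVIEW", "version above the listed affected range")
    if have < parse_version(fixed):
        return ("UPDATE", f"update to v{fixed} or later; apply workaround until then")
    return ("OK", f"at or above v{fixed}")

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [("line1-vfd01", "AINLX", "v3.46.0.2"), ("line1-vfd02", "AINLX", "v3.47.0.0"),
             ("pump-vfd07", "YISLX", "1.29"), ("bench-vfd01", "ATBLX", "v3.44.0.0"),
             ("axis-vfd03", "APCLX", "v1.05.0.0"), ("lab-vfd09", "ZZZZZ", "v1.0")]

def triage_inventory(rows):
    """Map each hostname to its triage status."""
    return {host: triage(variant, ver)[0] for host, variant, ver in rows}

if __name__ == "__main__":
    for host, variant, ver in INVENTORY:
        print(host, variant, ver, *triage(variant, ver))
```

Drives that land in REVIEW are outside what the advisory states (unknown variant, unreadable version, or an EOL variant newer than the listed affected range) and need a manual check against the vendor's documentation.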