ABB Low Voltage DC Drives and Power Controllers CODESYS RTS
Plan Patch | 8.8 | ICS-CERT ICSA-25-093-04 | Apr 3, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
ABB DCS880 and DCT880 memory units with CODESYS runtime contain buffer overflow and input validation vulnerabilities (CWE-20, CWE-787, CWE-119) in fieldbus communication handling. Successful exploitation allows attackers to trigger denial-of-service conditions or execute arbitrary code on the drive or power controller via the fieldbus interface. No patches are available from ABB for any affected product versions.
What this means
What could happen
An attacker with network access to the fieldbus interfaces on an ABB drive or power controller could cause the device to stop responding (denial of service) or inject malicious commands that alter drive behavior or process control parameters.
Who's at risk
Energy utilities and manufacturing plants using ABB DCS880 or DCT880 low-voltage DC drives and power controllers with CODESYS runtime systems are affected. This includes facilities using these drives with ABB Drive Application Builder, DEMag, DCC, or Power Optimizer software. Any plant relying on these drives for motor control, pump operation, or conveyor systems is at risk.
How it could be exploited
An attacker connects to the fieldbus network (such as CANopen or Modbus) that communicates with the ABB DC drive or power controller. They send a specially crafted message that exploits a buffer overflow or input validation flaw to either crash the device or execute arbitrary code on the memory unit, disrupting drive control.
Prerequisites
- Network connectivity to the fieldbus interface (CANopen, Modbus, or similar protocol)
- Drive or power controller must be in an exploitable configuration (specific workarounds may not be applied)
- Low privilege or unauthenticated access to fieldbus network (typical for industrial fieldbus protocols)
remotely exploitable, low complexity, no patch available, affects drive control systems, fieldbus interface exposure
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (5)
5 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| DCS880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3) | All versions | No fix (EOL) |
| DCT880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3) | All versions | No fix (EOL) |
| DCS880 memory unit incl. DEMag | All versions | No fix (EOL) |
| DCS880 memory unit incl. DCC | All versions | No fix (EOL) |
| DCT880 memory unit incl. Power Optimizer | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Apply ABB-recommended mitigations from the ABB security advisory workarounds section immediately if the drive is in an exploitable configuration
- HARDENING: Restrict network access to fieldbus interfaces; only allow authorized engineering workstations and control systems to connect
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Monitor fieldbus traffic for unexpected or malformed messages that could indicate exploitation attempts
Mitigations - no patch available
The following products have reached End of Life with no planned fix: DCS880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3), DCT880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3), DCS880 memory unit incl. DEMag, DCS880 memory unit incl. DCC, DCT880 memory unit incl. Power Optimizer. Apply the following compensating controls:
- HARDENING: Isolate automation networks with DCS880/DCT880 drives behind firewalls and separate from office/general-purpose networks
- HARDENING: Implement physical access controls to prevent unauthorized personnel from connecting devices to the fieldbus network
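For the traffic-monitoring item above, a sketch of a malformed-frame check, added here as an example and not taken from ABB or the advisory. It assumes the fieldbus is carried as Modbus/TCP and that the site expects only the function codes in `ALLOWED_FCS`; the advisory does not describe the vulnerable message format, so this flags generic framing anomalies only.

```python
import struct

MBAP_LEN = 7     # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU = 253    # Modbus limit for function code plus data
# Assumption: function codes this site expects toward the drive (adjust locally).
ALLOWED_FCS = {3, 4, 6, 16}

def inspect_request(frame: bytes, allowed=ALLOWED_FCS) -> list:
    """Return anomalies found in one Modbus/TCP request; empty list means well-formed."""
    if len(frame) < MBAP_LEN + 1:
        return ["truncated frame"]
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    pdu = frame[MBAP_LEN:]
    findings = []
    if proto != 0:
        findings.append("protocol id is not 0")
    if length != len(pdu) + 1:          # length counts unit id + PDU
        findings.append("length field does not match payload")
    if len(pdu) > MAX_PDU:
        findings.append("PDU exceeds 253 bytes")
    fc = pdu[0]
    if fc not in allowed:
        findings.append(f"function code {fc} not in allow-list")
    elif fc == 16:                      # Write Multiple Registers
        if len(pdu) < 6:
            findings.append("write request too short")
        else:
            _addr, qty, count = struct.unpack(">HHB", pdu[1:6])
            if not 1 <= qty <= 123 or count != 2 * qty or len(pdu) - 6 != count:
                findings.append("write quantity/byte count inconsistent")
    return findings

def frame(pdu: bytes, length=None, proto=0) -> bytes:
    """Build a constructed test frame (transaction id 1, unit id 1)."""
    length = len(pdu) + 1 if length is None else length
    return struct.pack(">HHHB", 1, proto, length, 1) + pdu

# Constructed sample traffic, not captured from a real drive.
SAMPLES = {
    "read ok": frame(struct.pack(">BHH", 3, 0, 2)),
    "oversized": frame(struct.pack(">BHH", 3, 0, 2) + b"A" * 300, length=6),
    "bad write": frame(struct.pack(">BHHB", 16, 0, 2, 4) + b"\x00" * 10),
    "odd fc": frame(bytes([90, 0, 0])),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10} {inspect_request(raw) or 'clean'}")
```

Findings from a check like this are a triage signal for the isolated automation segment, not proof of an exploitation attempt.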
CVEs (15)