OTPulse

ABB MV Drives

Plan Patch · 8.8 · ICS-CERT ICSA-25-112-04 · Apr 22, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed

Summary

ABB MV Drives contain multiple vulnerabilities in the CODESYS Runtime System that could allow an attacker with local network access or valid credentials to gain full access to the drive or cause a denial-of-service condition. The vulnerabilities are related to improper input validation and buffer overflow issues (CWE-119, CWE-20, CWE-787). Affected firmware versions are ACS5000 (LAAAB_4.03.0 through LAAAB_5.06.1), ACS6000 (LAAAA_2.10.0 through LAAAB_5.06.1), and ACS6080 (LAAAA_2.10.0 through LAAAB_5.06.1).

What this means
What could happen
An attacker with credentials or local network access could execute arbitrary commands on the drive, potentially altering motor speed setpoints, stopping production, or corrupting the drive's configuration. A successful exploit could result in complete loss of drive control and require manual intervention to restore operations.
Who's at risk
Manufacturing facilities using ABB MV Drives (ACS5000, ACS6000, ACS6080 series) for motor control in production lines, pumps, compressors, and other critical mechanical equipment. Any facility where these drives control essential processes and where unauthorized users may have local network access or could connect programming workstations.
How it could be exploited
An attacker needs valid credentials to the drive or access to the local network where the drive operates. The attacker can send malformed packets directly to the CODESYS Runtime system on the drive, or use Drive Composer or Drive Automation Builder tools to establish a connection and exploit the buffer overflow or input validation flaws to execute arbitrary code.
Prerequisites
  • Valid login credentials to the affected drive
  • Network access to the drive's management port (local network or direct connection via Drive Composer/Automation Builder)
  • CODESYS online programming feature enabled (enabled by default in affected versions)
  • Ability to send or craft malformed packets to the CODESYS communication port
  • Remotely exploitable over local network
  • Requires valid credentials or direct network access
  • Low complexity attack once network access is gained
  • Affects variable frequency drives in manufacturing environments
  • No authentication required if attacker has network access to the drive
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (3)
3 with fix
Product            Affected Versions                  Fix Status
ACS5000 Firmware   ≥ LAAAB 4.03.0 | < LAAAB 5.06.1    LAAAB_5.07
ACS6000 Firmware   ≥ LAAAA 2.10.0 | < LAAAB 5.06.1    LAAAB_5.07
ACS6080 Firmware   ≥ LAAAA 2.10.0 | < LAAAB 5.06.1    LAAAB_5.07
Remediation & Mitigation
Do now
WORKAROUND: If firmware upgrade cannot be applied immediately, disable CODESYS online IEC programming by default (bit 9 in parameter 96.102 must remain FALSE). Only enable temporarily when needed for debugging in controlled environments.
WORKAROUND: Enable file download restriction by setting bit 2 'Disable file download' to TRUE in parameter 96.102 to prevent unauthorized IEC program updates.
HARDENING: Ensure user lock pass code is securely stored and known only to authorized personnel; note that ABB cannot recover a lost pass code.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade ABB MV Drives to firmware LAAAB_5.07 or higher for all affected models (ACS5000, ACS6000, ACS6080).
Long-term hardening
HARDENING: Isolate the drive network from the corporate office network using firewalls and network segmentation; restrict access to the drive's management and CODESYS ports.
HARDENING: Prevent unauthorized connection of Drive Composer or Drive Automation Builder software to the drives by enforcing workstation security policies and physical access controls.
HARDENING: Implement network monitoring to detect unauthorized connections or malformed packet attempts to the drive.
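
An added example, not part of the advisory or of ABB's tooling: a Python audit over a constructed drive inventory that flags firmware below the fixed release and checks the two parameter 96.102 workaround bits described above. Assumptions: releases order by the numeric part of the firmware string, every version from the listed lower bound up to (not including) LAAAB_5.07 is treated as affected, 96.102 is available as an integer with bit 0 as the least significant bit, and the record field names are hypothetical.

```python
import re

# Values from the advisory: affected lower bound per model, and the fixed release.
AFFECTED_FROM = {"ACS5000": (4, 3, 0), "ACS6000": (2, 10, 0), "ACS6080": (2, 10, 0)}
FIXED = (5, 7, 0)          # LAAAB_5.07
ONLINE_PROG_BIT = 9        # 96.102 bit 9: must remain FALSE
NO_DOWNLOAD_BIT = 2        # 96.102 bit 2 'Disable file download': set TRUE

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"name": "pump-01", "model": "ACS6080", "firmware": "LAAAB_5.06.1", "p96_102": 0x0200},
    {"name": "mill-02", "model": "ACS5000", "firmware": "LAAAB_4.03.0", "p96_102": 0x0004},
    {"name": "fan-03", "model": "ACS6000", "firmware": "LAAAB_5.07", "p96_102": 0x0200},
]


def parse_fw(fw):
    """'LAAAB_5.06.1' -> (5, 6, 1). Assumption: the numeric part orders releases."""
    m = re.fullmatch(r"[A-Z]+[_ ](\d+)\.(\d+)(?:\.(\d+))?", fw.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {fw!r}")
    return tuple(int(g or 0) for g in m.groups())


def audit(drive):
    """Return the list of findings for one inventory record."""
    lower = AFFECTED_FROM.get(drive["model"])
    if lower is None or not (lower <= parse_fw(drive["firmware"]) < FIXED):
        return []  # model not listed, or firmware outside the affected range
    findings = ["firmware below LAAAB_5.07: schedule upgrade"]
    word = drive["p96_102"]  # assumption: bit 0 is the least significant bit
    if (word >> ONLINE_PROG_BIT) & 1:
        findings.append("96.102 bit 9 TRUE: CODESYS online IEC programming enabled")
    if not (word >> NO_DOWNLOAD_BIT) & 1:
        findings.append("96.102 bit 2 FALSE: file download not disabled")
    return findings


def audit_fleet(inventory):
    """Map each drive name to its findings."""
    return {d["name"]: audit(d) for d in inventory}


if __name__ == "__main__":
    for name, findings in audit_fleet(INVENTORY).items():
        print(name, findings or "no findings")
```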