ABB MV Drives

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-25-112-04 | Mar 26, 2025
ABB, CODESYS, Energy, Manufacturing
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

ABB MV drives contain multiple buffer overflow and improper input validation vulnerabilities (CWE-119, CWE-20, CWE-787) in the IEC online programming communication interface and CODESYS Runtime System. Exploitation requires either valid login credentials to Drive Automation Builder/Drive Composer or direct network access to send malformed packets to the drive. Successful exploitation could allow an attacker to execute arbitrary code, alter drive parameters (motor speed, torque, direction), or cause a denial-of-service condition. ABB has disabled IEC online programming communication by default in updated firmware versions and plans a CODESYS RTS library update to further harden defenses. Several older drive models (DCS880, DCT880, and certain ACS880 programs) are end-of-life with no fixes planned.

What this means
What could happen
An attacker with network access and valid credentials could execute arbitrary code on ABB MV drives, potentially altering motor speed, torque, or direction of rotation, or causing the drive to stop entirely, disrupting industrial processes.
Who's at risk
Energy and manufacturing operators using ABB MV drives (DCS880, DCT880, ACS880, ACS5000, ACS6000, ACS6080) for motor speed control, variable frequency drive applications, and power conversion. Affects facilities relying on these drives for pump operation, fan control, compressor drive, and other critical motor load management in water treatment, electric generation, and industrial processing.
How it could be exploited
An attacker with access to the local drive network could send malformed packets to exploit buffer overflow or improper input validation vulnerabilities in the IEC online programming communication interface. Alternatively, an attacker could connect programming software (Drive Automation Builder or Drive Composer) to the drive and exploit these vulnerabilities after login to gain full system access.
Prerequisites
  • Local network access to the drive (UDP/TCP connectivity to drive management ports)
  • Valid login credentials (either through Drive Automation Builder/Drive Composer software or direct protocol access)
  • IEC online programming communication enabled (enabled by default on some firmware versions)
  • remotely exploitable via network access
  • requires valid credentials or local network access
  • low complexity attack (malformed packet sent directly to drive)
  • affects drive firmware and control programs across multiple ABB product lines
  • no patch available for DCS880 and DCT880 memory units and some ACS880 control programs (end-of-life status)
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (16)
9 with fix, 7 EOL
Product | Affected Versions | Fix Status
DCS880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3) | All versions | No fix (EOL)
DCS880 memory unit incl. DEMag | All versions | No fix (EOL)
DCS880 memory unit incl. DCC | All versions | No fix (EOL)
DCT880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3) | All versions | No fix (EOL)
DCT880 memory unit incl. Power Optimizer | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Disable IEC online programming communication by default (already disabled in newer firmware; verify in 96.102 User lock functionality that bit 9 'Enable online IEC programming' is set to FALSE)
WORKAROUND: Enable file download protection by setting bit 2 'Disable file download' to TRUE in 96.102 User lock functionality parameter on affected drives where patching cannot be immediately applied
HARDENING: Restrict network access to ABB drives using firewall rules: only permit Drive Automation Builder and Drive Composer connections from designated engineering workstations on the local automation network
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

ACS6080 Firmware
HOTFIX: Update ACS5000, ACS6000, and ACS6080 firmware to LAAAB v5.07 or higher
All products
HOTFIX: Update ACS880 Primary Control Program (AINLX) to version 3.47 or later
HOTFIX: Update ACS880 IGBT Supply Control Program (AISLX) to version 3.43 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: DCS880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3), DCS880 memory unit incl. DEMag, DCS880 memory unit incl. DCC, DCT880 memory unit incl. ABB Drive Application Builder license (IEC 61131-3), DCT880 memory unit incl. Power Optimizer, ACS880 Position Control Program APCLX <= v1.04.0.5, ACS880 Test Bench Control Program ATBLX <= v3.44.0.0. Apply the following compensating controls:
HARDENING: Isolate all ABB MV drives and automation networks behind a firewall and separate them from office/general-purpose networks
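
Added example, not part of the advisory and not ABB code: a Python triage of a drive inventory against the fix versions and the 96.102 bit settings listed above. The inventory format, the field names and the numbering of bit 0 as the least significant bit are assumptions; the inventory records are constructed.

```python
# Added example (not ABB or OTPulse code). Inventory records are constructed.
FIXED_IN = {           # minimum fixed versions quoted in the advisory
    "LAAAB": (5, 7),   # ACS5000 / ACS6000 / ACS6080 firmware
    "AINLX": (3, 47),  # ACS880 Primary Control Program
    "AISLX": (3, 43),  # ACS880 IGBT Supply Control Program
}
# Listed in the advisory as end-of-life with no planned fix.
NO_FIX = {"DCS880", "DCT880", "APCLX", "ATBLX"}

def parse_version(text):
    """'v3.47.0.1' -> (3, 47, 0, 1); dotted fields are compared numerically."""
    return tuple(int(part) for part in text.lstrip("vV").split("."))

def bit(word, n):
    # Assumption: bit 0 is the least significant bit of the 96.102 value.
    return bool((word >> n) & 1)

def triage(drive):
    """Return the advisory actions still open for one inventory record."""
    findings = []
    family = drive["family"]
    if family in NO_FIX:
        findings.append("EOL, no fix planned: apply compensating controls")
    elif family in FIXED_IN:
        if parse_version(drive["version"]) < FIXED_IN[family]:
            need = "%d.%02d" % FIXED_IN[family]
            findings.append(f"update {family} to {need} or later")
    else:
        findings.append("not listed in the advisory: review manually")
    word = drive.get("p96_102")
    if word is None:
        findings.append("96.102 not recorded: verify on the drive")
    else:
        if bit(word, 9):
            findings.append("96.102 bit 9 TRUE: online IEC programming enabled")
        if not bit(word, 2):
            findings.append("96.102 bit 2 FALSE: file download not disabled")
    return findings

INVENTORY = [  # constructed sample data
    {"name": "pump-vfd-01", "family": "AINLX", "version": "3.45.0.2", "p96_102": 0x0200},
    {"name": "mill-drive-02", "family": "LAAAB", "version": "v5.07", "p96_102": 0x0004},
    {"name": "dc-drive-03", "family": "DCS880", "version": "", "p96_102": None},
]

if __name__ == "__main__":
    for drive in INVENTORY:
        print(drive["name"], triage(drive) or ["no open actions"])
```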

ABB MV Drives | CVSS 8.8 - OTPulse