Danfoss AK-SM 8xxA Series (Update A)

Plan Patch8.2ICS-CERT ICSA-25-140-03May 20, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

Three vulnerabilities (CVE-2025-41450, CVE-2025-41451, CVE-2025-41452) in Danfoss AK-SM 8xxA Series controllers allow remote attackers to bypass authentication and execute arbitrary code. CVE-2025-41450 is fixed in release R4.2; CVE-2025-41451 and CVE-2025-41452 are fixed in release R4.3.1. No patches are available for firmware versions below these releases. Attack complexity is high, and no public exploitation has been reported.

What this means

What could happen

An attacker could bypass authentication and run arbitrary code on the AK-SM controller, potentially altering process parameters, stopping operations, or corrupting device configuration in critical infrastructure applications like HVAC, refrigeration, or energy management systems.

Who's at risk

Danfoss AK-SM 8xxA Series controllers used in HVAC systems, refrigeration units, energy management, and process control in critical infrastructure. Any organization running firmware below R4.2 or R4.3.1 is affected.

How it could be exploited

An attacker with network access to the AK-SM device initiates a connection and exploits authentication bypass vulnerabilities (CVE-2025-41450/41451/41452) to execute arbitrary commands without valid credentials. The attack requires user interaction or specific conditions (high attack complexity), but once successful, grants full code execution on the controller.

Prerequisites

Network access to the AK-SM device port
User interaction or specific device state/configuration (high attack complexity per CVSS)
No valid credentials required

Remotely exploitableAuthentication bypass possibleNo patch available for older firmware branchesAffects critical control systemsHigh CVSS score (8.2)

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

AK-SM 8xxA Series: <R4.2<R4.2R4.2

AK-SM 8xxA Series: <4.3.1<4.3.1R4.2

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGRestrict network access to AK-SM devices: do not expose to the Internet and isolate from business networks using firewalls

HARDENINGIf remote access is required, use a VPN with current patches and strong authentication

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade AK-SM 8xxA Series to release R4.2 or later (addresses CVE-2025-41450)

HOTFIXUpgrade AK-SM 8xxA Series to release R4.3.1 or later (addresses CVE-2025-41451 and CVE-2025-41452)

Long-term hardening

0/1

HARDENINGPerform impact analysis and risk assessment before implementing network isolation changes to avoid disrupting critical processes

CVEs (3)

CVE-2025-41450 CVE-2025-41451 CVE-2025-41452

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b3a8d88f-7453-4e28-92fc-b8f465c407f6