ASKI Energy ALS-Mini-S8 and ALS-Mini-S4
Act Now10ICS-CERT ICSA-25-296-02Oct 23, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
A missing access control vulnerability (CWE-306) in ASKI Energy ALS-Mini-S4 and ALS-Mini-S8 devices allows remote, unauthenticated attackers to gain full control of affected units. The vulnerability exists in all versions of affected serial number ranges (2000–5166). ASKI (now owned by ABB) discontinued these products in 2022 and has stated there are no plans to release a security patch. The embedded web server provides access to load monitoring, alarm management, remote configuration, and device control functions—all of which become compromised if the vulnerability is exploited.
What this means
What could happen
An attacker with network access to these devices could gain complete control and modify operational parameters, potentially disrupting energy delivery or affecting critical grid operations. Since these are end-of-life products with no patch available, organizations must rely entirely on network isolation and monitoring.
Who's at risk
Energy utilities and power distribution operators using ASKI Energy ALS-Mini-S4 or ALS-Mini-S8 devices (manufactured before 2022 with serial numbers 2000–5166) for power monitoring, control, or remote configuration. Organizations should audit all such devices in their energy management and SCADA systems.
How it could be exploited
An attacker on the network can reach the embedded web server on the ALS-Mini-S8 or S4 device without authentication and exploit a missing access control vulnerability to execute arbitrary actions. This could include changing process setpoints, stopping the device, or disabling monitoring functions.
Prerequisites
- Network reachability to the device's embedded web server (HTTP/HTTPS port)
- Device must have serial number between 2000 and 5166
- No authentication credentials required
remotely exploitableno authentication requiredlow complexityno patch availableend-of-life productaffects critical infrastructure
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 EOL
ProductAffected VersionsFix Status
ALS-mini-s4 IP (serial number from 2000 to 5166): vers:all/*All versionsNo fix (EOL)
ALS-mini-s8 IP (serial number from 2000 to 5166): vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/3WORKAROUNDPhysically disconnect the ethernet port if the embedded web server is not required for operations
HARDENINGImplement firewall rules to block all network traffic to the device except from explicitly whitelisted engineering workstations or control system IPs
HARDENINGConfigure IDS/IPS and firewall alerts for any access attempts from non-whitelisted sources to the device
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HARDENINGRoute all traffic to the device through a secure proxy that enforces authentication and activity logging
HOTFIXUpdate all surrounding SCADA, HMI, and control system software to current versions to reduce lateral movement vectors
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: ALS-mini-s4 IP (serial number from 2000 to 5166): vers:all/*, ALS-mini-s8 IP (serial number from 2000 to 5166): vers:all/*. Apply the following compensating controls:
HARDENINGEnsure the device is not accessible from the corporate network, DMZ, or internet; isolate to a dedicated control system network behind a firewall
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8de3219c-e8aa-40b5-be31-5b0096cd14ef