ASKI Energy ALS-Mini-S8 and ALS-Mini-S4

Plan: Patch | CVSS: 10 | ICS-CERT: ICSA-25-296-02 | Oct 23, 2025
Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The ASKI Energy ALS-Mini-S4 and ALS-Mini-S8 IP devices (serial numbers 2000–5166, all firmware versions) contain an authentication bypass vulnerability (CWE-306, CVSS 10.0) in the embedded web server. An unauthenticated attacker with network access can gain full control of the device and modify load monitoring, alarms, and remote configuration settings. The affected products reached end-of-life in 2022 and ABB (parent company) will not release security patches.

What this means
What could happen
An attacker with network access to these devices could gain full control and alter energy management operations, including load monitoring, alarms, and remote configuration settings. Since the products are end-of-life with no vendor patches available, this vulnerability cannot be remediated through software updates.
Who's at risk
Energy utilities and industrial facilities using ASKI Energy ALS-Mini-S4 or ALS-Mini-S8 IP load management devices (specifically serial numbers 2000–5166) should implement immediate network isolation measures. These devices manage load monitoring, alarms, and remote configuration in power distribution environments.
How it could be exploited
An attacker with network access to the device can exploit the missing authentication mechanism (CWE-306) to reach the embedded web server without any credentials. Once in, the attacker can reconfigure control parameters, disable alarms, or modify load monitoring settings, directly affecting energy system operations.
Prerequisites
  • Network access to the embedded web server (typically port 80/443)
  • Device connected to a network accessible from attacker's position
  • No additional authentication or valid credentials required
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects critical energy operations, all versions affected, end-of-life product
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
Product | Affected Versions | Fix Status
ALS-mini-s4 IP (serial number from 2000 to 5166): vers:all/* | All versions | No fix (EOL)
ALS-mini-s8 IP (serial number from 2000 to 5166): vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Do not expose these devices to the public internet or untrusted networks
HARDENING: Place the device behind a firewall and configure strict firewall rules to allow network access only from whitelisted IP addresses used by authorized control engineers
WORKAROUND: If the embedded web server is not actively used, physically disconnect the ethernet port to eliminate the attack surface
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Route all remote access traffic through a secure proxy or VPN that enforces authentication and logging
HARDENING: Enable and monitor firewall, IDS, or IPS alerts for any access attempts from non-whitelisted IP addresses to this device
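The two firewall-related controls above (allow access only from whitelisted engineering addresses, and alert on any attempt from a non-whitelisted address) can be checked with a small log review script. The following is an added example, not code from the advisory or from ASKI Energy/ABB; the device address, the allowlist, and the syslog-style firewall lines are all constructed for illustration. It flags every TCP connection attempt to the device's web ports (80/443, as the advisory notes) from an address outside the allowlist, rating an ACCEPTed attempt higher than a DROPped one because it indicates the firewall rule itself is too permissive.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical addresses, constructed for this example.
DEVICE_IP = "10.20.30.40"            # address of the ALS-Mini web server
WEB_PORTS = {80, 443}                # embedded web server, per the advisory
ALLOWED_SOURCES = [                  # whitelisted control-engineer hosts
    ipaddress.ip_network("10.20.10.0/28"),
    ipaddress.ip_network("10.20.11.5/32"),
]

# Constructed iptables/nftables-style syslog lines, not real logs.
SAMPLE_LOGS = """\
2025-10-23T09:12:01Z fw1 kernel: ACCEPT IN=eth1 SRC=10.20.10.7 DST=10.20.30.40 PROTO=TCP DPT=80
2025-10-23T09:13:44Z fw1 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=10.20.30.40 PROTO=TCP DPT=443
2025-10-23T09:14:02Z fw1 kernel: ACCEPT IN=eth1 SRC=10.20.50.9 DST=10.20.30.40 PROTO=TCP DPT=80
2025-10-23T09:15:10Z fw1 kernel: ACCEPT IN=eth1 SRC=10.20.10.7 DST=10.20.30.41 PROTO=TCP DPT=22
2025-10-23T09:16:30Z fw1 kernel: ACCEPT IN=eth1 SRC=10.20.50.9 DST=10.20.30.40 PROTO=UDP DPT=161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+kernel:\s+(?P<action>ACCEPT|DROP)\s+.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dpt>\d+)"
)


@dataclass
class Alert:
    timestamp: str
    src: str
    dport: int
    action: str
    severity: str


def is_allowed(src: str) -> bool:
    """True if the source address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def find_unauthorized_web_access(log_text: str, device_ip: str = DEVICE_IP) -> list[Alert]:
    """Return one Alert per connection attempt to the device's web ports
    from a non-whitelisted source. An ACCEPT means the firewall let the
    attempt through, so the rule set needs fixing; a DROP means the rule
    worked but someone is still probing the device."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a firewall connection record
        if m["dst"] != device_ip or m["proto"] != "TCP":
            continue  # traffic to another host, or not the web server
        dport = int(m["dpt"])
        if dport not in WEB_PORTS:
            continue
        if is_allowed(m["src"]):
            continue  # whitelisted engineering host, expected
        severity = "critical" if m["action"] == "ACCEPT" else "high"
        alerts.append(Alert(m["ts"], m["src"], dport, m["action"], severity))
    return alerts


if __name__ == "__main__":
    for a in find_unauthorized_web_access(SAMPLE_LOGS):
        print(f"{a.severity.upper():8} {a.timestamp} {a.src} -> :{a.dport} ({a.action})")
```

On the constructed sample this reports two alerts: the dropped probe from 198.51.100.23 on port 443 (the rule held) and the accepted connection from 10.20.50.9 on port 80 (a host outside the allowlist reached the unauthenticated web server, which is exactly the exposure the advisory describes). Feeding the script a real firewall export in the same format is the quickest way to confirm that only the intended engineering addresses can ever reach the device.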
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ALS-mini-s4 IP (serial number from 2000 to 5166): vers:all/*, ALS-mini-s8 IP (serial number from 2000 to 5166): vers:all/*. Apply the following compensating controls:
HARDENING: Plan replacement or upgrade of these end-of-life devices with supported products that receive security updates
