A critical stack buffer overflow vulnerability in ABB’s AC500 V3 programmable logic controllers has been assigned CVE-2025-15467, prompting the vendor to release a hotfix firmware version 3.9.0 HF1. ABB privately disclosed the flaw on March 12, 2026, and the Cybersecurity and Infrastructure Security Agency republished the advisory on May 12, 2026, underscoring the risk to industrial operations worldwide.
Root Cause: Cryptographic Message Syntax Parsing Flaw
The vulnerability resides in the firmware’s parser for Cryptographic Message Syntax data. CMS (RFC 5652) is the IETF standard for signed, encrypted, and authenticated message content, encoded in ASN.1 DER, and it plays a crucial role in secure communications between PLCs and engineering workstations. By sending a specially crafted CMS packet, an attacker can overflow a fixed-size stack buffer, overwriting adjacent stack memory such as saved registers and the return address, and potentially gaining remote code execution on the controller.
ABB confirmed that all firmware versions prior to 3.9.0 HF1 are affected. The hotfix adds bounds checking on the CMS input buffer so that oversized input is rejected rather than copied. Because the parser runs before any authentication step, an attacker needs only network reachability to the PLC’s management interface to exploit it.
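As an added illustration of the bug class described above (this is not ABB’s code, which is not public): a hypothetical DER OCTET STRING parser of the kind every CMS implementation contains. The encoded length field is attacker-controlled; the vulnerable version copies that many bytes into a fixed 64-byte stack buffer, while the hardened version checks the length against both the destination buffer and the bytes actually present in the packet, which is the kind of bounds check a hotfix adds. The packet bytes, function names and the 64-byte buffer size are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_OCTET_STRING 0x04
#define CONTENT_MAX 64          /* assumed size of the fixed stack buffer */

/* Decode a DER length at in[0..]: short form (< 0x80) or long form with one or
 * two length bytes. Returns the number of header bytes consumed, 0 if malformed. */
static size_t der_read_length(const uint8_t *in, size_t in_len, size_t *out_len)
{
    if (in_len < 1) return 0;
    if (in[0] < 0x80) { *out_len = in[0]; return 1; }
    size_t n = in[0] & 0x7f;                  /* number of following length bytes */
    if (n == 0 || n > 2 || in_len < 1 + n)    /* reject indefinite and > 2-byte lengths */
        return 0;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | in[1 + i];
    *out_len = len;
    return 1 + n;
}

/* VULNERABLE: trusts the encoded length. A length of 256 makes memcpy write
 * 256 bytes into a 64-byte stack buffer, smashing whatever lies above it
 * (saved registers, return address). Shown for contrast; never feed it
 * untrusted input. */
int parse_octet_string_vulnerable(const uint8_t *in, size_t in_len,
                                  uint8_t *out /* CONTENT_MAX bytes */, size_t *out_len)
{
    uint8_t buf[CONTENT_MAX];
    size_t len, hdr;
    if (in_len < 2 || in[0] != TAG_OCTET_STRING) return -1;
    hdr = der_read_length(in + 1, in_len - 1, &len);
    if (hdr == 0) return -1;
    memcpy(buf, in + 1 + hdr, len);           /* BUG: len unchecked against sizeof buf and in_len */
    memcpy(out, buf, len);
    *out_len = len;
    return 0;
}

/* HARDENED: the same parser with the two bounds checks the vulnerable one lacks.
 * Returns 0 on success, -1 malformed, -2 content too large for the buffer,
 * -3 length claims more bytes than the packet actually carries. */
int parse_octet_string_hardened(const uint8_t *in, size_t in_len,
                                uint8_t *out /* CONTENT_MAX bytes */, size_t *out_len)
{
    uint8_t buf[CONTENT_MAX];
    size_t len, hdr;
    if (in_len < 2 || in[0] != TAG_OCTET_STRING) return -1;
    hdr = der_read_length(in + 1, in_len - 1, &len);
    if (hdr == 0) return -1;
    if (len > sizeof buf) return -2;          /* destination bound: would smash the stack */
    if (len > in_len - 1 - hdr) return -3;    /* source bound: truncated packet, would over-read */
    memcpy(buf, in + 1 + hdr, len);
    memcpy(out, buf, len);
    *out_len = len;
    return 0;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_GOOD[]      = { 0x04, 0x03, 'a', 'b', 'c' };           /* OCTET STRING, len 3 */
static const uint8_t PKT_OVERSIZED[] = { 0x04, 0x82, 0x01, 0x00, 0x41, 0x41 };  /* claims len 256 */
static const uint8_t PKT_TRUNCATED[] = { 0x04, 0x10, 'a', 'b' };                /* claims 16, carries 2 */

static int run_hardened(const uint8_t *pkt, size_t pkt_len, size_t *n)
{
    uint8_t o[CONTENT_MAX];
    return parse_octet_string_hardened(pkt, pkt_len, o, n);
}

int    demo_good_rc(void)       { size_t n = 0; return run_hardened(PKT_GOOD, sizeof PKT_GOOD, &n); }
size_t demo_good_len(void)      { size_t n = 0; run_hardened(PKT_GOOD, sizeof PKT_GOOD, &n); return n; }
int    demo_oversized_rc(void)  { size_t n = 0; return run_hardened(PKT_OVERSIZED, sizeof PKT_OVERSIZED, &n); }
int    demo_truncated_rc(void)  { size_t n = 0; return run_hardened(PKT_TRUNCATED, sizeof PKT_TRUNCATED, &n); }
/* The vulnerable parser is silent on well-formed input, which is why such bugs ship. */
int    demo_vulnerable_good_rc(void)
{
    uint8_t o[CONTENT_MAX]; size_t n = 0;
    return parse_octet_string_vulnerable(PKT_GOOD, sizeof PKT_GOOD, o, &n);
}

int main(void)
{
    int rc_good = demo_good_rc();
    size_t len_good = demo_good_len();
    printf("good:      rc=%d len=%zu\n", rc_good, len_good);
    printf("oversized: rc=%d (rejected before memcpy)\n", demo_oversized_rc());
    printf("truncated: rc=%d (rejected before memcpy)\n", demo_truncated_rc());
    /* parse_octet_string_vulnerable(PKT_OVERSIZED, ...) would overflow buf here */
    return 0;
}
```

The order of the two checks matters: the destination bound is tested first so that a length larger than the buffer is rejected even when the packet really does carry that many bytes, and the source bound then stops a short packet from being over-read.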
Attack Surface and Impact
In typical deployments, AC500 V3 PLCs sit on operational technology networks, often accessible from Windows-based SCADA and engineering stations. An attacker who compromises a jump host or plants a rogue device on the OT LAN can target the vulnerability to disrupt physical processes, manipulate I/O, or pivot deeper into the control system.
Unlike IT servers, PLCs run no endpoint agent that receives signature updates and are patched infrequently, making firmware-level flaws especially dangerous. A successful exploit could lead to production downtime, safety incidents, or environmental damage in sectors such as manufacturing, energy, and water treatment.
CISA Advisory and Industry Response
CISA’s advisory reinforces the need for critical infrastructure owners to apply the firmware update immediately. It also recommends generic ICS hardening measures: network segmentation, disabling unused protocols, and monitoring network traffic to the controllers for anomalous CMS messages.
Several security researchers noted that stack overflows remain a plague in embedded systems because of pervasive C/C++ usage and limited memory protection. The AC500 V3 is built on the ABB Common Automation Platform, which powers many automation components; however, ABB stated that no other product lines are affected.
Patching Realities
Deploying firmware updates on PLCs is not as straightforward as clicking “update” on a Windows workstation. OT personnel must carefully plan a maintenance window because firmware flashing requires the controller to halt production. ABB’s Automation Builder software (which runs on Windows) must be used to download the new firmware, and the process typically involves stopping the running program, loading the firmware, and then performing a cold restart.
Because of these operational hurdles, many plants will deploy temporary mitigations first. CISA and ABB strongly recommend network-level protections—such as firewalls and unidirectional gateways—to block untrusted devices from reaching the CMS service.
Windows Workstation Considerations
Although the PLC itself is the vulnerable endpoint, Windows engineering workstations still play a dual role: as the platform for patching and as a potential attack vector. Automation Builder, installed on Windows 10 or 11, provides the IDE for managing AC500 projects. If an attacker compromises the engineering laptop, they could craft CMS exploits directly. Conversely, if the PLC is exploited, it could be used as a pivot to attack the Windows host, especially if the laptop is permanently connected.
Organizations should apply all Windows and Automation Builder updates, restrict administrative access, and use application whitelisting. Multi-factor authentication on jump servers adds another layer of defense.
Long-term Outlook
The CVE-2025-15467 incident highlights an ongoing tension in industrial cybersecurity: embedded devices that run complex protocol stacks are increasingly targeted, yet patching them remains operationally costly. ABB’s swift release of a hotfix is commendable, but the window between disclosure and mass deployment will likely be measured in months, not days.
For Windows environments that interface with AC500 V3 controllers, this is a call to audit OT network segmentation and ensure that critical assets are not directly exposed to IT networks. Until every PLC is patched, the next critical vulnerability could weaponize the same CMS parsing pathway.