ABB has confirmed a high-severity credential-handling vulnerability, tracked as CVE-2025-9970, in its LVS MConfig software. The flaw affects versions 1.4.9.21 and earlier, leaving engineering workstations running Windows exposed to credential theft. ABB published its advisory on October 8, 2025, and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished the alert on May 26, 2026, urging all users to install version 1.4.9.22 immediately. This industrial configuration tool, commonly deployed on Windows-based engineering laptops and servers, now presents a serious risk to operational technology (OT) environments if left unpatched.
LVS MConfig is a specialized application used to configure ABB’s low-voltage switchgear and motor control centers. Engineers rely on it to set parameters, manage protection relays, and integrate devices into broader automation architectures. Because these workstations often bridge corporate IT networks and isolated OT networks, a credential leak vulnerability turns them into a prime attack vector for adversaries aiming to pivot from IT to critical control systems.
What Is CVE-2025-9970?
ABB disclosed CVE-2025-9970 as a credential-handling vulnerability. The exact mechanics have not been publicly detailed in a step-by-step proof-of-concept, but the nature of such vulnerabilities in engineering software typically involves one of several scenarios: credentials stored in plaintext configuration files, hardcoded default credentials in the application, or transmission of authentication data over insecure channels. In the context of LVS MConfig, a successful exploit could allow an attacker with local or network access to extract usernames and passwords used to connect to ABB devices or backend services. That foothold could then be used to modify switchgear configurations, disable protection functions, or launch lateral movement deeper into an industrial control system (ICS).
The vulnerability carries a High severity rating, but at the time of writing neither ABB nor CISA has published a CVSS v3.1 vector or score. In CVSS v3.1 the High band spans base scores of 7.0 to 8.9, so treat the issue as scoring in that range for prioritization until a vector is published; credential leaks of this kind typically carry low attack complexity, which pushes the score toward the upper end of the band. CISA's republication in 2026 puts the advisory back in front of asset owners months after the initial disclosure: any installation not verified at 1.4.9.22 should be treated as still vulnerable.
Affected Versions and the Fix
The following versions are impacted:
- LVS MConfig 1.4.9.21
- All prior versions
ABB resolved the vulnerability in LVS MConfig version 1.4.9.22, released alongside the October 2025 advisory. Users are instructed to download the installer from ABB’s official product support portal and apply the upgrade to their engineering workstations. Because configuration projects created in older versions may contain cached credentials, ABB recommends that after patching, users change all passwords for accounts that have been used with the software and consider re-deploying device-level credentials as a precaution.
No workarounds exist. The only mitigation is the full upgrade. ABB’s advisory explicitly states: “This vulnerability cannot be mitigated by configuration changes; an upgrade to the fixed version is required.”
Timeline and Disclosure
ABB followed a coordinated vulnerability disclosure (CVD) process. The timeline is as follows:
- September 2025: ABB received the vulnerability report from an external researcher (the researcher’s name has not been released).
- October 8, 2025: ABB issued security advisory ABBVU-2025-001 (internal reference) and published the fixed version.
- May 26, 2026: CISA republished the advisory through its ICS advisory platform (ICSA-26-146-01), adding its own recommendations and drawing attention to potential exploitation in energy and manufacturing sectors.
CISA routinely republishes vendor ICS advisories to give them wider visibility, so the roughly seven-month gap between ABB's fix and CISA's republication does not by itself prove active exploitation. It does mean the advisory is now reaching asset owners who do not follow ABB's own security channel, and it should be read as a prompt to verify patch status: assume any installation you have not personally checked is still on an affected version.
Why This Matters for Windows Users
LVS MConfig runs exclusively on Microsoft Windows, typically Windows 10 or Windows 11 for field engineering tasks, and Windows Server editions for centralized engineering hubs. The software interacts with the Windows credential store, file system, and network interfaces. A vulnerability in how the application manages credentials could expose sensitive data stored in:
- Project files (.mcfg or similar)
- Application logs
- Temporary directories
- Windows registry entries
The Windows engineering workstation is often a trusted node in the OT network. Compromise of such a workstation gives an attacker direct access to every ABB device it is authorized to configure, through the same channel the engineer uses. This is not a hypothetical scenario: in 2024, Dragos and Mandiant reported intrusions in which ICS engineering tools were targeted to harvest credentials and manipulate device logic. The combination of a credential leak vulnerability and weak segmentation between IT and OT networks makes CVE-2025-9970 a severe threat that demands immediate action.
How an Attacker Could Exploit This Vulnerability
Even without detailed exploit code, we can construct a plausible attack chain based on common weaknesses in industrial software:
- Initial Access: An attacker first compromises the corporate IT network via phishing, exposed RDP, or a vulnerable VPN appliance.
- Discovery and Lateral Movement: Using standard IT tools, the attacker scans for engineering workstations with LVS MConfig installed. Because the software is used by field engineers who often connect to both office and plant networks, it may appear in both IT and OT network segments.
- Credential Extraction: The attacker locates configuration files or memory dumps where credentials are stored insecurely. For example, if the application saves connection passwords in a plaintext XML file, a simple file read operation yields them.
- OT Pivot: With valid credentials, the attacker accesses ABB switchgear controllers, protection relays, and motor control centers. They could open breakers, disable safety interlocks, or reprogram device parameters—leading to equipment damage, production halts, or physical danger.
- Persistence and Cleanup: The attacker could inject malicious logic into the devices themselves, ensuring that even after the engineering workstation is cleaned, the compromise remains.
This kill chain underscores why a credential leak in engineering software is far more dangerous than a typical IT data breach. The impact cascades into the physical world.
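The locations listed above (project files, logs, temporary directories) and the credential-extraction step of the kill chain are exactly what an incident responder or a post-patch audit needs to sweep. The scanner below is an added example, not ABB code and not derived from the advisory: it walks a directory tree, parses XML-style project files for secret-looking attributes and elements, and greps logs and temp files for `password=`-style fragments, skipping values that are empty, masked, or already marked as protected. The `.mcfg` extension, the XML layout, the log lines and the file names are all constructed for illustration; the real LVS MConfig project format is not documented in the advisory.

```python
"""Sweep engineering-workstation artefacts for credentials left in plaintext.

Added example, not ABB code. The .mcfg extension and the XML layout below are
assumptions for illustration; the real project format is not documented.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Names that, as an element tag or attribute, usually hold a secret.
SECRET_NAME = re.compile(r"(pass(word|wd|phrase)?|pwd|secret|credential|token)", re.I)
# Values not worth reporting: empty, masked with asterisks, or already protected.
IGNORED_VALUE = re.compile(r"^(?:\*+|(?:encrypted|dpapi|protected)\b.*)?$", re.I)
# "password=hunter2", "Password: hunter2", 'pwd="hunter2"' in logs and temp files.
TEXT_SECRET = re.compile(
    r"\b(pass(?:word|wd)?|pwd|secret)\s*[:=]\s*[\"']?([^\"'\s,;]+)", re.I)

XML_SUFFIXES = {".mcfg", ".xml"}                       # .mcfg is assumed
TEXT_SUFFIXES = {".log", ".txt", ".tmp", ".ini", ".cfg"}

# Constructed sample project file (not a real LVS MConfig project).
SAMPLE_PROJECT = """<?xml version="1.0"?>
<Project name="MCC-Line3">
  <Device address="10.20.30.41" type="relay">
    <Login user="service" password="Summer2025!" />
  </Device>
  <Device address="10.20.30.42" type="relay">
    <Login user="service" password="" />
  </Device>
  <Backend url="https://eng-hub.plant.local">
    <Token>dpapi:AQAAANCMnd8BFdERjHoAwE/Cl+s...</Token>
    <ApiSecret>s3cr3t-api-key</ApiSecret>
  </Backend>
</Project>
"""

# Constructed application log lines.
SAMPLE_LOG = [
    "2025-10-09 08:12:01 INFO  connecting to 10.20.30.41 user=service",
    "2025-10-09 08:12:01 DEBUG auth payload: user=service password=Summer2025!",
    "2025-10-09 08:12:02 INFO  login ok",
    "2025-10-09 08:13:10 DEBUG saved credential pwd=******",
]


def scan_xml(text):
    """Return [(element, name, value)] for secret-looking attributes and elements."""
    findings = []
    for elem in ET.fromstring(text).iter():
        for attr, value in elem.attrib.items():
            if SECRET_NAME.search(attr) and not IGNORED_VALUE.match(value):
                findings.append((elem.tag, attr, value))
        if SECRET_NAME.search(elem.tag):
            value = (elem.text or "").strip()
            if not IGNORED_VALUE.match(value):
                findings.append((elem.tag, elem.tag, value))
    return findings


def scan_text(lines):
    """Return [(line_no, keyword, value)] for key=value secrets in free text."""
    findings = []
    for n, line in enumerate(lines, 1):
        for m in TEXT_SECRET.finditer(line):
            if not IGNORED_VALUE.match(m.group(2)):
                findings.append((n, m.group(1), m.group(2)))
    return findings


def scan_directory(root):
    """Walk a project/log/temp tree; return {path: findings} for files with hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix not in XML_SUFFIXES | TEXT_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        try:
            found = scan_xml(text) if suffix in XML_SUFFIXES else scan_text(text.splitlines())
        except ET.ParseError:
            found = scan_text(text.splitlines())   # not well-formed XML: grep it instead
        if found:
            results[str(path)] = found
    return results


def demo():
    """Write the constructed samples to a temp dir, scan it, key results by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        proj = Path(tmp) / "projects"
        proj.mkdir()
        (proj / "MCC-Line3.mcfg").write_text(SAMPLE_PROJECT, encoding="utf-8")
        (Path(tmp) / "mconfig.log").write_text("\n".join(SAMPLE_LOG), encoding="utf-8")
        return {Path(p).name: hits for p, hits in scan_directory(tmp).items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        for hit in hits:
            print(f"{name}: {hit}")
```

Run it against the project directory, `%TEMP%`, and the application's log directory on a workstation before and after the upgrade; anything it reports after patching is a credential that still needs rotating. A masked or DPAPI-wrapped value is skipped on purpose, since the point of the sweep is the plaintext that should not be there.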
Mitigations Beyond Patching
While installing version 1.4.9.22 is the primary remediation, ABB and CISA recommend several defense-in-depth measures tailored to Windows environments:
- Network Segmentation: Place engineering workstations in a dedicated VLAN with strict firewall rules. Do not allow generic internet access from these machines. If remote engineering access is required, use a jump host with multi-factor authentication and full session logging.
- Credential Hygiene: After upgrading, force a password reset for all accounts that have ever been used within LVS MConfig. This includes factory default credentials on ABB devices, which should be changed immediately upon commissioning.
- Application Whitelisting: On Windows, implement AppLocker or Windows Defender Application Control to prevent the execution of unauthorized tools that might search for credential artifacts. This makes it harder for attackers to run scripts that parse configuration files.
- Windows Credential Guard: Enable Windows Defender Credential Guard so that the domain secrets LSASS holds (NTLM hashes, Kerberos tickets) are isolated in a virtualization-based enclave. This does nothing for secrets the application itself writes to disk or keeps in its own process memory, but it limits what an attacker who has already compromised the workstation can harvest from LSASS and replay against the domain.
- Logging and Monitoring: Turn on auditing that actually produces the events you need: Object Access auditing with a SACL on the LVS MConfig project and configuration directories (Event ID 4663), Process Creation auditing with command-line logging (Event ID 4688), and network connection logging (Sysmon Event ID 3 or Windows Filtering Platform events). Forward these to a SIEM and alert on reads of project directories by anything other than the LVS MConfig executable, and on unusual outbound connections from engineering workstations.
- Least Privilege: Engineers should not have local administrator rights on the workstation for daily tasks. Use standard user accounts and prompt for administrative credentials only when needed for installation or configuration changes.
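The monitoring bullet above is only useful if someone writes the detection rule. The following is an added example, not ABB or CISA code: it evaluates Windows Security events (in the flattened shape a SIEM export or `Get-WinEvent` gives once Object Access and Process Creation auditing are enabled) and alerts when a project file is read by a process other than the application, or when a scripting or search tool is launched with a command line that hunts for credentials. The events are constructed; the process name `MConfig.exe`, the project directory, and the allow-list are assumptions rather than documented values and must be adjusted to your installation.

```python
"""Flag suspicious access to LVS MConfig project artefacts in Windows Security events.

Added example, not ABB or CISA code. Events are constructed in the shape of a
SIEM export after auditing is enabled: 4663 needs a SACL on the project folder,
4688 needs "Include command line in process creation events". The process name,
project path and allow-list are assumptions, not documented values.
"""
import re

PROJECT_DIR = r"C:\ProgramData\ABB\LVS MConfig"        # assumed location
ALLOWED_READERS = {"mconfig.exe", "msmpeng.exe"}         # assumed app binary + AV engine
# Tools that have no business reading project files on an engineering workstation.
SUSPECT_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "findstr.exe",
                 "python.exe", "wscript.exe", "cscript.exe", "notepad.exe"}
CMDLINE_PATTERN = re.compile(r"(password|pwd|\.mcfg|lvs mconfig)", re.I)

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Program Files\ABB\LVS MConfig\MConfig.exe",
     "ObjectName": PROJECT_DIR + r"\Projects\MCC-Line3.mcfg"},
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ObjectName": PROJECT_DIR + r"\Projects\MCC-Line3.mcfg"},
    {"EventID": 4688, "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\findstr.exe",
     "CommandLine": r'findstr /si password "C:\ProgramData\ABB\LVS MConfig\*.mcfg"'},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Program Files\ABB\LVS MConfig\MConfig.exe",
     "CommandLine": r'"C:\Program Files\ABB\LVS MConfig\MConfig.exe"'},
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\jdoe\Documents\notes.txt"},
]


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_project_dir(path):
    return path.lower().startswith(PROJECT_DIR.lower())


def evaluate(event):
    """Return an alert string for one event, or None if it is benign."""
    eid = event.get("EventID")
    user = event.get("SubjectUserName", "?")
    if eid == 4663:
        proc = basename(event.get("ProcessName", ""))
        obj = event.get("ObjectName", "")
        if in_project_dir(obj) and proc not in ALLOWED_READERS:
            return f"project file {obj} read by {proc} as {user}"
    elif eid == 4688:
        proc = basename(event.get("NewProcessName", ""))
        cmd = event.get("CommandLine", "")
        if proc in SUSPECT_TOOLS and CMDLINE_PATTERN.search(cmd):
            return f"{proc} launched by {user} with credential-hunting command line: {cmd}"
    return None


def detect(events):
    """Run every event through evaluate() and keep the alerts, in order."""
    return [alert for alert in map(evaluate, events) if alert]


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The same two rules map directly onto Sysmon (Event ID 11 for file writes, Event ID 1 for process creation with command line) if you run Sysmon rather than native auditing. Expect to extend the allow-list with backup agents and EDR processes after a short baselining period, and to keep the suspect-tool list short enough that an alert still means something.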
CISA’s Added Warnings
CISA’s republished advisory (ICSA-26-146-01) includes specific language about the vulnerability’s potential impact on critical infrastructure. The agency notes that LVS MConfig is deployed in “energy generation, distribution, and manufacturing facilities worldwide.” The advisory encourages asset owners to apply the patch within 30 days and to report any suspicious activity involving ICS equipment to CISA’s 24/7 watch desk.
Importantly, CISA highlights that even air-gapped networks are not immune if an engineering laptop regularly connects to both the internet and the OT environment. A single compromise during a maintenance window can bridge the gap. This reiterates the need for strict media transfer policies and scanning of all portable devices before they are connected to the control network.
Industry Reaction and Historical Context
CVE-2025-9970 fits a recurring pattern in industrial software security. Over the past several years, multiple major vendors, including Siemens (SIMATIC STEP 7), Rockwell Automation (Studio 5000) and ABB itself (Drive Composer), have issued patches for engineering tools that stored or exposed credentials in recoverable form, whether in project files, local databases or application caches.
These recurring issues highlight a systemic problem: engineering software, built primarily for functionality and reliability, often neglects secure credential management. The Windows platform itself provides robust facilities, such as the Data Protection API (DPAPI) and Credential Manager, but many third-party developers either misuse them or bypass them altogether in favor of homegrown, insecure storage mechanisms.
What ABB Users Should Do Now
If you manage ABB low-voltage systems, act now:
- Inventory all Windows workstations that have LVS MConfig installed. This includes field service laptops, engineering desktops, and virtual machine templates.
- Determine the currently installed version by opening LVS MConfig and navigating to Help > About, or by checking the executable’s file version on disk.
- Download version 1.4.9.22 from the ABB Subscription and Support portal. You will need a valid account and product entitlement.
- Execute the installer with administrator privileges on each affected workstation. A reboot is not typically required, but close all running instances of LVS MConfig before upgrading.
- Post-patch, conduct a credential audit: reset all ABB device passwords, remove any saved credentials in the application, and scrub temporary files that may have stored plaintext passwords.
- Verify the patch installation by ensuring the version number updates successfully. Consider deploying the patch through your enterprise software distribution tool to ensure consistency.
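The inventory and verification steps above fail quietly if version strings are compared as text: `"1.4.9.9"` sorts after `"1.4.9.22"` as a string, so a naive check would report an affected 1.4.9.x build as patched. The script below is an added example, not ABB code: it classifies an inventory export against the affected range (1.4.9.21 and earlier) and the fixed version (1.4.9.22) using numeric component-wise comparison, and returns "unknown" for hosts with no recorded version so they are followed up rather than silently dropped. The CSV layout, hostnames and install path are constructed; the executable name `MConfig.exe` is an assumption.

```python
"""Classify an LVS MConfig inventory against CVE-2025-9970.

Affected: 1.4.9.21 and earlier.  Fixed: 1.4.9.22.
Added example, not ABB code. The CSV is a constructed export of the kind a
software-distribution tool or a version-collection script would produce;
hostnames, paths and the executable name are assumptions.
"""
import csv
import io

LAST_AFFECTED = (1, 4, 9, 21)
FIXED_VERSION = (1, 4, 9, 22)

SAMPLE_INVENTORY = r"""hostname,install_path,file_version
ENG-LT-01,C:\Program Files\ABB\LVS MConfig\MConfig.exe,1.4.9.21
ENG-LT-02,C:\Program Files\ABB\LVS MConfig\MConfig.exe,1.4.9.22
ENG-VM-TMPL,C:\Program Files\ABB\LVS MConfig\MConfig.exe,1.4.8.5
ENG-LT-03,C:\Program Files\ABB\LVS MConfig\MConfig.exe,1.4.9.9
ENG-LT-04,,
"""


def parse_version(text):
    """'1.4.9.21' -> (1, 4, 9, 21); short strings are zero-padded so 1.4.9 == 1.4.9.0."""
    parts = [int(p) for p in text.strip().split(".") if p != ""]
    if not parts:
        raise ValueError("empty version string")
    return tuple(parts + [0] * (4 - len(parts)))


def classify(version_text):
    """'vulnerable', 'fixed' or 'unknown' for one version string."""
    try:
        version = parse_version(version_text)
    except ValueError:          # blank, non-numeric or otherwise unparseable
        return "unknown"
    return "vulnerable" if version <= LAST_AFFECTED else "fixed"


def classify_inventory(csv_text):
    """Map hostname -> status for a CSV with hostname,install_path,file_version columns."""
    return {row["hostname"]: classify(row["file_version"])
            for row in csv.DictReader(io.StringIO(csv_text))}


def string_compare_is_wrong():
    """Why tuples: as strings '1.4.9.9' > '1.4.9.22', numerically it is older."""
    return "1.4.9.9" > "1.4.9.22" and parse_version("1.4.9.9") < FIXED_VERSION


if __name__ == "__main__":
    for host, status in classify_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12s} {status}")
```

To produce the `file_version` column on a Windows host, read the executable's file version rather than trusting the Help > About dialog of a copy that may not be running; in PowerShell that is `(Get-Item 'C:\Program Files\ABB\LVS MConfig\MConfig.exe').VersionInfo.FileVersion`, where the path and file name are assumptions to be confirmed against your installation. Every "unknown" row is a host that needs a hands-on check, and every "vulnerable" row is a host that needs both the upgrade and the credential rotation described above.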
Long-Term Implications for OT Security on Windows
CVE-2025-9970 reinforces a critical principle: OT networks are only as secure as the engineering workstations that manage them. As industrial convergence accelerates, with IT technologies like Windows 11 and cloud connectivity becoming standard in operational environments, the attack surface expands dramatically. Organizations must treat engineering software with the same security rigor as any other enterprise application, including regular vulnerability scanning, penetration testing, and proactive patch management.
Microsoft has been improving the security posture of Windows in industrial settings through solutions like Windows 10 IoT Enterprise and the Secured-core PC initiative. However, third-party software vulnerabilities like this one can undermine those protections. The onus is on both vendors and asset owners to adopt secure-by-design principles and enforce strict deployment practices. ABB’s swift response and transparent disclosure should be commended, but the long gap between the patch and widespread adoption, as signaled by CISA’s republication, shows that the industrial sector still has a long road ahead in basic cyber hygiene.