The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has amplified a critical advisory for industrial control systems, republishing ABB’s security notice for CVE-2025-7745 on May 26, 2026. The vulnerability affects ABB AC500 V2 programmable logic controllers (PLCs) and introduces a buffer over-read risk in the Modbus TCP protocol handler that could expose fragments of earlier network responses to unauthorized actors.
CISA’s republishing of vendor advisories is a routine yet vital step in the defense of critical infrastructure. It ensures that asset owners and operators—many of whom rely on ABB’s automation technology across manufacturing, energy, and water treatment—are alerted quickly, often before the vulnerability is widely exploited. This particular flaw, while rated medium severity, underscores the persistent weaknesses in legacy industrial communication protocols and the cascading risks they pose to converged IT/OT environments, including Windows-based engineering workstations that routinely interact with these PLCs.
The Vulnerability: CVE-2025-7745 in Detail
Buffer over-read vulnerabilities, also known as out-of-bounds read flaws, occur when software reads more data from a memory buffer than was intended, often spilling into adjacent memory regions. In the context of ABB AC500 V2 firmware, CVE-2025-7745 arises when the PLC’s Modbus TCP server processes an unsupported function code, a command it does not recognize or was not designed to handle. Instead of properly rejecting such a request, the bounds check in the firmware’s response-handling code fails, so the device reads past the allocated buffer and includes residual data in its reply to the network client.
This residual data is not random noise. It consists of fragments of previously processed Modbus responses that remain in the PLC’s memory. These scraps can contain a treasure trove of operational intelligence: register values reflecting real-time process variables, configuration parameters, device identifiers, or even credentials if the PLC had previously relayed authentication sequences for integrated systems.
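The over-read mechanism described above, as an added illustration that is not ABB's firmware code and not a known detail of the AC500 V2 implementation: a hypothetical Modbus TCP responder whose exception path sizes its reply from the request instead of from the bytes it actually wrote, shown beside the corrected version. The function code 0x41, the register values and the single-function "supported" set are constructed.

```python
import struct

ILLEGAL_FUNCTION = 0x01      # Modbus exception code for an unsupported function
SUPPORTED = {0x03}           # hypothetical: only "read holding registers" implemented

def parse_mbap(frame):
    """Split a Modbus TCP frame into (transaction id, unit id, PDU). The MBAP
    length field counts the unit id byte plus the PDU bytes."""
    tid, _proto, length, unit = struct.unpack(">HHHB", frame[:7])
    return tid, unit, frame[7:6 + length]

def build_frame(tid, unit, pdu):
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

class LeakyResponder:
    """Hypothetical firmware pattern: one static arena holds each reply, and the
    exception path sizes its reply from the request rather than from what it wrote."""

    def __init__(self):
        self.arena = bytearray(64)

    def respond(self, frame):
        tid, unit, pdu = parse_mbap(frame)
        fc = pdu[0]
        if fc in SUPPORTED:
            # Constructed register values (3000 and 300) standing in for live process data.
            reply = bytes([fc, 4]) + b"\x0b\xb8\x01\x2c"
            self.arena[:len(reply)] = reply
            return build_frame(tid, unit, bytes(self.arena[:len(reply)]))
        # Bug: only two bytes are written, but len(pdu) bytes are copied out, so
        # everything after the exception code is residue of the previous reply.
        self.arena[0:2] = bytes([fc | 0x80, ILLEGAL_FUNCTION])
        return build_frame(tid, unit, bytes(self.arena[:len(pdu)]))

class FixedResponder(LeakyResponder):
    """Same logic, but the reply length derives from the bytes actually written."""

    def respond(self, frame):
        tid, unit, pdu = parse_mbap(frame)
        if pdu[0] in SUPPORTED:
            return super().respond(frame)
        return build_frame(tid, unit, bytes([pdu[0] | 0x80, ILLEGAL_FUNCTION]))
```

Against the leaky responder, an unsupported request that follows a normal register read returns an exception reply whose trailing bytes are the previous reply's register values; the fixed responder returns exactly the two-byte exception PDU.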
The vulnerability received a Common Vulnerability Scoring System (CVSS) v3.1 base score of 5.3, placing it in the medium severity range. The vector string, as typically assigned for network-accessible information leaks with low complexity and no user interaction, would be AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. This means the vulnerability can be exploited over the network without any authentication, requires no user interaction, and results in a low-impact loss of confidentiality, with no direct integrity or availability compromise.
But the real-world risk often eclipses CVSS numbers on the factory floor. In an operational technology (OT) context, even a low-level information disclosure can be the initial foothold an adversary needs to map a network, identify valuable assets, or craft more sophisticated attacks.
The Modbus Protocol: A Legacy Under Fire
Modbus, first introduced in 1979, remains one of the most ubiquitous communication protocols in industrial automation. Its simplicity and openness drove widespread adoption, but those same traits are now its greatest security liabilities. Modbus TCP, commonly served on port 502, lacks encryption, authentication, or message integrity checks. Every command and response is transmitted in cleartext, and any device on the network can send read or write commands without restrictions—unless an external security layer, such as a firewall or VPN, is present.
CVE-2025-7745 exploits this inherent trust model. An attacker who has achieved even limited network access—perhaps through a compromised IT workstation, a misconfigured VPN, or a rogue device plugged into a switch—can craft and send specific unsupported function codes to trigger the over-read. The attack requires no privileged access to the PLC itself and leaves minimal forensic footprint because it leverages normal protocol operation.
ABB’s AC500 family is widely deployed in applications ranging from building automation to critical manufacturing processes. The V2 series, with its enhanced performance and Ethernet connectivity, is a staple of modern industrial environments. The firmware flaw likely resides in the legacy Modbus stack that ABB maintained for compatibility, a common challenge across the ICS vendor landscape.
Real-World Implications: Data Leakage in OT Environments
What kinds of data might an attacker glean from spilled Modbus response fragments? Across a typical industrial network, PLCs communicate with human-machine interfaces (HMIs), supervisory control and data acquisition (SCADA) systems, engineering workstations, and data historians. These interactions often pass through protocol gateways or Windows-based servers running OPC-UA, MQTT, or even direct Modbus drivers.
If a PLC’s memory contains residual data from a previous exchange with an engineering laptop—say, during a firmware upload or configuration download—fragments of project files, network credentials, or proprietary automation sequences could be exposed. In environments where Windows Active Directory or shared credentials are used to authenticate to HMIs, a leaked service account password could escalate an attacker’s access from a Level 1 OT device to Level 3 or Level 4 IT systems.
Moreover, process data like tank levels, mixing ratios, or production counts might seem benign but can reveal trade secrets or provide target intelligence for subtle process manipulation. An adversary seeking to cause physical disruption might use leaked parameters to fine-tune a later attack on a specific valve or motor, increasing the likelihood of cascading failure.
CISA’s Role in ICS Cybersecurity
CISA’s republishing of ABB’s advisory as ICSA-26-146-01 serves multiple functions. As the national authority on critical infrastructure security, CISA works with vendors to ensure vulnerabilities are cataloged and communicated to the 16 critical infrastructure sectors. The agency’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) coordinates such disclosures, often facilitating collaboration when vendors are slow to respond or when vulnerabilities affect multiple product lines.
For CVE-2025-7745, CISA’s action ensures that the advisory reaches asset owners who might not monitor ABB’s own security channels. This is especially important for small- to medium-sized utilities and manufacturers that lack dedicated cybersecurity personnel. The advisory typically includes technical details, risk evaluation, and immediate remediation steps, all validated through ABB’s own analysis.
CISA may also provide supplementary guidance, such as network segmentation strategies, YARA or Snort detection signatures, and recommendations for compensating controls when patching is impossible. In this case, because the vulnerability is in firmware, patching a controller that is running a live process often requires scheduled downtime, a luxury not always available in 24/7 operations.
Mitigation Strategies for ABB AC500 V2 Users
ABB has released a firmware update to address the buffer over-read flaw. Asset owners should immediately contact ABB’s technical support to obtain the patch and plan for installation. However, given the constraints of industrial environments, several compensating controls can reduce risk until patching is complete:
- Network Segmentation and Access Control: Restrict Modbus TCP access (port 502) to only authorized IP addresses using firewalls and access control lists. Place PLCs on a dedicated OT network segment isolated from business networks.
- Deep Packet Inspection: Deploy industrial firewalls that can inspect Modbus traffic for unusual function codes. Anomaly-based intrusion detection systems can flag responses containing unexpected data lengths or repetitive patterns indicative of an over-read exploit.
- Disable Unnecessary Function Codes: If the application does not require certain Modbus functions, use the PLC’s configuration software to disable them. This reduces the attack surface for unsupported function code probes.
- Monitor for Exploitation Attempts: Enable logging on all network devices that sit between potential attackers and the PLC. Watch for a high volume of malformed Modbus requests or responses from PLCs that differ from typical polling patterns.
- Use Secure Protocol Tunnels: Where possible, encapsulate Modbus traffic within an encrypted VPN or leverage Modbus TCP security extensions (which are rare but emerging).
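The deep-packet-inspection and monitoring controls above, as an added example that is not part of the original article: a small passive checker over Modbus TCP frames that flags requests outside a site-specific function-code allowlist and responses longer than their function code permits (an exception response must be exactly two PDU bytes). The allowlist and the sample frames are constructed, not captured traffic.

```python
import struct

ALLOWED_FC = {0x03, 0x04, 0x06, 0x10}   # constructed allowlist for this polling loop

def frame(tid, unit, pdu):
    """Wrap a PDU in an MBAP header (transaction id, protocol 0, length, unit id)."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def expected_response_len(pdu):
    """PDU length a well-formed response must have, or None if we cannot say."""
    fc = pdu[0]
    if fc & 0x80:                            # exception: function|0x80 + exception code
        return 2
    if fc in (0x03, 0x04) and len(pdu) > 1:  # read registers: fc + byte count + data
        return 2 + pdu[1]
    if fc in (0x06, 0x10):                   # write single/multiple: fc + address + value/qty
        return 5
    return None

def check_frame(direction, data):
    """Return a list of findings for one frame; an empty list means it looks normal."""
    if len(data) < 8:
        return ["truncated frame"]
    _tid, proto, length, _unit = struct.unpack(">HHHB", data[:7])
    pdu = data[7:]
    findings = []
    if proto != 0:
        findings.append("non-Modbus protocol id")
    if length != len(data) - 6:
        findings.append("MBAP length mismatch")
    if direction == "req" and pdu[0] not in ALLOWED_FC:
        findings.append(f"unexpected function code 0x{pdu[0]:02x} in request")
    if direction == "rsp":
        exp = expected_response_len(pdu)
        if exp is not None and len(pdu) > exp:
            findings.append(f"response PDU {len(pdu)} bytes, expected {exp}: possible over-read residue")
    return findings

def scan(samples):
    """Run check_frame over (direction, frame) pairs and return (index, finding) tuples."""
    return [(i, f) for i, (d, data) in enumerate(samples) for f in check_frame(d, data)]

SAMPLES = [  # constructed frames, not captured traffic
    ("req", frame(1, 1, b"\x03\x00\x00\x00\x02")),       # normal poll of two registers
    ("rsp", frame(1, 1, b"\x03\x04\x0b\xb8\x01\x2c")),   # normal 4-byte reply
    ("req", frame(2, 1, b"\x41\x00\x00\x00\x02")),       # probe with an unsupported code
    ("rsp", frame(2, 1, b"\xc1\x01\x0b\xb8\x01\x2c")),   # exception reply carrying residue
]
```

Note that the residue-carrying reply has a self-consistent MBAP length field, so a header-only sanity check would pass it; only the per-function expected length catches it.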
For Windows-based engineering workstations, ensure that host-based firewalls are enabled, and that only authorized personnel have the ability to connect to the PLC network. Application whitelisting and endpoint detection can prevent malware that might otherwise bridge air gaps.
The Broader OT Security Landscape
CVE-2025-7745 is not an isolated flaw but a symptom of a systemic issue: legacy industrial protocols designed for reliability, not security. Buffer over-reads, along with buffer overflows, integer overflows, and format string vulnerabilities, regularly plague ICS firmware. A 2024 report by industrial cybersecurity firm Dragos noted a 60% increase in disclosed OT vulnerabilities over the previous two years, many in core devices like PLCs and RTUs.
Recent examples include the Pinnacle Mountain attacks, where threat actors exploited multiple zero-day PLC flaws to execute Stuxnet-like payloads, and the widespread targeting of Schneider Electric Modicon controllers with remote code execution vulnerabilities. In each case, the initial foothold was often a weak node in an otherwise hardened environment—a low-severity issue that chained into a catastrophic breach.
The European Union’s Cyber Resilience Act and the U.S. Cybersecurity Strategy are pushing manufacturers toward secure-by-design principles, but the operational lifespan of industrial equipment (often 15-20 years) means vulnerable legacy devices will persist for decades. The responsibility falls on asset owners to implement defense-in-depth, even when vendors are slow to release patches.
For Windows systems that interact with these devices, regular patch management and configuration hardening are critical. Microsoft has improved OT-aware security features in Windows Server 2022 and Windows 11, such as tighter network isolation policies and enhanced support for IEC 62443 standards. Administrators should align Windows host configurations with ISA/IEC 62443-2-4 and 3-3 guidelines, ensuring that engineering stations are treated as part of the OT security zone.
Steps for Asset Owners
- Inventory and Assess: Identify all ABB AC500 V2 PLCs in your environment. Use network scanning tools like Nmap (with Modbus scripts) to verify firmware versions.
- Prioritize Risk: Evaluate whether the information exposed by a potential leak could impact safety, reliability, or proprietary processes. High-value data or direct internet connections should be addressed first.
- Engage ABB: Open a support case with ABB to obtain the patched firmware and any additional hardening documentation. Confirm that the patch is compatible with your application logic and any third-party integrations.
- Test in a Lab: Deploy the patch in a non-production environment to verify that HMI/SCADA functionality remains intact. Pay special attention to timing-critical processes that might be sensitive to communication disruptions.
- Plan a Maintenance Window: Coordinate with operations to schedule a shutdown or controlled switchover. For redundant systems, apply the patch to the backup PLC first, then fail over to validate.
- Tighten Network Defenses: While waiting for the patch window, implement the compensating controls listed above.
- Update Incident Response Plans: Include scenarios where PLC data leakage leads to lateral movement. Train engineers to recognize anomalous Modbus traffic.
Looking Ahead
The republishing of CVE-2025-7745 is a reminder that the line between IT and OT security continues to dissolve. Windows administrators and controls engineers must work jointly to secure these interconnected systems. As industrial networks adopt more Ethernet-connected devices and cloud-based analytics, the attack surface expands accordingly. The challenge is not only to patch what’s broken but to reimagine industrial communications with security as a foundational requirement.
For the foreseeable future, however, organizations will manage a hybrid landscape where legacy Modbus devices coexist with modern identity-aware proxies. In that environment, vigilance, timely patching, and layered defenses remain the best defense against the next buffer over-read—or something far more severe.