ABB has a high-severity advisory back in circulation after the Cybersecurity and Infrastructure Security Agency (CISA) republished the vendor’s advisory for CVE-2025-3465, a path traversal vulnerability affecting CoreSense HM and CoreSense M10. The advisory, reissued on May 19, 2026, underscores the need for organizations in the food and agriculture sector to apply ABB’s patches promptly. Left unaddressed, the flaw could allow attackers to read files they should never reach, interact with services bound to the localhost interface, and potentially disrupt essential industrial processes.
The Vulnerability at a Glance
CVE-2025-3465 is classified as a path traversal flaw. Such weaknesses allow malicious actors to manipulate file paths and navigate outside the intended directory structure of a web application. In the context of ABB CoreSense, this basic but dangerous bug grants unauthorized read access to files and, critically, enables interaction with services bound to the localhost interface.
ABB assigned a high severity rating to this vulnerability; the CVSS score is not included in the advisory excerpt available here. The combination of directory escape with exposure of localhost-bound services makes the flaw particularly dangerous in operational technology (OT) environments, where controllers and HMIs are often reachable from flat, poorly segmented networks.
Affected Systems and Global Footprint
The advisory specifically identifies CoreSense HM and CoreSense M10. These platforms serve as human-machine interfaces and control units for managing automated processes in food and agriculture production. From grain handling to dairy processing, CoreSense systems orchestrate conveyors, sensors, and actuators that keep supply chains moving.
ABB’s customer base spans dozens of countries, and the affected devices are deployed in production lines, storage facilities, and processing plants worldwide. Because many of these installations run 24/7 and are directly tied to physical output, any disruption from a cyberattack could translate into product spoilage, equipment damage, or even personnel safety risks. The advisory excerpt available here is truncated at “co”; whether that refers to other critical infrastructure sectors where CoreSense is deployed, such as water treatment or energy management, cannot be confirmed from the text at hand.
CISA’s Involvement and Industrial Risk
CISA’s decision to republish ABB’s advisory signals the vulnerability’s significance for national infrastructure. Under the U.S. National Cyber Awareness System, CISA amplifies vendor alerts when they affect systems within the 16 critical infrastructure sectors. Food and agriculture is one of them, and the agency frequently flags ICS flaws that could cause kinetic consequences.
The republished advisory gives the entire community a single point of reference for detection and mitigation. Republication itself is routine: CISA redistributes advisories from vendors such as ABB as part of its ICS advisory program, and the act of republishing is not, on its own, evidence of active exploitation. The urgency comes from the target environment. Industrial control systems have become a prime target for ransomware gangs, state-sponsored groups, and hacktivists, all of whom understand that OT networks are often under-patched and over-exposed.
How the Path Traversal Attack Works
Path traversal, sometimes called directory traversal, exploits insufficient validation of user-supplied file paths by a web server or application. An attacker supplies a request containing sequences such as “../” (dot-dot-slash), often percent-encoded as “%2e%2e%2f” to slip past naive filters, to climb out of the web root and read arbitrary files on the host operating system. For example, a request for http://target/files/../../etc/passwd on a Unix-like system could return the password file if the application joins the supplied path onto its document root without checking where the result lands. (Browsers normalize such URLs before sending them; an attacker uses a tool that sends the raw path as written.)
In the case of CVE-2025-3465, the flaw resides in one of the CoreSense web-based interfaces. The advisory excerpt does not state the privilege level required to trigger it; at a minimum, a user able to reach the interface could traverse directories to read configuration files, private keys, or log files that contain credentials. But the more alarming vector is what happens next.
The Localhost Risk: More Than File Access
While many path traversal reports focus on file disclosure, ABB’s advisory explicitly ties CVE-2025-3465 to localhost risk. Modern ICS devices often run additional services (diagnostic APIs, database interfaces, proprietary communication protocols) that listen only on the loopback address (127.0.0.1) and are therefore shielded from the network under normal conditions. If the vulnerable component also fetches or proxies resources based on the supplied path, the same missing validation can let an attacker point it at those loopback services; even plain file reads can expose the credentials or tokens those services trust, which amounts to the same outcome.
For CoreSense HM and M10, that could mean reaching an internal configuration tool, a Modbus TCP gateway, or a maintenance interface never meant for network clients. From there, an adversary could attempt to alter setpoints, push firmware, or pivot to other controllers on the OT network. The advisory does not lay out a full compromise chain; the point is that a directory traversal with localhost reach gives an attacker the foothold to chain further weaknesses into a system takeover.
Industrial security researchers have long warned that OT web interfaces are overly permissive, and Dragos’s annual OT threat reporting has repeatedly documented HMIs exposed with unauthenticated web access. Combining such exposure with a path traversal bug that reaches localhost is a recipe for compromise.
Mitigation and Patch Details
ABB has released updated software versions that address CVE-2025-3465. The advisory excerpt does not describe the code changes; a fix for this bug class normally means canonicalizing the requested path and confining it to the intended directory, and a thorough one also stops treating loopback-only services as implicitly trusted, since that is the exploitation path with the most damaging consequences.
Owners of CoreSense HM and CoreSense M10 should immediately:
- Download the latest firmware from ABB’s support portal.
- Verify file integrity using the provided checksums.
- Apply the update during a planned maintenance window.
- Reboot the device and confirm the patch level through the administrative interface.
Where patching cannot happen immediately, the standard interim measures are to disable the web interface if operations allow, or to restrict access to it with firewall rules that permit only trusted management hosts; consult ABB’s advisory for any vendor-specific workaround. Such measures may impair remote monitoring, so they should be treated as temporary.
CISA recommends that critical infrastructure owners also:
- Maintain an accurate asset inventory of all CoreSense devices.
- Implement network segmentation between corporate IT and OT networks.
- Deploy intrusion detection signatures that look for path traversal attempts.
- Review logs for any evidence of past exploitation, such as repeated requests containing “../” or its percent-encoded forms (for example “%2e%2e%2f”), paying particular attention to any that returned 200 rather than 404.
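The log-review step above, as an added example that is not part of the advisory or of any ABB tooling: a small scanner over constructed Apache-style access log lines that decodes each request path (repeatedly, to catch double-encoding) before looking for a dot-dot segment, ignores filenames that merely contain “..” (such as “report..v2.pdf”), and separates attempts that returned 200 from the noise of 404s. The IP addresses, timestamps and paths are constructed sample data, and the log format is an assumption about what the device or a fronting proxy records.

```python
"""Hunt for path traversal attempts in web access logs.

Added example, not vendor tooling. SAMPLE_LOG is constructed data in
Apache combined-style format; real CoreSense log formats may differ.
"""
import re
from collections import Counter
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.5.23 - - [19/May/2026:08:14:02 +0000] "GET /files/../../etc/passwd HTTP/1.1" 404 196
10.0.5.23 - - [19/May/2026:08:14:05 +0000] "GET /files/..%2f..%2fetc%2fpasswd HTTP/1.1" 404 196
10.0.5.23 - - [19/May/2026:08:14:09 +0000] "GET /files/%2e%2e/%2e%2e/config/device.xml HTTP/1.1" 200 4821
10.0.5.40 - - [19/May/2026:08:15:00 +0000] "GET /files/report..v2.pdf HTTP/1.1" 200 88213
192.168.1.7 - - [19/May/2026:08:20:31 +0000] "GET /files/%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 196
10.0.5.40 - - [19/May/2026:08:21:10 +0000] "POST /api/login HTTP/1.1" 200 57
"""

# Common/combined log prefix: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." that is a whole path segment, bounded by / or \ (or string ends).
# "report..v2.pdf" does not match; "/../", "\..\", "../x" and "x/.." do.
DOTDOT_SEGMENT = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def is_traversal(path: str) -> bool:
    decoded = decode_fully(path)
    return bool(DOTDOT_SEGMENT.search(decoded)) or "\x00" in decoded


def scan(log_text: str) -> list[dict]:
    """Returns one finding per request whose decoded path contains a traversal segment."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_traversal(m["path"]):
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "raw_path": m["path"],
            "decoded_path": decode_fully(m["path"]),
            "status": int(m["status"]),
        })
    return findings


def summarize(findings: list[dict]) -> tuple[Counter, list[dict]]:
    """Attempts per source IP, and the subset that the server answered with 200."""
    by_ip = Counter(f["ip"] for f in findings)
    successes = [f for f in findings if f["status"] == 200]
    return by_ip, successes


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    per_ip, hits = summarize(found)
    for ip, n in per_ip.most_common():
        print(f"{ip}: {n} traversal attempt(s)")
    for f in hits:
        print(f"SUCCESSFUL READ? {f['ip']} {f['ts']} {f['decoded_path']}")
```

A 404 tells you someone is probing; a 200 on a decoded path that leaves the document root is the line to escalate, because on a device like an HMI that response may have handed over a configuration file or key. Run the same scan against proxy or firewall logs in front of the device, since an embedded web server may keep little or no access history of its own.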
Strengthening Industrial Cyber Resilience
CVE-2025-3465 is another reminder that industrial control systems inherit the same web application risks that have plagued enterprise IT for decades. Vendors often prioritize functionality and ease of use over secure coding, leaving critical processes exposed to preventable bugs.
For food and agriculture companies, the stakes are unusually high. A successful attack could halt production at a soybean processing plant, contaminate a batch of milk, or trigger an ammonia leak in a cold storage facility. The financial cost of a single day of downtime can exceed $1 million in large-scale operations, not to mention reputational damage and regulatory penalties.
Security teams should use this advisory to revisit their patching cadence. As more ICS vendors adopt web-based interfaces, the attack surface for path traversal, cross-site scripting, and authentication bypass grows. Regular vulnerability scanning, coupled with network monitoring for anomalous outbound connections from HMIs, can catch exploitation attempts early.
Industry organizations like the International Society of Automation (ISA) and the Food and Agriculture ISAC (Food and Ag-ISAC) offer guidance on securing OT environments. Wherever possible, operators should move toward zero-trust architectures that assume breach and verify every interaction, including those that arrive over localhost.
Conclusion
The republishing of ABB’s advisory by CISA on May 19, 2026, turns a routine vendor patch into an urgent call to action. CVE-2025-3465 marries a classic web vulnerability with the high-stakes reality of industrial control, directly threatening the availability and safety of food and agriculture systems. Patch immediately, segment your networks, and start hunting for signs of exploitation. In the industrial domain, a single unpatched HMI can be the difference between normal operations and a front-page security incident.