ABB and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have jointly republished an industrial control systems (ICS) advisory for CVE-2025-3756, a denial-of-service vulnerability in ABB’s implementation of the IEC 61850 Manufacturing Message Specification (MMS) communication stack. The flaw affects selected versions of ABB’s flagship distributed control systems (DCS), including System 800xA and Symphony Plus SD Series, which are widely deployed in power generation, water treatment, and other critical infrastructure sectors. The advisory’s reemergence signals heightened urgency—either due to active exploitation, newly discovered attack vectors, or a renewed push for OT asset owners to apply long-overdue mitigations.
The core issue resides in how ABB’s IEC 61850 stack parses certain malformed MMS protocol packets. An unauthenticated attacker with network access to the target device can send a specially crafted request that triggers a parsing error, causing the communication service to crash. Because MMS is integral to real-time data exchange and control commands between intelligent electronic devices (IEDs) and supervisory systems, a successful DoS attack against this service can sever the link between operators and field equipment. The result: operators lose visibility and control, forcing manual intervention or emergency shutdowns.
ABB’s advisory, initially published privately to customers and now amplified by CISA’s ICSA-25-xxx-01 (the specific ICSA identifier was not disclosed in the excerpt but would appear in the official release), emphasizes that no authentication is required to exploit the flaw. A CVSS v4 score has not been released in the excerpt. For reference, an unauthenticated, network-reachable denial of service with no confidentiality or integrity impact maps to the CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which scores 7.5 (High); previous MMS stack vulnerabilities have landed in that bracket. Low attack complexity and the absence of any credential requirement make this an attractive target for threat actors seeking to disrupt operations without needing sophisticated malware.
Affected Systems and Exposure
The advisory calls out two major ABB product lines:
- System 800xA – A comprehensive DCS used in process automation for chemical plants, oil refineries, and power stations. The affected component is likely the connectivity server or data manager that implements the IEC 61850 client and server functionalities.
- Symphony Plus SD Series – ABB’s solution for power generation and water/wastewater control. The MMS stack is embedded in the SD Series controllers and communication interfaces.
Other ABB products that share the same communication stack—such as REC670 and RET670 protection relays, or the RTU500 series—may also be vulnerable. ABB has not confirmed the full list in the republished advisory, but asset owners should audit any ABB device with IEC 61850 MMS enabled.
Exposure is not just theoretical. IEC 61850 is the backbone of modern substation automation and is increasingly used in distributed energy resource (DER) integration. Many ABB devices ship with MMS enabled by default, and network boundaries between corporate IT and OT are notoriously porous. A recent SANS OT survey found that 59% of ICS operators still relied on air gaps that were routinely bridged by dual-homed laptops, USB drives, or misconfigured jump hosts. In such environments, an attacker who compromises a Windows engineering workstation or a misconfigured VPN could reach the MMS service with a simple Python script.
Why Republish? The Threat Landscape Shift
Republishing an ICS advisory is unusual. CISA and vendors typically do this when:
- Active exploitation is observed – The vulnerability may have moved from proof-of-concept to actual attacks. In 2024, Dragos reported a 50% increase in ICS-targeted ransomware that leveraged protocol flaws to halt operations before demanding payment.
- New research changes risk calculus – Security researchers may have published tools or technical analyses that lower the barrier for exploitation. For example, the open-source library libiec61850 has been used to craft custom MMS packets in past assessments.
- Missed patches or growing install base – The advisory’s original publication might have been overlooked, and compliance audits or insurance requirements are now pushing organizations to prioritize it.
Whatever the reason, the republishing transforms CVE-2025-3756 from a low-profile vendor notice into a board-level concern. For Windows-centric IT teams that support OT environments, this is a wake-up call to verify that any Windows-based ABB operator stations, engineering tools, or historian servers are not exposing the vulnerable MMS service—or are at least segmented from untrusted networks.
Technical Deep Dive: IEC 61850 and MMS
IEC 61850 is an international standard for substation automation communication. It defines a layered architecture in which client-server data exchange (reading and writing data objects, file transfer, reporting and control) is mapped onto MMS (ISO 9506), while GOOSE and Sampled Values run directly over Ethernet. MMS is carried over the ISO transport profile on TCP port 102 (TPKT and COTP, RFC 1006), with ISO session and presentation layers beneath the MMS PDU. Those upper layers use ASN.1 BER encoding, whose tag-length-value structure has a long history of parser vulnerabilities: every length field is attacker-controlled and must be checked against the bytes actually received.
In ABB’s implementation, the parsing of certain MMS messages (the advisory excerpt does not name the PDU type; TypeSpecification or ConfirmedServiceRequest structures are plausible candidates) likely lacks a bounds check or is subject to an integer overflow. An attacker could send a packet whose length field does not match the data actually present, driving the parser past the end of its buffer or into an unhandled error path that terminates the communication service. The advisory describes the impact as denial of service only; whether the crash is a controlled abort, an out-of-bounds read, or a memory-corruption bug that simply has not been weaponized is not stated, so treat the DoS classification as the floor rather than the ceiling. Even as a pure DoS this is not a minor nuisance in OT: it strikes the “availability” leg of the CIA triad, which is paramount in safety-critical processes. A collapsed MMS link freezes HMI screens, silences alarms and reports, and blocks operator control commands during a critical event. Note that protection tripping inside an IED is local logic (and GOOSE between IEDs does not use MMS), so a dead MMS service blinds the operator rather than disabling protection itself.
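The length checks the preceding paragraph says are missing, as an added example (this is not ABB's code and is not taken from the advisory): a bounds-checked walker over the TPKT, COTP and ASN.1 BER layers that carry an MMS PDU, of the kind a DPI filter or a fuzzing harness would apply before handing a frame to a protocol stack. Assumptions: only the data-transfer phase is handled (session header `01 00 01 00`), `MAX_DEPTH` is an arbitrary nesting limit, and the sample frame is hand-constructed to resemble an MMS Read request rather than captured from a device.

```python
"""Bounds-checked walker for ISO-over-TCP framing and BER TLVs (added example).
Not ABB's code; sample bytes below are constructed, not captured."""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Finding:
    offset: int   # byte offset in the frame where the problem was detected
    reason: str


MAX_DEPTH = 16  # assumption: no legitimate MMS PDU nests constructed tags deeper than this


def _read_length(buf: bytes, pos: int, end: int, findings: List[Finding]) -> Optional[Tuple[int, int]]:
    """Decode a BER length field at buf[pos]; return (length, next_pos) or None on error."""
    if pos >= end:
        findings.append(Finding(pos, "truncated before length octet"))
        return None
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: single octet
        return first, pos
    if first == 0x80:                     # indefinite form is not used by MMS
        findings.append(Finding(pos - 1, "indefinite-length form, not used by MMS"))
        return None
    n = first & 0x7F                      # long form: n following octets hold the length
    if n > 4 or pos + n > end:
        findings.append(Finding(pos - 1, f"long-form length with {n} octets is oversized or truncated"))
        return None
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _walk(buf: bytes, start: int, end: int, depth: int, findings: List[Finding]) -> None:
    """Walk the BER TLVs in buf[start:end], recursing into constructed tags."""
    if depth > MAX_DEPTH:
        findings.append(Finding(start, f"nesting deeper than {MAX_DEPTH}"))
        return
    pos = start
    while pos < end:
        tag_pos = pos
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:            # high-tag-number form: skip continuation octets
            while pos < end and buf[pos] & 0x80:
                pos += 1
            pos += 1
        res = _read_length(buf, pos, end, findings)
        if res is None:
            return
        length, pos = res
        if length > end - pos:            # the mismatch an unchecked parser reads past
            findings.append(Finding(tag_pos, f"length {length} exceeds {end - pos} octets remaining"))
            return
        if tag & 0x20:                    # constructed: the value is itself a TLV sequence
            _walk(buf, pos, pos + length, depth + 1, findings)
        pos += length


def check_frame(frame: bytes) -> List[Finding]:
    """Return the findings for one TCP-reassembled frame; an empty list means it passed."""
    if len(frame) < 11 or frame[0] != 0x03:
        return [Finding(0, "too short or not TPKT version 3")]
    tpkt_len = int.from_bytes(frame[2:4], "big")
    if tpkt_len != len(frame):
        return [Finding(2, f"TPKT length {tpkt_len} != {len(frame)} bytes received")]
    if frame[4] != 0x02 or frame[5] != 0xF0:          # COTP DT: LI=2, code 0xF0
        return [Finding(4, "not a COTP DT TPDU")]
    if frame[7:11] != b"\x01\x00\x01\x00":            # session Give-Tokens + Data-Transfer
        return [Finding(7, "not a session data-transfer SPDU")]
    findings: List[Finding] = []
    _walk(frame, 11, len(frame), 0, findings)         # presentation + MMS are BER from here
    return findings


def build_frame(ber_payload: bytes) -> bytes:
    """Wrap a BER presentation PDU in session, COTP DT and TPKT headers with a correct length."""
    body = b"\x02\xf0\x80" + b"\x01\x00\x01\x00" + ber_payload
    return b"\x03\x00" + (4 + len(body)).to_bytes(2, "big") + body


# Constructed sample: presentation user-data (0x61) around an MMS confirmed-RequestPDU
# (0xA0) with invokeID 1 and a Read-style request naming "LLN0". Shape is approximate.
MMS_READ = bytes.fromhex("a013" "020101" "a40e" "a10c" "a00a" "3008" "a006" "8004" "4c4c4e30")
GOOD_FRAME = build_frame(bytes.fromhex("611c" "301a" "020103" "a015") + MMS_READ)
# Same PDU, but the Read request's length octet now claims 127 bytes where only 14 remain.
BAD_LENGTH_FRAME = GOOD_FRAME.replace(b"\xa4\x0e", b"\xa4\x7f", 1)
# TPKT header still promises 41 bytes, but the last 6 never arrived.
TRUNCATED_FRAME = GOOD_FRAME[:-6]


def nested_frame(levels: int) -> bytes:
    """Frame whose payload is `levels` constructed tags wrapped around a NULL (length-consistent)."""
    inner = b"\x05\x00"
    for _ in range(levels):
        inner = b"\xa0" + bytes([len(inner)]) + inner
    return build_frame(inner)


if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("bad-length", BAD_LENGTH_FRAME),
                        ("truncated", TRUNCATED_FRAME), ("deep", nested_frame(40))]:
        print(name, check_frame(frame) or "ok")
```

Each check sits where a C stack would otherwise trust the wire value: the TPKT total against the bytes received, every BER length against the bytes left in its enclosing element, and recursion depth against a fixed cap. A real inline filter would additionally reassemble TCP segments before applying this logic, since a PDU split across segments is otherwise indistinguishable from a truncated one.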
Network Segmentation as the First Defense
ABB and CISA both stress that network segmentation is the most effective immediate mitigation. Patching may not be feasible for all devices, especially those running on legacy Windows CE or VxWorks-based controllers that require downtime and extensive regression testing. The advisory likely recommends the following defensive layers:
- Isolate IEC 61850 traffic – Place all IEDs, bay controllers, and station computers on a dedicated OT network segment (VLAN or physical subnet). This segment should have no direct route to the internet or corporate LAN.
- Deploy OT-specific firewalls – Use inline devices with deep packet inspection (DPI) that understand IEC 61850 and can drop malformed MMS PDUs before they reach a controller. Belden’s Tofino Xenon and Fortinet FortiGate with industrial IPS signatures can enforce such rules inline; monitoring platforms such as Nozomi Guardian decode MMS and raise alerts but sit out of band and do not block.
- Harden Windows-based HMIs and servers – If the MMS service runs on a Windows machine (e.g., ABB’s System 800xA Connectivity Server on Windows Server), apply host-based firewalls, disable unused ports, and enforce application whitelisting.
- Monitor OT network traffic – Implement network detection and response (NDR) tools that can alert on abnormal MMS message patterns, such as bursts of malformed packets or unrecognized OID values.
These measures follow the Purdue model for control systems: IEDs and bay controllers at Level 1, station HMIs and gateways at Level 2, site operations at Level 3, and the IT/OT boundary enforced through a Level 3.5 DMZ rather than a flat routed network. For smaller utilities that lack the budget for DPI firewalls, even moving MMS onto a separate switch and using simple ACLs that admit only the station-level hosts that legitimately open MMS sessions can significantly reduce the attack surface.
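Two of the detections the list above asks for, as an added example (not from ABB, CISA or any vendor product): a client outside the approved station-level set reaching TCP 102 in the IED zone, and a burst of malformed MMS PDUs from one source within a short window. The event records, the addresses and the thresholds are constructed for the example; in practice the "verdict" field would come from a protocol parser such as a DPI engine or an NDR sensor.

```python
"""Segmentation and burst detections over constructed MMS connection events (added example)."""

from collections import deque
from ipaddress import ip_address, ip_network
from typing import Deque, Dict, List, Tuple

# Assumed policy: only these station-level hosts may open MMS sessions into the IED zone.
APPROVED_MMS_CLIENTS = [
    ip_network("10.10.30.10/32"),   # connectivity server (assumed address)
    ip_network("10.10.30.11/32"),   # engineering workstation (assumed address)
]
IED_ZONE = ip_network("10.10.40.0/24")   # assumed IEC 61850 VLAN
MMS_PORT = 102
BURST_COUNT = 5                          # malformed PDUs from one source ...
BURST_WINDOW_S = 10.0                    # ... within this many seconds

# Constructed events, time-ordered: (epoch seconds, src, dst, dst_port, parser verdict)
EVENTS: List[Tuple[float, str, str, int, str]] = [
    (1000.0, "10.10.30.10", "10.10.40.21", 102, "ok"),
    (1001.0, "10.10.30.10", "10.10.40.21", 102, "ok"),
    (1002.0, "10.10.20.55", "10.10.40.21", 102, "ok"),         # corporate-side host, not approved
    (1003.0, "10.10.30.11", "10.10.40.22", 102, "malformed"),  # one bad PDU, below threshold
    (1004.0, "10.10.30.11", "10.10.40.22", 102, "ok"),
    (1010.0, "10.10.20.55", "10.10.40.21", 102, "malformed"),
    (1010.5, "10.10.20.55", "10.10.40.21", 102, "malformed"),
    (1011.0, "10.10.20.55", "10.10.40.21", 102, "malformed"),
    (1011.5, "10.10.20.55", "10.10.40.21", 102, "malformed"),
    (1012.0, "10.10.20.55", "10.10.40.21", 102, "malformed"),  # fifth within 10 s
    (1025.0, "10.10.20.55", "10.10.40.21", 102, "malformed"),  # window expired, no new alert
]


def detect(events: List[Tuple[float, str, str, int, str]]) -> List[str]:
    """Return one alert line per policy violation or burst; events must be time-ordered."""
    alerts: List[str] = []
    flagged_sources = set()                         # alert once per unapproved client
    recent: Dict[str, Deque[float]] = {}            # per-source timestamps of malformed PDUs
    for ts, src, dst, port, verdict in events:
        s, d = ip_address(src), ip_address(dst)
        if d in IED_ZONE and port == MMS_PORT:
            approved = any(s in net for net in APPROVED_MMS_CLIENTS)
            if not approved and src not in flagged_sources:
                flagged_sources.add(src)
                alerts.append(f"{ts:.1f} unapproved MMS client {src} -> {dst}:{port}")
        if verdict == "malformed":
            window = recent.setdefault(src, deque())
            window.append(ts)
            while window and ts - window[0] > BURST_WINDOW_S:   # slide the window forward
                window.popleft()
            if len(window) == BURST_COUNT:          # fire exactly when the threshold is crossed
                alerts.append(f"{ts:.1f} {src} sent {BURST_COUNT} malformed MMS PDUs "
                              f"within {BURST_WINDOW_S:.0f}s to {dst}")
    return alerts


if __name__ == "__main__":
    for line in detect(EVENTS):
        print(line)
```

The first rule is the one that matters most for this CVE: if only known station-level hosts can reach port 102, an attacker on a compromised corporate workstation never gets a packet to the vulnerable parser, patched or not. The burst rule is a backstop for the case where an approved host itself is compromised.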
Windows-Specific Considerations
Many ABB software components run on Microsoft platforms. For instance:
- 800xA Base and Operate IT clients often run Windows 10/11 LTSC or Windows Server 2022.
- Symphony Plus Operations also relies on Windows for process windows and trending.
- Engineering tools like Control Builder M and Fieldbus Builder communicate with controllers over MMS.
If the vulnerable MMS stack exists in these Windows services, then a standard Windows security update won’t fix it—you need ABB’s patch. But the broader attack chain might involve an attacker compromising a Windows domain controller or file server that can then reach the OT network. Thus, IT administrators should apply basic Windows hardening: disable SMBv1, enforce LAPS, remove local admin rights from workstations, and segment Windows OT servers from IT AD domains. Microsoft’s Defender for IoT can also monitor for MMS anomalies and integrate with Sentinel for cross-domain detection.
Patching and Long-Term Remediation
ABB has made patches available through its support channels. Asset owners on valid maintenance agreements should be able to download updates that address the parsing flaw. The patch likely involves replacing the MMS PDU parser in the affected binaries. However, validation must include:
- Testing in a non-production environment to ensure the patch does not break existing MMS integrations.
- Staggered rollouts, starting with secondary IEDs or less critical subsystems.
- Fallback plans in case the patch causes communication errors, which might be as disruptive as the DoS itself.
For devices that cannot be patched (e.g., due to hardware constraints or vendor end-of-life), compensating controls are the only option. That includes the network segmentation measures above and possibly disabling MMS if it is not essential. Some utilities run parallel DNP3 or Modbus links for monitoring and use IEC 61850 only for functions like GOOSE messaging; because GOOSE runs directly over Ethernet and does not depend on the MMS service, turning MMS off on such devices removes the vulnerable listener without touching the protection scheme. Confirm first that no SCADA gateway, report subscriber, or engineering tool still relies on MMS to that device.
The Bigger Picture: OT Vulnerability Management
CVE-2025-3756 is not an isolated event. It joins a growing list of protocol-level vulnerabilities in ICS gear. In 2024, Claroty discovered CVE-2024-2362, a heap overflow in Siemens SIPROTEC 5 devices’ IEC 61850 stack, which had a CVSS 9.8. In 2022, Forescout’s OT:ICEFALL report documented 56 vulnerabilities across 10 ICS vendors, many in proprietary protocol stacks. The common thread: these stacks are often ported from decades-old codebases written in C/C++ with minimal fuzzing, and they run on firmware that lacks modern exploit mitigations such as ASLR and stack canaries.
For the Windows community, this serves as a reminder that the familiar patch-management cadence for Windows Server and desktops does not apply to OT assets. Those devices may run real-time operating systems or stripped-down Linux kernels that cannot be easily updated. Consequently, the responsibility shifts to network architecture—exactly what ABB and CISA are emphasizing with this advisory.
Steps for Asset Owners
- Identify affected ABB devices – Locate every device listening on TCP port 102 (the ISO transport port MMS uses). Prefer passive discovery from a SPAN port or existing NDR inventory; if you must scan actively, do it during a maintenance window from inside the OT segment, because an unexpected probe to a fragile stack can trigger the very outage you are trying to prevent. ABB’s Asset Vision or other network management tools can also help.
- Review ABB’s advisory – Contact ABB support for the specific patch and implementation guidance. The CISA advisory will provide the official list of affected model numbers.
- Isolate MMS traffic – Move all IEC 61850 devices to a dedicated VLAN and restrict access to only necessary clients. Apply ACLs at the boundary.
- Deploy OT IDS – Even open-source solutions like Zeek with the IEC 61850 parser can detect malformed packets.
- Test patches in a staging area – If possible, replicate a small-scale substation setup to verify the patch under load.
- Update incident response plans – Ensure that operators know the symptoms of an MMS DoS and have procedures to fail over to manual control.
Republishing an advisory is a signal that the risk has crossed a threshold. For ABB’s System 800xA and Symphony Plus SD users, CVE-2025-3756 is no longer a back-page announcement—it is an operational imperative. With OT network segmentation as the first tangible step, Windows and industrial cybersecurity teams have a clear, actionable path to reduce exposure while patching cycles catch up. The days when protocol bugs stayed hidden in vendor bulletin archives are over; the adversaries are listening, and so must the defenders.