ABB AC500 V3 PLC Vulnerabilities Allow Access Bypass, Key Theft, and DoS
ABB has disclosed multiple vulnerabilities in its AC500 V3 programmable logic controllers (PLCs). They could allow unauthenticated remote attackers to bypass user management and read visualization files (CVE-2025-2595), to read and write certificates and cryptographic keys (CVE-2025-41659), or to cause a denial of service (DoS) through a NULL pointer dereference (CVE-2025-41691). The affected versions are AC500 V3 prior to 3.9.0, and the vulnerabilities carry CVSS v3 scores of up to 8.3.

The exposed visualization files contain only static data such as text lists or images, not live data. The runtime system vulnerability allows low-privileged attackers to access the PKI folder via the CODESYS protocol, compromising the cryptographic material stored there. The DoS issue is triggered by specially crafted communication requests or by outdated client login attempts.

ABB has released firmware version 3.9.0 to address these issues. CISA recommends minimizing network exposure, using firewalls, and isolating control system networks from business networks. No active exploitation has been reported.
Key facts
- Three vulnerabilities in ABB AC500 V3 PLCs prior to version 3.9.0.
- CVE-2025-2595 allows unauthenticated bypass of user management to read visualization files.
- CVE-2025-41659 enables low-privileged attackers to read/write certificates and keys.
- CVE-2025-41691 causes denial-of-service via NULL pointer dereference.
- ABB released firmware 3.9.0; no active exploitation reported.
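The remediation above boils down to one check per controller: is the firmware older than 3.9.0? The following Python helper, added to this summary and not code from ABB or CISA, parses AC500 firmware version strings from an asset inventory and sorts the assets into affected, fixed, and needs-manual-review buckets. The inventory, hostnames, and version strings are constructed for the example, and it assumes that only major version 3 (the V3 product line named in the advisory) is in scope, so other major versions are reported as unknown rather than guessed at.

```python
"""Triage helper for the ABB AC500 V3 advisory.

Flags assets whose firmware is older than the fixed release 3.9.0.
Example code added to this summary; the inventory below is constructed,
not taken from ABB or CISA material.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

FIXED_VERSION = (3, 9, 0)  # first AC500 V3 firmware containing the fixes

# CVE identifiers and one-line impact, as stated in the advisory summary
ADVISORY_CVES = {
    "CVE-2025-2595": "unauthenticated read of visualization files",
    "CVE-2025-41659": "read/write of certificates and keys via CODESYS protocol",
    "CVE-2025-41691": "denial of service via NULL pointer dereference",
}

# Accepts '3.8.2', 'V3.7', '3.9.0.1'; an optional leading V and 2-4 numeric parts
_VERSION_RE = re.compile(r"^[vV]?(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse a firmware version string into a comparable 4-tuple.

    Missing patch/build components default to 0. Returns None when the
    string is not a recognizable version (e.g. 'n/a' or an empty field).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is an AC500 V3 release prior to 3.9.0.

    False for 3.9.0 or later (including 4-part builds such as 3.9.0.1).
    None for unparseable strings or for majors other than 3: the advisory
    names the V3 line only (assumption), so those need a manual check.
    """
    v = parse_version(version)
    if v is None or v[0] != 3:
        return None
    return v[:3] < FIXED_VERSION


class Asset(NamedTuple):
    name: str
    firmware: str


def triage(inventory: List[Asset]) -> dict:
    """Group assets into 'affected', 'fixed', and 'unknown' buckets by name."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for asset in inventory:
        status = is_affected(asset.firmware)
        key = "unknown" if status is None else ("affected" if status else "fixed")
        result[key].append(asset.name)
    return result


# Constructed sample inventory: hostnames and versions are invented for this example
SAMPLE_INVENTORY = [
    Asset("plc-line1", "3.8.2"),
    Asset("plc-line2", "V3.9.0"),
    Asset("plc-line3", "3.7"),
    Asset("plc-packaging", "3.9.0.1"),
    Asset("plc-legacy", "2.8.3"),
    Asset("plc-unknown", "n/a"),
]

if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY)
    for bucket, names in report.items():
        print(f"{bucket}: {', '.join(names) or '-'}")
    if report["affected"]:
        print("Affected hosts should be updated to 3.9.0; until then, review exposure to:")
        for cve, impact in ADVISORY_CVES.items():
            print(f"  {cve}: {impact}")
```

Unknown entries are deliberately not treated as fixed: an inventory field that cannot be parsed, or a controller from another product line, should be confirmed by hand rather than silently dropped from the patch list.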