PatchSiren cyber security CVE debrief
CVE-2025-15467 ABB CVE debrief
CVE-2025-15467 is a critical memory-safety flaw in ABB AC500 V3 PM5xxx firmware handling CMS (Auth)EnvelopedData. ABB and CISA state that malformed AEAD parameters can trigger a stack-based out-of-bounds write before authentication or tag verification, and ABB’s fix is firmware 3.9.0 HF1. Because no workaround is available, affected operators should treat this as an immediate patch item.
- Vendor: ABB
- Product: AC500 V3
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-12
- Original CVE updated: 2026-05-12
- Advisory published: 2026-03-12
- Advisory updated: 2026-05-12
Who should care
Owners and operators of ABB AC500 V3 PM5xxx PLCs, OT/ICS security teams, plant engineers, and patch managers responsible for ABB AC500 V3 firmware deployments—especially systems processing CMS (Auth)EnvelopedData or other untrusted cryptographic messages.
Technical summary
The advisory describes a parser bug in CMS (Auth)EnvelopedData handling for AEAD ciphers such as AES-GCM. The IV from ASN.1 parameters is copied into a fixed-size stack buffer without checking that the IV length fits, creating a stack-based out-of-bounds write. The write occurs before authentication/tag verification, so valid key material is not required to reach the faulty path. The supplied source rates the issue CVSS 3.1 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
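The length check that this class of bug lacks, shown as an added example (not ABB's firmware code and not taken from the advisory): a minimal DER parser for the RFC 5084 GCMParameters structure that rejects a nonce larger than the destination buffer before copying. The function names, the 16-byte buffer size and the sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_BUF_LEN 16 /* assumed size of the fixed IV buffer; not from the advisory */

/* Read a DER definite length (short form, or long form of 1-2 bytes). */
static int read_len(const uint8_t **p, const uint8_t *end, size_t *out)
{
    if (*p >= end) return -1;
    uint8_t b = *(*p)++;
    if (b < 0x80) { *out = b; return 0; }
    size_t n = b & 0x7f;
    if (n == 0 || n > 2 || (size_t)(end - *p) < n) return -1;
    for (*out = 0; n > 0; n--) *out = (*out << 8) | *(*p)++;
    return 0;
}

/* Parse GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, ... } (RFC 5084)
 * and copy the nonce into iv. Returns the nonce length, or -1 on rejection. */
int parse_gcm_iv(const uint8_t *der, size_t n, uint8_t iv[IV_BUF_LEN])
{
    const uint8_t *p = der, *end = der + n;
    size_t seq_len, iv_len;

    if (p >= end || *p++ != 0x30 || read_len(&p, end, &seq_len)) return -1;
    if (seq_len > (size_t)(end - p)) return -1;
    end = p + seq_len;
    if (p >= end || *p++ != 0x04 || read_len(&p, end, &iv_len)) return -1;
    if (iv_len > (size_t)(end - p)) return -1; /* claimed length must fit the input */
    /* Flaw class described above: omitting this check lets memcpy write past iv[]. */
    if (iv_len == 0 || iv_len > IV_BUF_LEN) return -1;
    memcpy(iv, p, iv_len);
    return (int)iv_len;
}

/* Constructed samples: a 12-byte nonce with ICVlen 16, and a 32-byte nonce. */
const uint8_t SAMPLE_OK[] = {0x30, 0x11, 0x04, 0x0c, 0, 1, 2, 3, 4, 5,
                             6, 7, 8, 9, 10, 11, 0x02, 0x01, 0x10};
const uint8_t SAMPLE_BIG[36] = {0x30, 0x22, 0x04, 0x20}; /* rest zero */

int main(void)
{
    uint8_t iv[IV_BUF_LEN];
    printf("ok=%d big=%d\n", parse_gcm_iv(SAMPLE_OK, sizeof SAMPLE_OK, iv),
           parse_gcm_iv(SAMPLE_BIG, sizeof SAMPLE_BIG, iv));
    return 0;
}
```

The size check runs while the parameters are being parsed, before any decryption or tag verification, which is the same point at which the advisory places the unchecked copy.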
Defensive priority
Immediate patch priority
Recommended defensive actions
- Upgrade ABB AC500 V3 firmware to version 3.9.0 HF1 as soon as operationally possible.
- Verify which AC500 V3 PM5xxx devices are running firmware 3.9.0 or otherwise exposed to the affected code path.
- If immediate patching is not possible, reduce exposure of systems that accept or process untrusted CMS messages and tighten OT network segmentation.
- Follow ABB’s general security recommendations for keeping the system secure.
- Because the advisory lists no workaround, use compensating controls only as a temporary measure until the fix is deployed.
Evidence notes
The CISA CSAF advisory ICSA-26-132-05 states the vulnerability description, CVSS vector, and that the issue is corrected in ABB AC500 V3 firmware 3.9.0 HF1 with no workaround available. The corpus also includes ABB PSIRT and ABB download references for the fixed firmware, plus the official CVE and NVD records. The CVE was published on 2026-03-12 and modified/republished in the source on 2026-05-12.
Official resources
- CVE-2025-15467 CVE record (CVE.org)
- CVE-2025-15467 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Initial CVE publication date: 2026-03-12T00:30:00.000Z. Source record modified and CISA republication date: 2026-05-12T05:00:00.000Z. This debrief uses the CVE publication date for timing context.