PatchSiren cyber security CVE debrief
CVE-2025-41691 ABB CVE debrief
CVE-2025-41691 is a high-severity denial-of-service issue in the ABB AC500 V3 runtime system's CmpDevice component. According to the advisory, unauthenticated attackers can send specially crafted communication requests that trigger a NULL pointer dereference and disrupt availability. The same issue is also described as affecting systems when outdated clients attempt to log in. ABB states the issue is corrected in firmware version 3.9.0 and that no workaround is available.
- Vendor: ABB
- Product: AC500 V3
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-24
- Original CVE updated: 2026-05-12
- Advisory published: 2026-02-24
- Advisory updated: 2026-05-12
Who should care
OT/ICS teams responsible for ABB AC500 V3 PLCs, especially environments running firmware earlier than 3.9.0, should treat this as a priority availability issue. Plant operators, control-system engineers, and asset owners should also care if remote or network-accessible communication paths exist, or if outdated clients are still used for authentication or management.
Technical summary
The source advisory describes a vulnerability in the runtime system's CmpDevice component that allows unauthenticated denial-of-service conditions through specially crafted communication requests. The failure mode is a NULL pointer dereference, and the advisory also notes impact when outdated clients attempt to log in. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, consistent with a network-reachable availability impact only. The remediation listed by the vendor is AC500 V3 firmware 3.9.0; no workaround is available.
Defensive priority
High. This is a network-reachable, unauthenticated availability issue in industrial control equipment with no workaround, so exposure should be reduced and patching should be prioritized where operationally feasible.
Recommended defensive actions
- Upgrade ABB AC500 V3 systems to firmware version 3.9.0 as soon as maintenance windows allow.
- Confirm whether the affected devices are reachable over networks that include untrusted or broad-access segments and reduce exposure where possible.
- Review whether any outdated clients are still used to log in to the affected systems and replace or update them.
- Follow the vendor's general security recommendations and CISA industrial control system defensive guidance while planning the remediation.
- Validate the firmware update path through Automation Builder 2.9.0 before deployment and schedule downtime to minimize operational risk.
Evidence notes
CISA's CSAF advisory ICSA-26-132-03, published 2026-02-24 and modified 2026-05-12, states that the runtime system's CmpDevice component can be crashed by unauthenticated specially crafted communication requests causing a NULL pointer dereference. The advisory also notes impact when outdated clients attempt to log in. Remediation is listed as AC500 V3 firmware 3.9.0, and the advisory explicitly says no workaround is available. The supplied CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The source item metadata indicates a low-confidence vendor attribution and marks the vendor field as needing review.
Official resources
- CVE-2025-41691 CVE record (CVE.org)
- CVE-2025-41691 NVD detail (NVD)
- Source item URL (cisa_csaf)
Initial public advisory publication date: 2026-02-24. CISA later republished the advisory on 2026-05-12 as an initial republication of ABB PSIRT advisory 3ADR011524; those dates come from the supplied CVE/source timeline and should be used,