BACK TO NEWS
CERT Advisories

Critical Vulnerabilities Exposed in ABB AC500 V3 PLC Systems

2 min readSource: INCIBE-CERT

ABB AC500 V3 PLCs face multiple critical vulnerabilities, risking industrial control system integrity. Patch immediately to prevent exploitation.

ABB AC500 V3 PLCs Affected by Multiple Critical Vulnerabilities

Madrid, Spain – February 25, 2026 – Security researchers have identified multiple critical vulnerabilities in ABB’s AC500 V3 programmable logic controllers (PLCs), posing significant risks to industrial control systems (ICS). The flaws, disclosed by Spain’s National Cybersecurity Institute (INCIBE), could allow attackers to compromise system integrity, execute arbitrary code, or disrupt operations in critical infrastructure sectors.

Technical Details

While specific CVE IDs have not been publicly disclosed at this time, the vulnerabilities are reported to affect core components of the AC500 V3 firmware. Potential attack vectors include:

  • Authentication bypass – Enabling unauthorized access to PLC configurations.
  • Remote code execution (RCE) – Allowing attackers to execute malicious commands on affected devices.
  • Denial-of-service (DoS) – Triggering system crashes or operational disruptions.
  • Information disclosure – Exposing sensitive configuration data or credentials.

The vulnerabilities are particularly concerning for sectors reliant on ABB’s AC500 V3 PLCs, including manufacturing, energy, and water treatment facilities. Exploitation could lead to unauthorized control of industrial processes, safety system failures, or cascading operational disruptions.

Impact Analysis

Successful exploitation of these vulnerabilities could result in:

  • Operational downtime – Disruption of critical industrial processes.
  • Safety risks – Compromise of safety instrumented systems (SIS).
  • Data breaches – Exposure of proprietary or sensitive operational data.
  • Compliance violations – Failure to meet industry regulations (e.g., IEC 62443, NIST SP 800-82).

Given the severity of these flaws, organizations using ABB AC500 V3 PLCs are urged to apply patches or mitigations as soon as they become available. INCIBE recommends monitoring official ABB security advisories for updates.

Recommendations

Security teams should take the following steps to mitigate risks:

  1. Isolate affected systems – Segment PLC networks from corporate IT environments to limit exposure.
  2. Monitor for updates – Follow ABB’s official security advisories for patch releases.
  3. Implement network controls – Restrict access to PLCs using firewalls, VPNs, and strict access policies.
  4. Conduct vulnerability assessments – Scan for signs of exploitation or misconfigurations.
  5. Review incident response plans – Ensure readiness for potential ICS security incidents.

INCIBE has classified this alert as high severity, emphasizing the urgency of remediation. Further details, including CVE assignments and patch availability, are expected in ABB’s forthcoming security bulletin.

For more information, refer to the original advisory from INCIBE.

Share

TwitterLinkedIn