CISA advisory ICSA-26-135-04 covers CVE-2026-5817, a critical unauthenticated remote code execution vulnerability in ABB’s AC500 PLC series. The flaw resides in the Modbus TCP server component and can be triggered by sending a malformed Modbus TCP packet to the default Modbus port (TCP 502). Successful exploitation allows an attacker to execute arbitrary code on the PLC’s real-time operating system, with the potential to modify ladder logic, disrupt process control, or use the PLC as a pivot point into the OT network segment.
The ABB AC500 in Industrial Environments
The AC500 is ABB’s mid-to-upper-range PLC platform, deployed widely across European manufacturing, pulp and paper production, water and wastewater treatment, renewable energy control, and food and beverage processing. AC500 units handle closed-loop process control, motor drive coordination, safety interlocking (in non-SIL-rated configurations), and communication with SCADA systems via Modbus TCP, PROFIBUS, EtherNet/IP, and IEC 61850.
Its Modbus TCP implementation is a common integration point: many SCADA historians, HMI systems, and third-party devices use Modbus TCP to read process values from AC500 PLCs. This makes TCP 502 a common open port on AC500 devices across industrial networks — and the vector for this vulnerability.
Vulnerability Detail
CVE-2026-5817 — Modbus TCP Server Stack Overflow (CVSS 9.8)
A stack-based buffer overflow exists in the AC500’s Modbus TCP server when processing certain function code requests with oversized data fields. An attacker who can send a crafted Modbus TCP packet to TCP port 502 on the PLC can trigger the overflow. The overflow condition overwrites the stack in a way that allows control of the instruction pointer, enabling arbitrary code execution.
No authentication is required to reach TCP 502 in a standard AC500 configuration — Modbus TCP does not include authentication by design, and the AC500 does not enforce access controls on Modbus connections by default.
Affected firmware versions: AC500 V3 firmware prior to 3.0.4.0, AC500 V2 firmware prior to 2.8.6.0. Legacy AC500 V1 devices are end-of-life and will not receive a patch.
ABB has published a firmware update addressing the vulnerability. CISA rates the flaw CVSS 9.8 and notes that exploitation does not require user interaction.
Exploitation Context
The Modbus TCP protocol has no built-in authentication mechanism. It was designed for closed, trusted networks — a design assumption that no longer holds in environments where PLCs are reachable from shared OT networks, remote access infrastructure, or (in misconfigured deployments) corporate IT segments or the internet.
For an attacker already inside an OT network segment — whether through a compromised IT system, a phished engineering workstation credential, or a compromised vendor remote access account — a Modbus-based RCE in a PLC requires only a packet to TCP 502. The attacker does not need PLC engineering credentials, does not need to know the PLC’s project structure, and does not need a vendor tool.
Remediation
Firmware update to AC500 V3 firmware 3.0.4.0 or V2 firmware 2.8.6.0. ABB has made firmware available through its secure download portal.
Access control at the network layer — restrict TCP 502 access using the OT network firewall or managed switch ACLs to permit only legitimate Modbus master devices (historians, HMIs, SCADA servers) to initiate connections. This does not remediate the vulnerability but eliminates direct exploitation from unauthorised sources.
Audit Modbus TCP exposure — identify all AC500 devices on the network and confirm they are not reachable from corporate IT networks, jump hosts, or the internet. Shodan and similar tools regularly index Modbus-exposed PLCs; verify your devices are not among them.
AC500 V1 EoL devices — devices running AC500 V1 firmware will not receive a patch. ABB recommends hardware replacement or, where not immediately feasible, stringent network isolation and enhanced monitoring as compensating controls.
Change freeze post-patch — following firmware updates, perform a full functional verification of PLC-controlled processes before returning to production. PLC firmware updates can in rare cases affect ladder logic execution or communication timing.
References
- CISA Advisory ICSA-26-135-04: https://www.cisa.gov/ics-advisories
- ABB Product Security Advisory: https://search.abb.com/library/Download.aspx
- ICS-CERT Modbus TCP security guidance: https://www.cisa.gov/ics