Industrial automation giant ABB has disclosed a critical missing authentication vulnerability (CVE-2025-9574) affecting its ALS-mini-S4/S8 IP intelligent load controllers, which are deployed in energy management and load optimization systems. The flaw allows unauthenticated remote attackers to access and modify device configurations via the embedded web interface — potentially disrupting power distribution or energy efficiency operations in industrial facilities.
ABB has confirmed that the affected products reached end-of-support status, meaning no future security patches will be released.
The advisory explains that the flaw resides in the embedded web server of ALS-mini-S4/S8 IP controllers, which lacks access control mechanisms.
“A vulnerability exists in the embedded web server included in the product(s) listed above where the embedded web server lacks access control. An attacker could exploit the vulnerability by merely accessing the wrongly configured ALS-mini-S4/S8 IP controllers in the network.”
This makes it possible for attackers to connect to the web server without any form of authentication, viewing and altering operational parameters remotely.
The issue is tracked as CVE-2025-9574, categorized under CWE-306: Missing Authentication for Critical Function, with a CVSS v3.1 base score of 9.1 and a CVSS v4.0 score of 9.9, indicating critical severity.
“Specifically, an attacker can read and modify product configuration parameters without being authenticated.”
The vulnerability affects all ALS-mini-S4 IP and ALS-mini-S8 IP controllers within the following range:
| Product | Firmware Version | Serial Number Range |
|---|---|---|
| ALS-mini-S4 IP | All versions | 2000–5166 |
| ALS-mini-S8 IP | All versions | 2000–5166 |
ABB emphasized that these products are end-of-life (EoL) and will not receive further security updates or vulnerability fixes. Customers relying on these devices must therefore implement network isolation and workarounds to mitigate the exposure risk.
An attacker with network access could exploit the vulnerability by connecting directly to an exposed ALS-mini controller — either through an improperly configured firewall or via malware within the same operational network.
ABB warns:
“An attacker could exploit the vulnerability by merely accessing the wrongly configured ALS-mini-S4/S8 IP controllers in the network. This would mean that the product is exposed to the public Internet, or the attacker has access to the system network.”
While no exploitation reports have been confirmed to date, ABB acknowledges that the exposure could allow complete device takeover, including unauthorized configuration changes and potential load control manipulation.
To reduce risk, ABB recommends strict network segmentation and firewall enforcement to ensure that ALS-mini devices are isolated from the public Internet and only accessible from whitelisted IP addresses.
Additional recommended controls include:
- Monitoring access attempts via IDS/IPS systems.
- Enabling alerts for connections from non-whitelisted hosts.
- Ensuring all surrounding systems are patched and hardened.
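As an added illustration of the alerting control listed above (example code written for this page, not code from ABB or the advisory), the following Python script scans constructed firewall log lines and raises an alert for every connection attempt to an ALS-mini controller's web port from a host outside the allowlist; the log format, the controller and allowlist addresses, and the ports are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed firewall-style log lines (not taken from the advisory); the
# format and all addresses are assumptions. One TCP connection attempt per line.
SAMPLE_LOG = """\
2025-09-10T08:01:12Z ACCEPT TCP 10.20.0.15:51234 -> 10.20.5.40:80
2025-09-10T08:02:03Z ACCEPT TCP 10.20.0.16:51240 -> 10.20.5.40:80
2025-09-10T08:05:44Z ACCEPT TCP 198.51.100.23:40222 -> 10.20.5.40:80
2025-09-10T08:06:10Z ACCEPT TCP 10.20.0.99:40223 -> 10.20.5.40:80
2025-09-10T08:07:30Z ACCEPT TCP 10.20.0.99:40224 -> 10.20.5.41:443
2025-09-10T08:09:02Z DROP TCP 203.0.113.7:33001 -> 10.20.5.40:443
this line is malformed and must be skipped
"""

# Hypothetical placeholders: the controller's address, the subnet of hosts
# allowed to reach its web interface, and the web interface ports.
CONTROLLERS = {ipaddress.ip_address("10.20.5.40")}
ALLOWLIST = ipaddress.ip_network("10.20.0.0/27")  # engineering workstations
WEB_PORTS = {80, 443}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) TCP (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    action: str  # ACCEPT or DROP: blocked attempts are still worth alerting on
    src: str
    dst: str
    dport: int


def find_unauthorised_access(log_text: str) -> list:
    """Return one Alert per connection attempt to a controller's web port
    whose source address lies outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        dport = int(m["dport"])
        if dst in CONTROLLERS and dport in WEB_PORTS and src not in ALLOWLIST:
            alerts.append(Alert(m["ts"], m["action"], str(src), str(dst), dport))
    return alerts


if __name__ == "__main__":
    for a in find_unauthorised_access(SAMPLE_LOG):
        print(f"ALERT {a.ts} [{a.action}] {a.src} -> {a.dst}:{a.dport} outside allowlist")
```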
ABB also provides a simple workaround for operators who do not use the embedded web interface. The company notes, however, that applying it will disable remote configuration, alarm monitoring, and load status visualization, though core load control functions will remain operational.