EUVD-2025-209425CVSS VectorNVD
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
A vulnerability exists in the command handling of the IEC 61850 communication stack included in the product revisions listed as affected in this CVE. An attacker with access to IEC 61850 networks could exploit the vulnera bility by using a specially crafted 61850 packet, forcing the communication interfaces of the PM 877, CI850 and CI868 modules into fault mode or causing unavailability of the S+ Operations 61850 connectivity, resulting in a denial-of-service situation.
The System 800xA IEC61850 Connect is not affected. Note: This vulnerability does not impact on the overall availability and functionality of the S+ Operations node, only the 61850 communication function.
This issue affects AC800M (System 800xA): from 6.0.0x through 6.0.0303.0, from 6.1.0x through 6.1.0031.0, from 6.1.1x through 6.1.1004.0, from 6.1.1x through 6.1.1202.0, from 6.2.0x through 6.2.0006.0; Symphony Plus SD Series: A_0, A_1, A_2.003, A_3.005, A_4.001, B_0.005; Symphony Plus MR (Melody Rack): from 3.10 through 3.52; S+ Operations: 2.1, 2.2, 2.3, 3.3.
AnalysisAI
Denial-of-service in ABB industrial control system products (AC800M, Symphony Plus SD/MR, S+ Operations) allows attackers on adjacent IEC 61850 networks to crash communication modules via malformed protocol packets. The vulnerability affects critical infrastructure PLCs and SCADA systems widely deployed in power substations and industrial automation. CVSS 7.1 (High) but low EPSS (0.02%) indicates limited attacker interest to date. No public exploit identified at time of analysis, and CISA SSVC a
Technical ContextAI
IEC 61850 is the international standard for electrical substation automation and communication in power systems. The affected ABB products-AC800M controllers (System 800xA DCS platform), Symphony Plus SD/MR (distributed I/O and rack-mount controllers), and S+ Operations (engineering/operator interface)-implement IEC 61850 stacks for GOOSE messaging, MMS protocol services, and substation integration. CWE-1284 (Improper Validation of Specified Quantity in Input) indicates the vulnerability stems from insufficient bounds checking or type validation when parsing IEC 61850 protocol frames. Specifically, PM 877 CPU modules, CI850/CI868 communication interfaces process malformed packets without proper input sanitization, triggering fault states in the communication subsystem. The flaw is confined to the IEC 61850 parsing layer and does not propagate to core controller logic or the broader System 800xA infrastructure.
RemediationAI
Apply vendor-released patches per ABB Security Advisory 7PAA020125 available at https://search.abb.com/library/Download.aspx?DocumentID=7PAA020125&LanguageCode=en&DocumentPartId=&Action=Launch. The advisory provides firmware updates and configuration guidance for affected AC800M, Symphony Plus SD/MR, and S+ Operations product lines. Until patching is complete, implement network-level mitigations: enforce strict segmentation between corporate IT and IEC 61850 OT networks using industrial firewalls or unidirectional gateways, restrict IEC 61850 traffic to authorized devices only via MAC/IP allowlisting on managed switches, deploy intrusion detection systems (IDS) with IEC 61850 protocol parsers to detect malformed packets, and monitor PM 877/CI850/CI868 module status for unexpected fault transitions. Disable IEC 61850 services on modules where the protocol is not operationally required. For S+ Operations nodes, isolate 61850 connectivity to dedicated VLANs with no external routing.
Share
External POC / Exploit Code
Leaving vuln.today