ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax

p a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-132-05.json" strong View CSAF /strong /a /p h2 Summary /h2 p strong ABB became aware of vulnerability in the products versions listed as affected in the advisory. An update is available that resolves publicly reported vulnerability. An attacker who successfully exploited these vulnerabilities could cause a crash, denial-of-service (DoS), or potentially remote code execution. /strong /p p The following versions of ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax are affected: /p ul li AC500 V3 PM5xxx 3.9.0, 3.9.0_HF1 /li /ul div class="csaf-table" table class="tablesaw tablesaw-stack" data-tablesaw-mode="stack" data-tablesaw-minimap thead tr th role="columnheader" data-tablesaw-priority="persist" CVSS /th th role="columnheader" Vendor /th th role="columnheader" Equipment /th th role="columnheader" Vulnerabilities /th /tr /thead tbody tr td v3 9.8 /td td ABB /td td ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax /td td Out-of-bounds Write /td /tr /tbody /table /div h3 Background /h3 ul li strong Critical Infrastructure Sectors: /strong Chemical, Critical Manufacturing, Energy, Water and Wastewater /li li strong Countries/Areas Deployed: /strong Worldwide /li li strong Company Headquarters Location: /strong Switzerland /li /ul hr h2 Vulnerabilities /h2 div class="csaf-accordion" p a class="csaf-accordion-toggle-all" href="#" Expand All + /a /p div class="csaf-accordion-item" h3 a class="csaf-accordion-toggle" href="#" CVE-2025-15467 /a /h3 div class="csaf-accordion-content" p When parsing CMS (Auth)EnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. /p p a href="https://www.cve.org/CVERecord?id=CVE-2025-15467" View CVE Details /a /p hr h4 Affected Products /h4 h5 ABB AC500 V3 Stack Buffer Overflow in Cryptographic Message Syntax /h5 div class="ics-vendor-version-status" div class="ics-vendor" strong Vendor: /strong br ABB /div div class="ics-version" strong Product Version: /strong br ABB AC500 V3 PM5xxx Firmware Version 3.9.0 /div div class="ics-status" strong Product Status: /strong br fixed, known_affected /div /div div class="ics-remediations" h6 Remediations /h6 p strong Vendor fix /strong br The problem is corrected in the following product version: - AC500 V3 firmware version 3.9.0 HF1 ABB recommends that customers apply the update at earliest