CODESYS RTS Integration in ABB ACS880 Drives: A Comprehensive Analysis
1. EXECUTIVE SUMMARY
The integration of CODESYS Real-Time System (RTS) in ABB’s ACS880 drives has raised significant attention due to the vulnerabilities identified in the Hitachi Energy RTU500 series, which could potentially impact the operational integrity of these drives. The vulnerabilities, rated with a CVSS v4 score of 8.7, are characterized by their remote exploitability and low attack complexity. This report delves into the implications of these vulnerabilities, the affected products, and the necessary mitigations to safeguard against potential threats.
- CVSS v4 8.7: Indicates a high severity level for the vulnerabilities.
- ATTENTION: Vulnerabilities are exploitable remotely with low attack complexity.
- Vendor: Hitachi Energy, responsible for the RTU500 series.
- Equipment: RTU500 series, which may interface with ABB ACS880 drives.
- Vulnerabilities: Include Null Pointer Dereference, Insufficient Resource Pool, and Missing Synchronization.
2. RISK EVALUATION
The successful exploitation of these vulnerabilities could lead to a denial-of-service (DoS) condition, severely impacting the operational capabilities of systems utilizing the affected RTU500 series. Given the critical role of these systems in energy management and automation, the potential for disruption poses a significant risk to both operational efficiency and safety.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The vulnerabilities primarily affect the following versions of the Hitachi Energy RTU500 series CMU:
- RTU500 series CMU: Versions 12.0.1 – 12.0.14 (CVE-2024-10037)
- RTU500 series CMU: Versions 12.2.1 – 12.2.12 (CVE-2024-10037)
- RTU500 series CMU: Versions 12.4.1 – 12.4.11 (CVE-2024-10037)
- RTU500 series CMU: Versions 12.6.1 – 12.6.10 (CVE-2024-10037)
- RTU500 series CMU: Versions 12.7.1 – 12.7.7 (CVE-2024-10037)
- RTU500 series CMU: Versions 13.2.1 – 13.2.7 (CVE-2024-10037)
- RTU500 series CMU: Versions 13.4.1 – 13.4.4 (CVE-2024-10037, CVE-2024-11499, CVE-2024-12169)
- RTU500 series CMU: Versions 13.5.1 – 13.5.3 (CVE-2024-10037, CVE-2024-11499, CVE-2024-12169)
- RTU500 series CMU: Versions 13.6.1 (CVE-2024-10037, CVE-2024-11499, CVE-2024-12169)
- RTU500 series CMU: Versions 13.7.1 (CVE-2024-11499)
- RTU500 series CMU: Versions 13.7.1 – 13.7.4 (CVE-2024-12169, CVE-2025-1445)
3.2 VULNERABILITY OVERVIEW
3.2.1 NULL POINTER DEREFERENCE CWE-476
This vulnerability exists in the RTU500 web server component, which can lead to a denial of service if a specially crafted message sequence is executed on a WebSocket connection. An attacker must be authenticated, and the test mode function of RTU500 must be enabled to exploit this vulnerability. The affected CMU will automatically recover if the vulnerability is successfully exploited.
CVE-2024-10037 has been assigned to this vulnerability, with a CVSS v3 base score of 4.9 and a CVSS v4 score of 5.9.
3.2.2 NULL POINTER DEREFERENCE CWE-476
This vulnerability allows an authenticated attacker to perform a CMU restart if certificates are updated while in use on active connections. The affected CMU will also automatically recover if exploited.
CVE-2024-11499 has a CVSS v3 base score of 4.9 and a CVSS v4 score of 6.9.
3.2.3 INSUFFICIENT RESOURCE POOL CWE-410
This vulnerability allows an attacker to restart the affected CMU through a specific attack sequence, applicable only if secure communication using IEC 62351-3 (TLS) is enabled.
CVE-2024-12169 has a CVSS v3 base score of 6.5 and a CVSS v4 score of 8.7.
3.2.4 MISSING SYNCHRONIZATION CWE-820
This vulnerability could impact availability if renegotiation of an open IEC61850 TLS connection occurs under specific timing conditions. It affects the CMU where the IEC61850 stack is configured.
CVE-2025-1445 has a CVSS v3 base score of 7.5 and a CVSS v4 score of 8.7.
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Energy
- COUNTRIES/AREAS DEPLOY




