{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/s+-operations/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":6.5,"id":"CVE-2025-3756"}],"_cs_exploited":false,"_cs_products":["ABB System 800xA","Symphony Plus IEC 61850","S+ Operations","Symphony Plus SD Series CI850","Symphony Plus MR (Melody Rack) PM 877","AC800M Product line (System 800xA) CI868"],"_cs_severities":["medium"],"_cs_tags":["ics","denial-of-service","industrial-control-system","iec61850"],"_cs_type":"advisory","_cs_vendors":["ABB"],"content_html":"\u003cp\u003eABB System 800xA and Symphony Plus IEC 61850 products are vulnerable to a denial-of-service attack due to improper validation of input within the IEC 61850 communication stack. This affects specific modules within the AC800M, Symphony Plus SD Series, Symphony Plus MR, and S+ Operations product lines. An attacker with network access to the IEC 61850 network can exploit this vulnerability by sending a specially crafted 61850 packet. The exploitation leads to device faults in PM 877, CI850, and CI868 modules, requiring manual restarts, or causes unavailability of the S+ Operations 61850 connectivity due to communication driver crashes. The System 800xA IEC61850 Connect is not affected by this vulnerability. This issue was reported to ABB by Hitachi Energy and affects firmware versions prior to the patched releases detailed in ABB\u0026rsquo;s advisory.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains network access to the targeted IEC 61850 network.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable ABB device (PM 877, CI850, CI868 modules, or S+ Operations node).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious IEC 61850 packet specifically designed to exploit the input validation vulnerability (CVE-2025-3756).\u003c/li\u003e\n\u003cli\u003eAttacker sends the crafted packet to the targeted vulnerable ABB device via the IEC 61850 network.\u003c/li\u003e\n\u003cli\u003eThe vulnerable device processes the malicious packet.\u003c/li\u003e\n\u003cli\u003eDue to the input validation flaw, the processing of the crafted packet triggers a fault condition in PM 877, CI850, or CI868 modules, or a crash in the S+ Operations IEC 61850 communication driver.\u003c/li\u003e\n\u003cli\u003eThe affected module or node becomes unavailable, resulting in a denial-of-service.\u003c/li\u003e\n\u003cli\u003eFor PM 877, CI850, and CI868 modules, manual restart of the device is required to restore functionality. S+ Operations requires restarting the IEC 61850 communication driver.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can disrupt critical industrial control processes. Affected sectors include Chemical, Critical Manufacturing, Energy, and Water/Wastewater. A successful attack can lead to temporary loss of control and monitoring capabilities, potentially causing process disruptions, safety incidents, or environmental damage. The vulnerability affects devices deployed worldwide. While the S+ Operations node\u0026rsquo;s overall functionality remains available, the loss of IEC 61850 communication can still impede operations relying on this protocol.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply vendor-provided patches to affected ABB System 800xA and Symphony Plus IEC 61850 products as soon as they are available. Refer to ABB\u0026rsquo;s advisory for specific version information and patch availability.\u003c/li\u003e\n\u003cli\u003eSegment and isolate IEC 61850 networks using firewalls to prevent unauthorized access and lateral movement. Implement strict access control policies to limit access to these networks.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious IEC 61850 packets that may indicate exploitation attempts. Create network connection rules to only allow traffic from known good IEC 61850 clients.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious IEC 61850 Traffic\u0026rdquo; to detect potential exploitation attempts based on unexpected network activity.\u003c/li\u003e\n\u003cli\u003eEnable and review firewall logs to identify and block potentially malicious traffic attempting to reach vulnerable ABB devices.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-30T12:00:00Z","date_published":"2026-04-30T12:00:00Z","id":"/briefs/2026-04-abb-iec61850-dos/","summary":"A vulnerability in ABB's IEC 61850 communication stack allows a remote attacker with access to the IEC 61850 network to cause a denial-of-service condition by sending a specially crafted packet, leading to device faults or communication driver crashes.","title":"ABB System 800xA and Symphony Plus IEC 61850 Denial-of-Service Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-abb-iec61850-dos/"}],"language":"en","title":"CraftedSignal Threat Feed — S+ Operations","version":"https://jsonfeed.org/version/1.1"}