
ABB LVS MConfig

ABB LVS MConfig versions 1.4.9.21 and prior contain a high-severity vulnerability (CVE-2025-9970) where user credentials are stored in cleartext in application memory. An attacker with local or physical access to the host machine can export a memory dump during runtime to extract these passwords, potentially allowing unauthorized modification of low voltage switchgear components.

Confidence: high. Analyzed: 2026-05-26

Authors: CISA, ABB PSIRT

Source: CISA


What Happened

A security vulnerability was discovered in ABB's MConfig software, which is used to manage industrial electrical equipment. If an attacker gains physical or local access to a computer running this software, they can extract user passwords from the computer's memory. This could allow the attacker to tamper with critical electrical switchgear settings. Organizations using this software should immediately update to version 1.4.9.22, which fixes the issue by properly securing passwords in memory.

Key Takeaways

  • ABB LVS MConfig versions 1.4.9.21 and prior are vulnerable to cleartext password extraction from memory dumps (CVE-2025-9970).
  • Exploitation requires local or physical access to the host machine running the MConfig software.
  • Successful exploitation allows attackers to extract user credentials and potentially modify critical switchgear component settings.
  • ABB has released MConfig version 1.4.9.22 to resolve the vulnerability by clearing memory data post-login and hashing passwords.

Affected Systems

  • ABB LVS MConfig versions <= 1.4.9.21 running on Windows 11 or later

Vulnerabilities (CVEs)

  • CVE-2025-9970

Attack Chain

An attacker gains physical or local access to a Windows host running ABB LVS MConfig. While a legitimate user is logged into the application, the attacker forces a memory dump of the MConfig process. The attacker then extracts cleartext passwords from the resulting memory dump file. Using these credentials and physical access to the switch room, the attacker modifies the settings of low voltage switchgear components.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the advisory.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR solutions can detect unauthorized processes attempting to dump the memory of the MConfig application via API calls like MiniDumpWriteDump or tools like Task Manager and ProcDump.
  • Network Visibility: None. The vulnerability is exploited locally via memory dumping, generating no network traffic.
  • Detection Difficulty: Moderate. Detecting memory dumping of a specific application requires fine-tuned EDR rules to monitor process access events against the MConfig executable, which may blend in with legitimate administrative or debugging activity.

Required Log Sources

  • EDR Process Telemetry
  • Windows Security Event Logs (Process Access)

Hunting Hypotheses

  • Hypothesis: Consider hunting for unusual processes requesting read access (e.g., PROCESS_VM_READ) to the MConfig application process, which may indicate an attempted memory dump.
  • Telemetry: EDR process access logs (e.g., Sysmon Event ID 10)
  • ATT&CK Stage: Credential Access
  • FP Risk: Medium (legitimate debugging, crash reporting tools, or AV scanners may access process memory)
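As an added illustration of this hunting hypothesis (not part of the advisory), the Python filter below runs over constructed Sysmon Event ID 10 (ProcessAccess) records and flags any non-allowlisted source process that was granted PROCESS_VM_READ on the MConfig process. The image name mconfig.exe, the allowlisted Defender path and the sample records are assumptions, not values taken from the advisory.

```python
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # access right required to read another process's memory

# Assumption: the advisory does not name MConfig's process image; placeholder name.
TARGET_IMAGE = "mconfig.exe"

# Sources that legitimately open processes for reading; assumed path, tune to your estate.
ALLOWLIST = {
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
}

@dataclass
class Finding:
    utc_time: str
    source_image: str
    granted_access: int

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' Sysmon-style record."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def hunt_process_access(lines, target_image=TARGET_IMAGE, allowlist=ALLOWLIST):
    """Return EID 10 events where a non-allowlisted process got VM_READ on the target."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "10":
            continue  # only ProcessAccess events matter here
        if ev["TargetImage"].lower().rsplit("\\", 1)[-1] != target_image:
            continue  # access to some other process
        access = int(ev["GrantedAccess"], 16)
        if not access & PROCESS_VM_READ:
            continue  # e.g. QUERY_LIMITED_INFORMATION only: cannot read memory
        if ev["SourceImage"].lower() in allowlist:
            continue  # known-good reader such as the AV engine
        findings.append(Finding(ev["UtcTime"], ev["SourceImage"], access))
    return findings

# Constructed sample telemetry (not real logs); paths, times and access masks are made up.
SAMPLE_EVENTS = [
    r"EventID=1|UtcTime=2026-05-26 08:00:01|Image=C:\ABB\MConfig\MConfig.exe",
    r"EventID=10|UtcTime=2026-05-26 08:01:10|SourceImage=C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe|TargetImage=C:\ABB\MConfig\MConfig.exe|GrantedAccess=0x1410",
    r"EventID=10|UtcTime=2026-05-26 08:02:30|SourceImage=C:\Windows\explorer.exe|TargetImage=C:\ABB\MConfig\MConfig.exe|GrantedAccess=0x1000",
    r"EventID=10|UtcTime=2026-05-26 08:03:45|SourceImage=C:\Users\ops\Downloads\procdump.exe|TargetImage=C:\ABB\MConfig\MConfig.exe|GrantedAccess=0x1FFFFF",
    r"EventID=10|UtcTime=2026-05-26 08:04:00|SourceImage=C:\Windows\System32\Taskmgr.exe|TargetImage=C:\Windows\notepad.exe|GrantedAccess=0x1FFFFF",
]
```

Only the procdump record survives the filter: Defender is allowlisted, explorer.exe holds no VM_READ right, and Task Manager opened a different process.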

Control Gaps

  • Lack of application-level memory protection in older versions
  • Inadequate physical security controls for host machines

Key Behavioral Indicators

  • Unexpected memory dump files (.dmp) created in user directories or temp folders
  • Suspicious usage of memory dumping utilities targeting the MConfig process

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Update ABB LVS MConfig to version 1.4.9.22 or later to resolve the cleartext memory vulnerability.
  • Restrict physical and local administrative access to host machines running the MConfig software.

Infrastructure Hardening

  • Ensure host machines running ICS management software are isolated from business networks and the internet.
  • Implement strict physical security controls for switch rooms and areas housing critical ICS components.

User Protection

  • Enforce the principle of least privilege for users accessing the MConfig host machine.
  • If supported by your tooling, consider deploying EDR policies that restrict unauthorized memory dumping of critical applications.

Security Awareness

  • Train personnel to lock host machines when unattended to prevent unauthorized local access.

MITRE ATT&CK Mapping

  • T1552 - Unsecured Credentials
  • T1003 - OS Credential Dumping