---
title: "ABB LVS MConfig Vulnerability Exposes Sensitive Data in Memory"
short_title: "ABB MConfig flaw leaks passwords in memory dumps"
description: "ABB warns of a high-severity vulnerability (CVE-2025-9970) in LVS MConfig software, exposing sensitive data in memory dumps. Update now to secure systems."
author: "Vitus"
date: 2024-10-24
categories: [Cybersecurity, Vulnerabilities]
tags: [abb, cve-2025-9970, memory-vulnerability, ics-security, cybersecurity]
score: 0.75
cve_ids: [CVE-2025-9970]
---
## TL;DR
ABB has disclosed a high-severity vulnerability (CVE-2025-9970) in its LVS MConfig software, which stores sensitive information like passwords in plaintext memory. Attackers with local access could exploit this flaw to extract credentials from memory dumps. ABB has released a patch (version 1.4.9.22) to mitigate the risk, urging users to update immediately and implement defensive measures.
Main Content
### Introduction
ABB, a global leader in industrial technology, has identified a critical security flaw in its LVS MConfig software, a tool used for parameterizing low-voltage switchgear components. The vulnerability, tracked as CVE-2025-9970, involves the cleartext storage of sensitive information in memory, potentially exposing user credentials to attackers with local access. This advisory details the flaw, its impact, and recommended actions to secure affected systems.
### Key Points
- Vulnerability: CVE-2025-9970 allows attackers to extract sensitive data, including passwords, from memory dumps of the MConfig application.
- Affected Versions: LVS MConfig versions 1.4.9.21 and earlier.
- Severity: Rated 7.4 (High) on the CVSS 3.1 scale.
- Impact: Successful exploitation could lead to unauthorized modifications of switchgear components, compromising industrial operations.
- Fix: ABB has released MConfig version 1.4.9.22, which addresses the vulnerability by clearing authentication-related memory data and hashing passwords using SHA256.
### Technical Details
#### Vulnerability Overview
The vulnerability stems from a code defect in the MConfig software, which allows attackers to export memory dumps during runtime. If passwords or other sensitive data are stored in plaintext within these dumps, attackers can extract and exploit them. This flaw is particularly concerning for industrial environments where MConfig is used to configure critical components like motor controllers, feeder controllers, and temperature monitoring solutions.
#### Exploitation Requirements
- Physical Access: An attacker must have physical access to a host machine running MConfig.
- Timing: Exploitation requires the attacker to act after a user logs into the application, increasing the likelihood of capturing active session data.
- Memory Dump Extraction: The attacker must export a memory dump file from the operating system, which may contain plaintext credentials.
#### Mitigation Measures
ABB has implemented the following fixes in the patched version (1.4.9.22):
- Memory Clearing: Authentication-related memory data is now cleared after a successful login.
- Password Hashing: Passwords are hashed using SHA256, preventing plaintext exposure.
### Impact Assessment
#### Affected Sectors
The vulnerability impacts multiple critical infrastructure sectors, including:
- Chemical
- Critical Manufacturing
- Energy
- Food and Agriculture
- Transportation Systems
- Water and Wastewater
#### Potential Consequences
If exploited, this vulnerability could allow attackers to:
1. Extract User Credentials: Gain access to sensitive information stored in memory dumps.
2. Modify Switchgear Settings: Alter configurations of low-voltage switchgear components, potentially disrupting industrial operations.
3. Compromise Industrial Safety: Unauthorized changes to switchgear settings could lead to equipment failure or safety hazards.
#### Attack Vector
- Local Access Required: The vulnerability cannot be exploited remotely; physical access to the host machine is necessary.
- Targeted Exploitation: Attackers must target systems where MConfig is installed and actively used, such as switch rooms in industrial facilities.
### Mitigation Steps
ABB and CISA recommend the following actions to mitigate the risk:
#### Immediate Actions
1. Update Software: Install MConfig version 1.4.9.22 or later to resolve the vulnerability.
2. Restrict Physical Access: Limit access to host machines running MConfig to authorized personnel only.
3. Monitor Memory Dumps: Implement policies to securely handle and dispose of memory dump files.
#### Long-Term Recommendations
1. Network Segmentation: Isolate control system networks from business networks using firewalls.
2. Secure Remote Access: Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
3. Defensive Measures: Follow ABB’s General Security Recommendations for industrial control systems (ICS), as outlined in the product instruction manual.
### Affected Systems
| Vendor | Product | Affected Versions | Status |
|------------|------------------------|-----------------------------|---------------------|
| ABB | LVS MConfig | <= 1.4.9.21 | Fixed in 1.4.9.22 |
## Conclusion
The CVE-2025-9970 vulnerability in ABB’s LVS MConfig software highlights the risks associated with cleartext storage of sensitive information in memory. While the flaw requires local access for exploitation, its potential impact on critical infrastructure sectors is significant. Organizations using MConfig are urged to update to version 1.4.9.22 immediately and implement recommended security measures to reduce the risk of exploitation.
For further details, refer to ABB’s official advisory and CISA’s recommendations on securing industrial control systems.
## References
[^1]: ABB PSIRT. "ABB LVS MConfig Vulnerability Advisory". Retrieved 2024-10-24.
[^2]: CISA. "ICS Advisory ICSA-26-146-06". Retrieved 2024-10-24.
[^3]: CVE Details. "CVE-2025-9970". Retrieved 2024-10-24.
[^4]: MITRE. "CWE-316: Cleartext Storage of Sensitive Information in Memory". Retrieved 2024-10-24.