CVE-2025-9574
Published: 2025-10-20
Priority: P2 (71) · Critical · CVSS 3.1 base score 10
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
EPSS: 0.75% (50.4th percentile)
Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP. This issue affects .
All firmware versions with the Serial Number from 2000 to 5166
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| abb | als-mini-s4_ip | — | — |
| abb | als-mini-s8_ip | — | — |
Detection & IOCs (extracted from sources)
- Target devices are ALS-mini-S4/S8 IP controllers with serial numbers 2000–5166; detect unauthenticated HTTP requests to the embedded web server that read or modify device configuration parameters without any authentication headers/session tokens.
- Monitor for any network access to the embedded web server of ALS-mini-S4/S8 IP devices, especially from non-whitelisted IPs; alert on such access attempts via firewall, IDS, or IPS.
- The vulnerability is in the embedded web server component; network traffic to the web server port from external/untrusted sources should be flagged as suspicious, particularly configuration read/write operations.
- All firmware versions are affected for serial numbers 2000–5166; no patch exists as the product reached end of life in 2022 and ABB has no plans for a fix.
- Affected serial number range is explicitly 2000 to 5166 for both ALS-mini-s4 IP and ALS-mini-s8 IP; devices outside this range are not listed as affected.
- The embedded web server provides load monitoring, alarms, and remote configuration functionality; physically disconnecting the Ethernet port is the recommended workaround if the web server is not needed.
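The two detection ideas above (flag requests to the device web server that come from outside the management allowlist, and flag configuration reads/writes that carry no session cookie or Authorization header) can be expressed as a small log-scanning rule. The following is an added example, not code from the page, from ABB or from ASKI; the JSON log format, the field names, the device and management-network addresses, and the URL path markers used to recognise configuration requests are all constructed assumptions that would need to be matched to the real proxy, IDS or span-port logs in a given plant.

```python
"""Flag HTTP requests to ALS-mini-S4/S8 IP embedded web servers that arrive
from non-allowlisted sources or touch configuration without authentication.

Added example with constructed assumptions: device addresses, the management
allowlist, the log format and the configuration path markers are invented
for illustration and are not taken from the advisory."""
import ipaddress
import json
from dataclasses import dataclass

# Constructed: addresses of the ALS-mini controllers being protected.
DEVICE_HOSTS = {"10.20.30.41", "10.20.30.42"}
# Constructed: the only network that should ever reach the device web server.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.0/24")]
# Constructed: URL path fragments treated as configuration read/write.
CONFIG_PATH_MARKERS = ("config", "setting", "param")
# Headers whose presence counts as "some authentication was offered".
AUTH_HEADERS = ("authorization", "cookie")


@dataclass
class Alert:
    severity: str
    reason: str
    src: str
    dst: str
    request: str


def source_allowed(src: str) -> bool:
    """True if the source address is inside an allowlisted management network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def has_auth(headers: dict) -> bool:
    """True if the request carried a non-empty Authorization or Cookie header."""
    return any(name.lower() in AUTH_HEADERS and value for name, value in headers.items())


def is_config_request(path: str) -> bool:
    """Heuristic: does the URL path look like a configuration endpoint?"""
    lowered = path.lower()
    return any(marker in lowered for marker in CONFIG_PATH_MARKERS)


def evaluate(event: dict) -> list:
    """Apply both rules to one parsed HTTP event and return the alerts raised."""
    alerts = []
    if event["dst_ip"] not in DEVICE_HOSTS:
        return alerts  # not traffic to a monitored controller
    request = f"{event['method']} {event['path']}"
    if not source_allowed(event["src_ip"]):
        alerts.append(Alert("high", "access from non-allowlisted source",
                            event["src_ip"], event["dst_ip"], request))
    if is_config_request(event["path"]) and not has_auth(event.get("headers", {})):
        # Writes to configuration weigh heavier than reads.
        severity = "critical" if event["method"] in ("POST", "PUT") else "high"
        alerts.append(Alert(severity, "unauthenticated configuration access",
                            event["src_ip"], event["dst_ip"], request))
    return alerts


def scan(lines) -> list:
    """Parse newline-delimited JSON HTTP events and collect all alerts."""
    alerts = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(evaluate(json.loads(line)))
    return alerts


# Constructed sample log: one event per line, JSON-encoded.
SAMPLE_LOG = """
{"src_ip":"10.20.1.15","dst_ip":"10.20.30.41","method":"GET","path":"/status.html","headers":{"Cookie":"session=abc"}}
{"src_ip":"10.20.1.15","dst_ip":"10.20.30.41","method":"GET","path":"/config.cgi","headers":{"Cookie":"session=abc"}}
{"src_ip":"192.0.2.77","dst_ip":"10.20.30.42","method":"POST","path":"/config.cgi","headers":{}}
{"src_ip":"10.20.1.99","dst_ip":"10.20.30.41","method":"GET","path":"/params","headers":{}}
{"src_ip":"192.0.2.77","dst_ip":"10.20.5.5","method":"GET","path":"/config","headers":{}}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample the first two events are clean (allowlisted source, and the configuration read carries a session cookie), the third event raises two alerts (foreign source plus an unauthenticated configuration write, rated critical), the fourth raises one (an allowlisted host reading parameters with no session), and the fifth is ignored because it is not aimed at a monitored controller. Because the advisory states that no fix will ship, the value of such a rule is in surfacing any web-server access at all to devices that should be isolated or physically disconnected.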
CVSS provenance
- NVD, CVSS v3.1: 10.0 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.9 CRITICAL, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:U/V:D/RE:M/U:Red
CISA ICS Advisory ICSA-25-296-02: ASKI Energy ALS-Mini-S8 and ALS-Mini-S4
Source: cisa_ics · Release date: October 23, 2025 · CVSS 10.0 · [CRITICAL]
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.9
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: ASKI Energy
- Equipment: ALS-Mini-S8, ALS-mini-s4 IP
- Vulnerability: Missing Authentication for Critical Function
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to gain full control over the device.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following ASKI Energy products are affected:
- ALS-mini-s4 IP (serial number from 2000 to 5166): All versions
- ALS-mini-s8 IP (serial number from 200
GHSA-22jr-jqv2-c6r8 (ghsa_unreviewed · 2025-10-20): CVE-2025-9574 [CRITICAL] CWE-306 Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP
Missing Authentication for Critical Function vulnerability in ABB ALS-mini-s4 IP, ABB ALS-mini-s8 IP. This issue affects .
All firmware versions with the Serial Number from 2000 to 5166
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.