ABB Ability zenon Remote Transport Service CVE-2025-8754 — Missing Authentication Allows Unauthorized Remote Reboot of OT Systems — Threadlinqs Intelligence
Threat ID: TL-2026-0594 · Severity: HIGH · CVSS: 7.5 · Status: ACTIVE · Category: ICS_SCADA
A Missing Authentication for Critical Function vulnerability (CWE-306) in the ABB Ability zenon software platform allows an unauthenticated network attacker to invoke the Reboot OS function exposed by
ABB Ability zenon is a widely-deployed HMI/SCADA software platform used to engineer and operate supervisory control systems in Chemical, Communications, Critical Manufacturing, Dams, Energy, Healthcare and Public Health, Information Technology, and Water and Wastewater sectors worldwide. The platform's runtime is supported by the zensyssrv.exe Windows service (ABB zenon System Service), which by default is set to start automatically and which exposes the Remote Transport Service (RTS). RTS is intended to permit engineering operations to be performed remotely against a zenon Runtime host, and it nominally requires the operator to configure a password before any RTS function can be invoked.
CVE-2025-8754 is an authentication bypass affecting the Reboot OS command exposed by RTS. The vulnerability allows an attacker who can reach the zensyssrv.exe service over the network to invoke the Reboot OS function without supplying the configured RTS password. The advisory text from ABB PSIRT and CISA's ICSA-26-146-03 (released 2026-05-26) describes the flaw as a Missing Authentication for Critical Function (CWE-306), placing it squarely in the same class as the OPC UA / IEC-104 / Modbus historical patterns where ICS-specific protocol handlers either omit credential checks entirely or fail to enforce them on a privileged subset of operations. The CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H reflects a pure availability impact: no data is exfiltrated and no integrity is modified, but the target Windows host can be forcibly rebooted at will by an unauthenticated attacker on the same network.
In an OT context the operational impact is disproportionately severe. zenon Runtime is frequently deployed on stand-alone industrial PCs that drive HMI screens, historian collectors, batch controllers, and gateway nodes to PLCs over IEC 60870-5-104, OPC UA, S7, Modbus TCP, and proprietary fieldbus protocols. An unscheduled reboot during a production run can: (1) lose the in-memory state of an HMI session and detach operator visibility from the process, (2) drop active OPC UA / S7 subscriptions and force a reconnection storm against downstream PLCs, (3) interrupt batch or recipe execution mid-step, (4) lose unwritten historian buffers that have not yet flushed to the SQL backend, and (5) for systems in N+1 redundancy, trigger a forced failover that itself can cascade if the standby is similarly vulnerable. Repeat invocation produces a sustained denial-of-service that prevents the operator from regaining control. In safety-instrumented environments the loss of HMI visibility can force an operator to invoke a process trip out of an abundance of caution, converting an IT-layer DoS into a real physical-process shutdown.
The exploit primitive is straightforward and is the canonical Tier-1 ICS vulnerability shape: a critical action handler that does not verify the caller's authentication state before executing. The zensyssrv.exe RTS listener accepts a Reboot OS message and reaches the OS-level reboot path (most likely InitiateSystemShutdownEx or ExitWindowsEx with SE_SHUTDOWN_NAME privilege already held by the LocalSystem-account service) without consulting whether the connection has presented the RTS password. Note that the vulnerability is in the authentication state machine of the RTS protocol handler, not in the cryptographic algorithm or password storage — even an unconfigured RTS password is not a precondition for exploitation. No public proof-of-concept code has been released as of the advisory date and ABB PSIRT reported the issue to CISA itself, indicating a coordinated disclosure path; CISA noted that as of publication there is no evidence of in-the-wild exploitation.
The remediation guidance from ABB is mitigation-only at the time of writing: (a) restrict network reachability to zenon hosts using firewalls, ACLs, and OT-segmentation patterns from IEC 62443 / NIST SP 800-82; (b) audit whether RTS is operationally required and, if not, stop
Target sectors: chemical, communications, critical-manufacturing, dams, energy, healthcare, information-technology, water-wastewater
Target regions: Worldwide, North America, Europe, Asia-Pacific, Middle East, South America, Africa
Detections & IOCs
This threat has 9 detection rule(s) across Splunk SPL, Microsoft KQL and Sigma, and 14 indicator(s) of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier). View plans.
ICS_SCADA, HIGH, threat intelligence, cybersecurity, CVE-2025-8754, T1595, T1590, T1588, T1190, T1046, T1007, T1210, T1529, T1499, T1489