ABB LVS MConfig Vulnerability Exposes Stored Passwords

ABB has identified a critical vulnerability (CVE-2025-9970) in its LVS MConfig software affecting versions 1.4.9.21 and earlier. The flaw allows local network attackers to extract memory dump files containing plaintext passwords stored in the application's memory. If these dumps are mishandled, attackers could obtain sensitive credentials. The vulnerability impacts critical infrastructure sectors including energy, manufacturing, and water systems worldwide. ABB rates the issue as HIGH severity (CVSS 7.4) and has released MConfig version 1.4.9.22 as a fix. Users are strongly advised to update immediately and implement the defensive measures outlined in product documentation. Source: CISA.
Original reporting by RSS: CISA Alerts. We only summarise – never republish.