Advisory

Critical vulnerability discovered in End-of-Life ASKI Energy industrial controllers

Take action: If you're still using ASKI Energy ALS-Mini-S4 or ALS-Mini-S8 industrial controllers, know that they have a critical flaw with no fix coming (product support ended in 2022). Make sure that these devices are isolated from the internet, ideally on a completely separate network, and start planning to replace them with supported equipment as soon as possible.


Learn More

ASKI Energy, now owned by ABB, is reporting a critical security vulnerability affecting its ALS-Mini-S8 and ALS-Mini-S4 IP industrial controllers. 

The flaw, tracked as CVE-2025-9574 (CVSS score 9.9), is a missing authentication mechanism in the embedded web server that allows unauthenticated remote attackers to gain full control over affected devices. Successful exploitation could enable attackers to read and modify critical product configuration parameters, compromising industrial control operations and enabling lateral movement in the operational technology network.

Affected products:

  • ALS-mini-s4 IP controllers with serial numbers from 2000 to 5166: All firmware versions
  • ALS-mini-s8 IP controllers with serial numbers from 2000 to 5166: All firmware versions

ABB, as the parent company of ASKI Energy, has confirmed that the affected products reached their end of life in 2022 and are no longer supported. There are no plans to develop or release security patches to address this vulnerability. Organizations still operating these legacy systems must place the devices in isolated, protected network segments with no direct internet connectivity and plan their replacement with supported devices.
