ABB has released a critical advisory addressing multiple security flaws in its T-MAC Plus product, a controller widely used in the Critical Manufacturing sector. With a CVSS v3 score of 9.9, these vulnerabilities represent a severe risk to industrial environments, potentially allowing attackers to bypass authorization, access sensitive files, and execute cross-site scripting (XSS) attacks.
For defenders managing Operational Technology (OT) and Industrial Control Systems (ICS), this is not a routine update. The combination of "Authorization Bypass Through User-Controlled Key" (CVE-2025-14772) and "Files or Directories Accessible to External Parties" (CVE-2025-14771) suggests a fundamental breakdown in the device's web interface access control model. If an attacker gains a foothold in the OT network, these flaws facilitate immediate lateral movement and data exfiltration without requiring deep knowledge of proprietary industrial protocols.
Technical Analysis
Affected Products:
- ABB T-MAC Plus (Version 4.0-24)
CVE Identifiers and Impact:
- CVE-2025-14771 (Files or Directories Accessible to External Parties): Critical severity. Allows unauthorized read access to files on the device's filesystem via the web interface.
- CVE-2025-14772 (Authorization Bypass Through User-Controlled Key): Critical severity. An attacker can manipulate specific parameters (keys) to bypass authentication checks entirely.
- CVE-2025-14773 (Cross-site Scripting - Reflected): High severity. Improper input neutralization allows execution of arbitrary scripts in the context of a victim's browser, potentially hijacking sessions.
- CVE-2025-14774 (Incorrect Authorization): High severity. The system fails to properly enforce permission checks on sensitive functions.
Attack Chain and Exploitation Mechanics: The primary attack vector is the web interface. The vulnerability chain likely begins with CVE-2025-14773 (XSS) or scanning for CVE-2025-14771 (Directory Access). An attacker on the network layer does not need to authenticate initially to probe for sensitive files. Once sensitive directories are mapped, the attacker can utilize the Authorization Bypass (CVE-2025-14772) to access administrative functions by manipulating the user-controlled key.
In an ICS environment, this level of access can lead to configuration tampering, credential theft, or denial of service. CISA has released advisory ICSA-26-195-03, urging organizations to implement defensive measures immediately. While active exploitation in the wild has not been explicitly confirmed at the time of writing, the accessibility of these exploits and the criticality of the target sector make imminent exploitation highly probable.
Detection and Response
Defending against these vulnerabilities requires monitoring web traffic destined for ICS subnets. Since these are web-based vulnerabilities, your network detection infrastructure (IDS/IPS) and proxy logs are the primary sources of truth.
The following detection rules focus on the behavioral indicators of these specific CVEs: probing for accessible directories and the injection of scripts indicative of XSS attempts.
---
title: Potential ABB T-MAC Directory Traversal or Access
id: 8c2d4a12-3b4e-4f9d-8a1e-0c5b6d7e8f9a
status: experimental
description: Detects attempts to access sensitive directories or files on ABB T-MAC devices, indicative of exploitation of CVE-2025-14771.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-195-03
author: Security Arsenal
date: 2026/07/14
tags:
- attack.initial_access
- attack.t1190
logsource:
category: web
product: apache
detection:
selection:
c-uri|contains:
- '/admin/'
- '/backup/'
- '/config/'
- '/logs/'
- '/download/'
sc-status:
- 200
- 301
- 302
condition: selection
falsepositives:
- Authorized administrative access
level: high
---
title: ABB T-MAC Potential XSS Exploitation
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects common Cross-site Scripting payloads in URL parameters targeting the web interface, related to CVE-2025-14773.
references:
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-195-03
author: Security Arsenal
date: 2026/07/14
tags:
- attack.initial_access
- attack.t1190
- cve.2025.14773
logsource:
category: web
product: apache
detection:
selection:
c-uri-query|contains:
- '<script'
- 'javascript:'
- 'onerror='
- 'onload='
- 'alert('
condition: selection
falsepositives:
- Authorized penetration testing
level: medium
**Microsoft Sentinel / Defender KQL**
Use this query to hunt for suspicious web traffic against known OT assets or specific patterns associated with these vulnerabilities.
// Hunt for directory access attempts and XSS patterns against ABB devices
let SuspiciousPaths = dynamic(['/admin', '/backup', '/config', '/data', '/etc', '/bin']);
let XSSPatterns = dynamic(['<script', 'javascript:', 'onerror', 'onload', 'fromCharCode']);
CommonSecurityLog
| where DeviceVendor in~ ('ABB', 'Schneider Electric', 'Siemens') // Adjust vendor to match your environment's logging
| where RequestURL has_any (SuspiciousPaths) or RequestURL has_any (XSSPatterns)
| project TimeGenerated, DeviceIP, SourceIP, RequestURL, RequestMethod, DeviceAction,
StatusCode, ReceivedBytes, SentBytes
| summarize count() by SourceIP, RequestURL, StatusCode
| order by count_ desc
**Velociraptor VQL**
This VQL artifact hunts for processes that may be interacting with ICS web interfaces on non-standard ports or establishing unexpected connections, useful for identifying management workstations that might be compromised.
-- Hunt for processes connecting to web ports on ICS subnets
SELECT Pid, Name, CommandLine, Exe, Username, RemoteAddress, RemotePort
FROM listen()
WHERE RemotePort IN (80, 443, 8080, 443)
AND RemoteAddress =~ "192.168.1." // Adjust to match your ICS subnet
AND Name NOT IN ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe")
**Remediation Verification Script (Bash)**
The following script attempts to identify vulnerable ABB T-MAC Plus instances by checking the HTTP response headers for version information. Note: Use this only with proper authorization within your managed environment.
#!/bin/bash
# Scan a subnet for ABB T-MAC Plus devices to check version status
# Usage: ./check_abb_version.sh <subnet>
SUBNET=$1
if [ -z "$SUBNET" ]; then
echo "Usage: $0 <subnet> (e.g., 192.168.1)"
exit 1
fi
echo "Scanning $SUBNET.0/24 for ABB T-MAC Plus Web Interfaces..."
for i in {1..254}; do
IP="$SUBNET.$i"
# Timeout 1 sec to prevent hanging on unresponsive hosts
RESPONSE=$(curl -s -m 1 --connect-timeout 1 -I "http://$IP" 2>/dev/null | grep -i "Server")
if [[ "$RESPONSE" == *"ABB"* ]] || [[ "$RESPONSE" == *"T-MAC"* ]]; then
echo "[+] Potential ABB Device found at: $IP"
echo " Header: $RESPONSE"
# Attempt to fetch version page (hypothetical path based on device behavior)
VERSION_PAGE=$(curl -s -m 2 "http://$IP/version.html" 2>/dev/null)
if [[ "$VERSION_PAGE" == *"4.0-24"* ]]; then
echo " [!] VULNERABLE VERSION 4.0-24 DETECTED."
fi
fi
done
Remediation
- Apply Firmware Updates: Immediately update ABB T-MAC Plus to the latest version provided by ABB that resolves these vulnerabilities. Do not operate version 4.0-24 on exposed networks.
- Network Segmentation: Ensure T-MAC Plus devices are placed behind a firewall or a demilitarized zone (DMZ). The web management interface should not be accessible from the internet or the general IT network without strict jump-host controls.
- Review Access Controls: Audit who has access to the management interfaces. Due to CVE-2025-14772 (Authorization Bypass), ensure that application-level controls are reinforced until patching is complete.
- Vendor Advisory: Refer to the official CISA advisory ICSA-26-195-03 for detailed mitigation steps and patch availability.
Related Resources
Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.