CISA has released advisory ICSA-26-120-05 detailing critical security vulnerabilities affecting ABB AWIN Gateways. These devices, widely deployed in Critical Manufacturing sectors worldwide, are susceptible to attacks that could allow adversaries to reboot devices remotely or exfiltrate sensitive system configurations without authentication.
Executive Summary
The vulnerabilities—identified as Authentication Bypass by Capture-replay and Missing Authentication for Critical Function—carry a CVSS v3 score of 8.3 (High). Successful exploitation allows an attacker to disrupt operations by forcing a device reboot (Denial of Service) or gain unauthorized insight into the system configuration, potentially exposing network credentials or operational details.
Given the role of these gateways in bridging OT and IT environments, a compromise here could serve as a pivot point for deeper lateral movement into the industrial control network. Defenders must immediately identify affected assets and apply vendor patches or enforce strict network segmentation.
Technical Analysis
Affected Products & Versions:
- ABB AWIN GW100 rev.2: Firmware versions 2.0-0 and 2.0-1.
- ABB AWIN GW120: Firmware versions 1.2-0 and 1.2-1.
Vulnerability Mechanics:
- Authentication Bypass by Capture-replay: The gateway fails to properly validate the freshness or integrity of session tokens. An attacker on the network can capture a legitimate administrative request (such as a configuration query) and replay it. The device accepts the replayed request as valid, allowing the attacker to retrieve sensitive system configuration data without valid credentials.
- Missing Authentication for Critical Function: Certain sensitive endpoints, specifically those responsible for device lifecycle management (e.g., rebooting), do not require authentication. This allows an unauthenticated attacker to send a specially crafted request to the device, triggering an immediate restart and causing operational downtime.
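As an added illustration of the first weakness (this is example code written for this article, not code from the advisory, from ABB, or a description of the gateway's real implementation, which the advisory does not publish): a token-only check accepts a captured request as often as it is resent, while a scheme that binds a fresh nonce and timestamp to the request body with an HMAC rejects the replayed copy, a tampered copy, and a stale one. The shared key, token value, action names, and clock values are all constructed for the demonstration.

```python
"""Replay-resistant request validation, modelled in miniature.

Added example; not the vendor's code. Keys, tokens and action names are constructed.
"""
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key"  # assumption: per-device secret provisioned out of band
STATIC_TOKEN = "session-abc123"       # constructed bearer value of the kind a replay bug trusts


class ReplayableGateway:
    """Weak pattern: any request carrying a known token is accepted, however old or repeated."""

    def handle(self, request):
        if request.get("token") != STATIC_TOKEN:
            return "401 rejected"
        return "200 ok: " + request["action"]


class NonceCheckedGateway:
    """Hardened pattern: freshness (timestamp window + one-time nonce) and integrity (HMAC)."""

    WINDOW = 30  # seconds of clock skew tolerated

    def __init__(self, now=time.time):
        self.now = now
        self.seen = {}  # nonce -> timestamp, kept only for the freshness window

    @staticmethod
    def sign(action, ts, nonce):
        msg = "{}|{}|{}".format(action, ts, nonce).encode()
        return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()

    def handle(self, request):
        ts, nonce = request["ts"], request["nonce"]
        expected = self.sign(request["action"], ts, nonce)
        if not hmac.compare_digest(expected, request["mac"]):
            return "401 bad signature"          # body or metadata was altered
        now = int(self.now())
        # Drop nonces older than the window so the store stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.WINDOW}
        if abs(now - ts) > self.WINDOW:
            return "401 stale timestamp"        # captured long ago, replayed later
        if nonce in self.seen:
            return "401 replayed nonce"         # same request seen inside the window
        self.seen[nonce] = ts
        return "200 ok: " + request["action"]


def make_signed_request(action, ts):
    """What a legitimate client would send: action, timestamp, fresh nonce, HMAC over all three."""
    nonce = secrets.token_hex(8)
    return {"action": action, "ts": ts, "nonce": nonce,
            "mac": NonceCheckedGateway.sign(action, ts, nonce)}


def demo():
    """Run the same captured request through both gateways; returns every verdict by name."""
    clock = {"t": 1_700_000_000}                      # constructed, controllable clock
    gateway = NonceCheckedGateway(now=lambda: clock["t"])
    captured = {"action": "getConfig", "token": STATIC_TOKEN}  # constructed legitimate request
    vulnerable = ReplayableGateway()
    results = {
        "vulnerable_first": vulnerable.handle(captured),
        "vulnerable_replay": vulnerable.handle(captured),
    }
    req = make_signed_request("getConfig", clock["t"])
    results["hardened_first"] = gateway.handle(req)
    results["hardened_replay"] = gateway.handle(req)             # identical bytes resent
    results["hardened_tampered"] = gateway.handle(dict(req, action="setConfig"))
    clock["t"] += 60                                             # a minute passes
    results["hardened_stale"] = gateway.handle(make_signed_request("getConfig", clock["t"] - 60))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```

The property the example isolates is the one the advisory says the gateway lacks: a request must prove it is both recent and unmodified. The vendor firmware update is the actual fix for affected devices; the model only shows what "validating freshness and integrity" has to mean for a management interface.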
Exploitation Requirements:
- Network access to the ABB Gateway's management interface (typically from the same Layer 2 segment, or from a routed segment that reaches it).
- No prior credentials are needed.
- Exploitation can be performed via simple HTTP/HTTPS requests to the management interface.
Detection and Response
Detecting these vulnerabilities requires monitoring the management interfaces of OT assets for anomalous behavior. Since standard EDR is often absent on specialized gateways, we rely on network telemetry (Syslog, NetFlow, or Web Proxy logs) to identify exploitation attempts.
Sigma Rules
The following Sigma rules target the network behavior associated with the "Missing Authentication for Critical Function" (remote reboot) and the potential "Configuration Query" capture-replay attacks. These rules assume logging of HTTP traffic to the gateways.
```yaml
---
title: ABB AWIN Gateway Potential Remote Reboot via Web Interface
id: 8b7c6d5e-4f3a-4b2a-9c1d-0e8f7a6b5c4d
status: experimental
description: Detects potential remote reboot attempts on ABB AWIN Gateways via unauthenticated HTTP requests. The vulnerability allows unauthenticated access to the reboot function.
references:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-05
author: Security Arsenal
date: 2025/05/12
tags:
    - attack.initial_access
    - attack.t1190
    - attack.impact
    - attack.t0814
logsource:
    category: webserver
    product: appliance
detection:
    selection:
        cs-method: 'POST'
        cs-uri-query|contains:
            - 'reboot'
            - 'restart'
            - 'restartSystem'
        sc-status: 200
    # Excludes loopback and RFC1918 client addresses. In an OT network where every host is
    # private this suppresses nearly everything, so narrow it to the known administrative hosts.
    filter_internal:
        c-ip|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_internal
falsepositives:
    - Legitimate administrative reboot by IT/OT staff (verify source IP)
level: high
```
```yaml
---
title: ABB AWIN Gateway Configuration Export or Query
id: a1b2c3d4-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects attempts to query or export system configuration from ABB AWIN Gateways, which may indicate a capture-replay attack exploiting the auth bypass.
references:
    - https://www.cisa.gov/news-events/ics-advisories/icsa-26-120-05
author: Security Arsenal
date: 2025/05/12
tags:
    - attack.discovery
    - attack.t1087
    - attack.credential_access
logsource:
    category: webserver
    product: appliance
detection:
    selection_keywords:
        cs-uri-query|contains:
            - 'config'
            - 'backup'
            - 'export'
            - 'downloadCfg'
    selection_methods:
        cs-method:
            - 'GET'
            - 'POST'
    condition: selection_keywords and selection_methods
falsepositives:
    - Authorized scheduled backups
    - Administrative configuration changes
level: medium
```
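To test the two rules' logic before deploying them, here they are expressed as a plain Python filter and run over a handful of constructed W3C extended-format log lines. This is an added example, not part of the original post or the Sigma rules themselves; the field layout, IP addresses, URIs and query strings in the sample are all constructed.

```python
"""The two Sigma rules above as executable Python, run over constructed webserver log lines.

Added example; the log sample is made up to exercise each branch of the rules.
"""
import ipaddress
from dataclasses import dataclass

REBOOT_KEYWORDS = ("reboot", "restart", "restartsystem")        # rule 1, matched case-insensitively
CONFIG_KEYWORDS = ("config", "backup", "export", "downloadcfg")  # rule 2
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in W3C extended format; the #Fields directive names the columns.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-05-12 08:00:01 192.168.10.5 GET /status - 200
2025-05-12 08:00:07 192.168.10.5 POST /cgi-bin/system action=reboot 200
2025-05-12 08:01:13 203.0.113.44 POST /cgi-bin/system action=restartSystem 200
2025-05-12 08:02:20 203.0.113.44 GET /cgi-bin/system action=downloadCfg 200
2025-05-12 08:03:00 10.0.0.9 POST /cgi-bin/system action=reboot 403
2025-05-12 08:04:15 198.51.100.7 POST /login user=admin 200
"""


@dataclass
class LogEvent:
    c_ip: str
    cs_method: str
    cs_uri_stem: str
    cs_uri_query: str
    sc_status: int


def parse_w3c(text):
    """Split space-separated W3C lines into events; '#' directive lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, _time, c_ip, method, stem, query, status = line.split()
        events.append(LogEvent(c_ip, method, stem, query, int(status)))
    return events


def is_internal(ip):
    """True for loopback and RFC1918 addresses, the same set the Sigma filter excludes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def match_reboot_rule(ev):
    """Rule 1: POST, reboot keyword in the query, HTTP 200, source not internal."""
    q = ev.cs_uri_query.lower()
    return (ev.cs_method == "POST" and ev.sc_status == 200
            and any(k in q for k in REBOOT_KEYWORDS) and not is_internal(ev.c_ip))


def match_config_rule(ev):
    """Rule 2: GET or POST with a config/backup/export keyword in the query."""
    q = ev.cs_uri_query.lower()
    return ev.cs_method in ("GET", "POST") and any(k in q for k in CONFIG_KEYWORDS)


def run_rules(text):
    """Return the (client IP, query) pairs each rule fires on."""
    events = parse_w3c(text)
    return {
        "reboot": [(e.c_ip, e.cs_uri_query) for e in events if match_reboot_rule(e)],
        "config": [(e.c_ip, e.cs_uri_query) for e in events if match_config_rule(e)],
    }


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(rule, hits)
```

Running it shows the caveat behind the first rule's false-positive note: the 08:00:07 reboot from 192.168.10.5 is suppressed by the internal-address filter even though, on a segmented OT network, an internal host is exactly where an attacker with network access would sit. Replace the RFC1918 exclusion with the specific administrative hosts that are allowed to reboot the gateways, otherwise the rule only fires for sources outside the plant network.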
**KQL (Microsoft Sentinel)**
This query hunts for suspicious POST requests to known AWIN management interfaces containing keywords associated with rebooting the device.
```kusto
// Hunt for ABB AWIN Gateway Reboot Attempts
CommonSecurityLog
| where DeviceVendor in~ ("ABB", "AWIN") or DeviceProduct in~ ("ABB", "AWIN")
| where RequestMethod =~ "POST"
| where RequestURL has_any ("reboot", "restart", "restartSystem")
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, RequestURL, DeviceAction, ReceivedBytes
| order by TimeGenerated desc
```
**Velociraptor VQL**
Use this VQL artifact to hunt for the specific vulnerable firmware versions on Linux-based gateways by checking the OS release or package version strings if accessible via an agent.
```sql
-- Hunt for vulnerable ABB AWIN Firmware versions
-- info() provides the host fields and pslist() the process fields, so the two are joined with foreach().
SELECT * FROM foreach(
    row={
        SELECT OS, Fqdn, Platform, KernelVersion FROM info()
    },
    query={
        SELECT OS, Fqdn, Platform, KernelVersion,
               Pid, Name, CommandLine, Exe
        FROM pslist()
        WHERE Name =~ "awin"
           OR Exe =~ "awin"
           OR CommandLine =~ "AWIN"
    })

-- Additionally, if version files are standard, check them
-- (glob() exposes the path as OSPath; older Velociraptor releases call it FullPath):
-- SELECT read_file(filename=OSPath) AS Data
-- FROM glob(globs="/etc/awin-version", root="/")
-- WHERE Data =~ "2.0-0" OR Data =~ "2.0-1" OR Data =~ "1.2-0" OR Data =~ "1.2-1"
```
**Firmware Version Check Script (Bash)**
This script can be used during an assessment to check the firmware version of ABB AWIN gateways (assuming a Linux-based environment where version info is stored in a standard location like /etc/version or obtainable via system CLI).
```bash
#!/bin/bash
# Check ABB AWIN Gateway Firmware Version for Vulnerabilities
# Vulnerable: GW100 rev2 (2.0-0, 2.0-1), GW120 (1.2-0, 1.2-1)
echo "Checking ABB AWIN Firmware Version..."
# Check for common version file locations (assumed path; adjust to the device's layout)
VERSION_FILE="/etc/version"
if [ ! -f "$VERSION_FILE" ]; then
    echo "Version file $VERSION_FILE not found; read the version from the device CLI or web UI instead."
    exit 2
fi
CURRENT_VERSION=$(tr -d '[:space:]' < "$VERSION_FILE")
case "$CURRENT_VERSION" in
    2.0-0|2.0-1|1.2-0|1.2-1) echo "VULNERABLE: firmware $CURRENT_VERSION is listed in ICSA-26-120-05"; exit 1 ;;
    *) echo "Firmware $CURRENT_VERSION is not in the advisory's affected list"; exit 0 ;;
esac
```