CVE-2025-14771: Upgrade ABB T-MAC Plus to 4.0-25

ABB has fixed four security vulnerabilities in T-MAC Plus 4.0-24, including a critical file-disclosure flaw and a broken-access-control bug that could let a low-privileged account perform administrative operations. The remedy is T-MAC Plus 4.0-25, and operators should treat the upgrade as more than routine web-server maintenance: the affected platform coordinates receipt and dispatch, access control, inventory movement, and card-reader communications at chemical, petroleum, refinery, bulk-storage, pipeline, and hydrogen terminals worldwide.
CISA published its republication of ABB’s advisory on July 14, 2026, under ICSA-26-195-03, expanding the visibility of a vendor disclosure initially released on June 3. The most serious issue, CVE-2025-14771, carries a CVSS 3.1 score of 9.9, but the larger concern is the way all four vulnerabilities intersect: exposed files, excessive privileges, stored script execution, and disruption of the card-reader service form a credible sequence of failures around a system positioned between business data, operators, and physical terminal access.

Cybersecurity operators monitor a refinery network amid critical alerts and a secure system upgrade.A Terminal Management System Is an Operational Choke Point​

ABB describes T-MAC Plus as a terminal management system that brings control systems, subsystems, and field devices into a common platform. Its job can include managing product receipt and dispatch, inventory and balance, access control, tank-farm movements, loading operations, reporting, and integration with enterprise systems.
That makes T-MAC Plus an unusually consequential target even when a vulnerability does not directly manipulate a safety controller. A conventional business application may expose records or interrupt office workflows; a terminal-management application can sit in the operational path through which personnel, vehicles, orders, products, and field equipment are coordinated.
ABB’s product literature also describes architectures containing servers, workstations, card readers, weighbridges, loading equipment, tank-gauging systems, and connections to enterprise resource planning platforms. The security boundary is therefore not simply a browser talking to a website. It is a chain extending from user identities and web forms to operational decisions and physical devices.
The advisory places affected deployments in the Critical Manufacturing sector and says the product is deployed worldwide. ABB is headquartered in Switzerland, but the remediation problem belongs to every operator still running the specifically affected T-MAC Plus 4.0-24 release.

Four Flaws Break Different Parts of the Same Trust Model​

The vulnerabilities are distinct, but they are not isolated in operational terms. Three affect the T-MAC Plus web application, while the fourth targets communication with card readers.
VulnerabilityAffected areaAccess requiredPrimary effectCVSS 3.1
CVE-2025-14771Web application and IIS configurationAuthenticated, low privilegeSensitive-file exfiltration through a crafted HTTP GET request9.9 Critical
CVE-2025-14772Web application authorizationAuthenticated, low privilegeAdministrative operations by an unprivileged user8.8 High
CVE-2025-14773Web application formsAuthenticated user; victim interaction requiredStored HTML or JavaScript execution in a victim’s browser8.0 High
CVE-2025-14774Card-reader communication protocolAdjacent network and physical device accessCard Reader service denial of service until manual restart7.4 High
CVE-2025-14771 is the headline flaw because its CVSS 3.1 vector combines network reachability, low complexity, low privileges, no required user interaction, and high potential impact to confidentiality, integrity, and availability. CISA categorizes it as CWE-552, Files or Directories Accessible to External Parties.
According to ABB’s advisory, the underlying condition included an incorrect IIS configuration in which file browsing was enabled. ABB says the default IIS site and the file-browsing feature were removed as part of the correction.
The practical danger is not limited to someone downloading a stray configuration file. On a management server, exposed files may contain information useful for understanding users, software structure, integrations, paths, operating procedures, or connected systems. What is actually present will vary by deployment, but an attacker able to retrieve sensitive material may gain the context needed to pursue the remaining weaknesses more effectively.
CVE-2025-14772 attacks the authorization model itself. T-MAC Plus supports multiple user classes, including administrative and lower-privileged roles, but ABB found that a low-privileged authenticated user could perform administrative operations.
That is a trust-boundary failure, not merely a missing button restriction. If authorization is not enforced correctly on the server, limiting what a low-level user sees in the interface does not prevent that account from invoking protected operations through crafted requests or manipulated identifiers. ABB says the privileges assigned to the different user classes were revised and correctly applied in the fixed release.

Stored Script Execution Turns Operators Into an Attack Surface​

CVE-2025-14773 is a stored cross-site scripting vulnerability in the T-MAC Plus web application. An authenticated attacker who can create or edit an entity may be able to insert malicious HTML or JavaScript that executes when a victim opens the affected web form.
The requirement for victim interaction lowers its score relative to the file-disclosure and authorization flaws, but it should not reassure operators. Industrial web consoles tend to be used by trusted personnel with meaningful access, and stored script execution adopts the victim’s browser session and application context.
That can make the operator the bridge between a low-privileged attacker and a more powerful account. Depending on the affected interface and session protections, malicious script could reportedly be used to manipulate displayed information, perform actions through the victim’s session, or capture data available to the browser.
ABB’s description calls the condition DOM-based XSS while the advisory classifies the vulnerability as stored cross-site scripting. Those labels describe different aspects of the execution path rather than necessarily contradicting each other: attacker-controlled data can be stored by the application and later processed unsafely by browser-side code.
The more important point is that this flaw does not stand alone. CVE-2025-14772 already shows that the application’s role boundaries were not consistently enforced, while CVE-2025-14771 may expose sensitive files. In combination, a compromised low-level account has more avenues for reconnaissance, privilege misuse, and interaction with higher-value users than any single CVSS score conveys.

The Card-Reader Flaw Crosses From Software Into Physical Operations​

CVE-2025-14774 affects the communication protocol used with card readers and is the only flaw in the set described as requiring no authenticated application account. ABB says an attacker with physical access to a serial device could disable it, connect a malicious device using the same IP address, and send a specially crafted message.
The resulting failure blocks the service responsible for communicating with the card reader. Recovery requires a manual restart, turning the bug into an operational disruption rather than a silent data compromise.
Its 7.4 score is the lowest of the four, but that numerical ranking can obscure site-specific impact. T-MAC Plus uses card-reader integrations for access-control workflows, so loss of the associated service may interfere with automated identification or force a terminal to use contingency procedures.
The exploit conditions are significant. The attacker needs proximity to the relevant environment, physical access to a device, and a position from which to send the crafted traffic. This is not described as a drive-by internet attack.
Yet the conditions are not implausible in an environment containing contractors, drivers, maintenance personnel, field cabinets, serial equipment, and segmented networks that may have accumulated exceptions over years of operation. Physical access should be considered part of the threat model, especially where a field device can be disconnected or impersonated without an immediate alert.

ABB’s Remote-Exploitation Language Needs Careful Reading​

The advisory’s frequently asked questions say the vulnerabilities cannot be exploited remotely and that physical access to an affected system node is required. Read literally across all four CVEs, that statement sits awkwardly beside the CVSS vectors for the three web vulnerabilities, which use a network attack vector and describe authenticated users sending web requests or editing application entities.
The most defensible interpretation is that ABB does not regard these flaws as remotely exploitable from outside the operational environment. An attacker may first need access to the system network or a valid T-MAC Plus account, while the card-reader denial of service has the additional physical-device conditions ABB describes explicitly.
That distinction matters. Not remotely exploitable does not mean not exploitable over a network once inside. CVE-2025-14771, CVE-2025-14772, and CVE-2025-14773 are application-level weaknesses whose descriptions presume interaction with the T-MAC Plus web service.
CISA’s defensive recommendations reinforce that reading. It advises operators to minimize network exposure, prevent control-system devices from being accessible from the internet, place operational networks behind firewalls, isolate them from business networks, and use maintained VPN technology where remote access is required.
Administrators should therefore avoid converting ABB’s FAQ wording into a justification for delayed patching. An operations-network foothold is already a serious incident, but security architecture exists precisely because one compromised credential, laptop, remote-access endpoint, or maintenance connection should not yield unrestricted access to every management application.

The Fix Repairs Configuration as Well as Code​

ABB says all four vulnerabilities are corrected in T-MAC Plus 4.0-25 and recommends applying the update at the earliest convenience. The update modifies the configuration of both the web application and the communication protocol.
For CVE-2025-14771, the remediation removes the default IIS site and disables the file-browsing exposure. For CVE-2025-14772, ABB revised and correctly applied privileges across user roles. The new release also corrects the script-injection weakness and the condition that allows crafted card-reader traffic to block the service.
This mixture of changes is important because it shows that the incident is not reducible to one defective function. The disclosed causes include incorrect IIS configuration, incorrect user privileges, and a lack of encryption in the communication protocol.
Operators should not assume that manually changing one IIS setting produces an equivalent security state to installing 4.0-25. A local configuration adjustment may reduce exposure to the file-disclosure path, but it does not necessarily correct application authorization, stored script handling, or card-reader communications.
Nor should a workaround become the permanent solution simply because industrial systems are difficult to patch. ABB states that workarounds can block known attack vectors without correcting the underlying vulnerabilities. That is conventional advisory language, but here the distinction is especially relevant because the affected components span both the web tier and a field-device protocol.

Timeline​

June 3, 2026 — ABB issued its initial advisory covering the four vulnerabilities in T-MAC Plus 4.0-24.
June 3, 2026 — The advisory revision history recorded the initial version, with T-MAC Plus 4.0-25 identified as the corrected release.
July 14, 2026 — CISA published its initial republication of ABB PSIRT 9AKK108472A7840 as ICSA-26-195-03.
The republication timing does not indicate that the vulnerabilities first appeared in July. It means CISA added federal ICS-advisory visibility to an ABB disclosure that had already been available since June 3.
CISA also makes clear that its page is a verbatim republication created from ABB’s Common Security Advisory Framework material. ABB’s vendor advisory remains the technical origin, while CISA’s role is visibility and dissemination rather than independent validation of every statement.

Patch Planning Must Account for Terminal Availability​

The straightforward instruction is to upgrade from T-MAC Plus 4.0-24 to 4.0-25. The operational challenge is validating that change without disrupting loading, dispatch, access control, inventory movement, card-reader operation, or integrations with other terminal systems.
An impact analysis should identify which T-MAC Plus modules are active at the site, which user roles exist, how remote support reaches the system, and which field devices depend on the card-reader communication service. Operators should also establish how they will recover if the upgrade affects web forms, identity mappings, device communications, or site-specific configuration.
Testing should include more than confirming that the application starts. Administrators need to verify that lower-privileged accounts can no longer invoke administrative functions, sensitive directories cannot be browsed or retrieved, stored user-controlled content is handled safely, and card readers continue to communicate normally.
Logs should also be reviewed for pre-upgrade evidence of suspicious HTTP GET requests, unexpected administrative operations by non-administrative accounts, unusual edits to application entities, unexplained script content, and repeated card-reader service failures. ABB reported no known exploitation when the advisory was originally issued, but absence of vendor reports is not proof that no site was probed or compromised.

Action checklist for admins​

  • Confirm whether any production, standby, engineering, or disaster-recovery node runs T-MAC Plus 4.0-24.
  • Obtain and plan deployment of T-MAC Plus 4.0-25 through the appropriate ABB support channel.
  • Back up application data and site-specific configuration, and document a tested rollback procedure.
  • Validate firewall rules, internet exposure, business-network isolation, VPN access, and privileged maintenance paths.
  • Review IIS configuration and verify that file browsing and the default IIS site are not exposed.
  • Audit T-MAC Plus accounts, role assignments, recent administrative actions, and stored web-form content.
  • Inspect card-reader connectivity and investigate unexplained service stoppages requiring manual restarts.
  • Perform an operational impact assessment before deployment and test critical receipt, dispatch, access-control, and device workflows afterward.
CISA points operators to its broader defense-in-depth practices and the mitigation guidance in ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations that identify suspected malicious activity should follow their established incident procedures and report relevant findings to CISA for correlation.

Responsible Disclosure Produced a Fix Before Public Exploitation Reports​

Angelo Catalani of the Italian National Cybersecurity Agency, ACN, responsibly disclosed the vulnerabilities and provided input on product improvements. ABB said the issues had not been publicly disclosed when its advisory was issued and that it had received no information indicating exploitation at that time.
That is the best-case disclosure sequence: a researcher or national authority finds weaknesses, the vendor develops a corrected release, and customers receive remediation before confirmed exploitation becomes public. It does not, however, remove the urgency once technical details and affected versions are known.
Industrial patch windows tend to be slower than enterprise software cycles, while attackers can move in the opposite direction. Once an advisory identifies the vulnerable release, affected components, access conditions, and weakness classes, reconnaissance becomes easier even without a public exploit.

What T-MAC Plus Operators Should Carry Forward​

The incident is a warning about the cumulative effect of ordinary software-security failures inside extraordinary operational environments. None of the weakness classes is exotic; their importance comes from where they occur and how they can be combined.
  • T-MAC Plus 4.0-24 is the affected release; 4.0-25 contains ABB’s fixes.
  • CVE-2025-14771 is the most severe issue, with a CVSS 3.1 score of 9.9.
  • Low-privileged authenticated users are relevant to three web-application attack paths.
  • The card-reader denial of service requires more specific physical and adjacent-network conditions.
  • ABB reported no known exploitation when the advisory was originally issued.
  • Segmentation and restricted remote access reduce risk but do not replace the upgrade.
The real lesson of ICSA-26-195-03 is not that ABB T-MAC Plus contains four bugs; it is that configuration, authorization, browser trust, and field-device communications all converge in the same terminal-management platform. Upgrading to 4.0-25 closes the disclosed paths, but operators should use the patch cycle to verify the architecture around the product as well—because the next weakness may again begin in an ordinary web setting and end at an operational choke point.

References​

  1. Primary source: CISA
    Published: 2026-07-14T12:00:00+00:00
 

Back
Top