VYPR
advisoryPublished Jul 14, 2026· 1 source

Multiple Critical Vulnerabilities Disclosed in ABB T-MAC Plus

CISA has issued an advisory detailing four critical vulnerabilities in ABB's T-MAC Plus industrial control system software, with CVSS scores up to 9.9.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory highlighting multiple critical vulnerabilities affecting ABB's T-MAC Plus industrial control system software. The vulnerabilities, identified in versions 4.0 through 4.0-24, pose significant risks to critical manufacturing sectors worldwide.

Four distinct vulnerabilities have been detailed, each carrying a high CVSS score. CVE-2025-14771, rated critical with a CVSS score of 9.9, allows authenticated users to exfiltrate sensitive files from the system via crafted HTTP GET requests. This file disclosure could expose critical operational data.

Another critical vulnerability, CVE-2025-14772, also with a CVSS score of 8.8, stems from broken access controls. This flaw enables unprivileged users to perform administrative operations, effectively bypassing intended security restrictions and potentially leading to unauthorized system modifications.

Furthermore, CVE-2025-14773 introduces a stored cross-site scripting (XSS) vulnerability. Authenticated users can exploit this flaw to inject arbitrary HTML or JavaScript code into web forms, which can then be executed in the browsers of other users, potentially leading to credential theft or session hijacking.

The fourth vulnerability, CVE-2025-14774, affects the Card Reader service. This vulnerability, while not explicitly given a CVSS score in the provided text, is described as an insecure network protocol that allows unauthenticated attackers to perform a denial-of-service (DoS) attack, disrupting the functionality of the card reader service.

ABB has acknowledged these vulnerabilities and has released version 4.0-25 of T-MAC Plus to address them. The company strongly recommends that customers apply this update at their earliest convenience to mitigate the risks associated with these flaws. In addition to the vendor fix, ABB has also implemented mitigations, including correcting misconfigurations on the IIS server and removing the File Browsing feature, and has tested workarounds that may help block known attack vectors.

The T-MAC Plus system is deployed globally and is crucial for operations within the critical manufacturing sector. The potential impact of these vulnerabilities ranges from sensitive data exfiltration and unauthorized administrative control to cross-site scripting attacks and denial-of-service conditions, underscoring the importance of prompt patching and security updates.

This advisory serves as a critical alert for organizations utilizing ABB's T-MAC Plus system, emphasizing the ongoing need for vigilance in securing industrial control systems against sophisticated cyber threats.

Synthesized by Vypr AI