Vulnerabilities in T-MAC Plus - ICS Security Advisory

// Description

ABB became aware of vulnerability in the products versions listed as affected in the advisory. An update is available that resolves the reported vulnerabilities. An attacker who successfully exploited any of these vulnerabilities could potentially compromise the system in different ways.

// Vulnerabilities (4)

CVE ID	CVSS Score	Severity	Description
CVE-2025-14772	8.8	high	CVE-2025-14772. Broken access controls in ABB T-MAC Plus web application allows unprivileged users to performs administrative operations
CVE-2025-14773	8.0	high	CVE-2025-14773. Stored Cross-Site Scripting (XSS) in ABB T-MAC Plus web application allows authenticated users to execute arbitrary HTML or JavaScript code on victims browser.
CVE-2025-14771	9.9	critical	CVE-2025-14771. File Disclosure in ABB T-MAC Plus web application allows authenticated users to exfiltrate files containing sensitive information via crafted HTTP GET request.
CVE-2025-14774	7.4	high	CVE-2025-14774. Insecure network protocol in ABB T-MAC Plus allows unauthenticated attackers to perform a denial-of-service (DoS) of the Card Reader service.

// Remediations (3)

Patch: ABB has investigated these vulnerabilities to provide adequate protection to customers. The problem

ABB has investigated these vulnerabilities to provide adequate protection to customers. The problem is corrected in the following product versions: T-MAC Plus version 4.0-25 ABB recommends that customers apply the update at earliest convenience.

Workaround: Workarounds are specific measures that a user can take to help block an attack, for example, tempora

Workarounds are specific measures that a user can take to help block an attack, for example, temporarily disabling the vulnerable feature may remove the exposure with well-known impact on functionality. ABB has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors. When a workaround reduces functionality, this is identified below as “Impact of workaround”.

Mitigation: If a malicious actor gains physical access to a serial device, disables it, connects a malicious dev

If a malicious actor gains physical access to a serial device, disables it, connects a malicious device with same IP address, and sends a specially crafted message, the service responsible for communicating with the device will be blocked until a manual restart is performed. New T-MAC Plus version 4.0-25 will correct the vulnerability.

// References

ABB PSIRT 9AKK108472A7840
ABB PSIRT https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A7840&LanguageCode=en&DocumentPartId=&Action=Launch
ABB PSIRT https://psirt.abb.com/csaf/2026/9akk108472a7840.json