OTPulse

AWIN Gateways Vulnerabilities in Embedded Webserver

Plan Patch · 8.3 · 4JNO000329 · Mar 13, 2026
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

ABB AWIN gateways contain authentication bypass vulnerabilities in the embedded webserver (CWE-294: Improper Authentication, CWE-306: Missing Authentication). Affected versions include GW100 rev. 2 (2.0-0, 2.0-1) and GW120 (1.2-0, 1.2-1). An unauthenticated attacker with network access to an AWIN gateway could remotely execute commands, reboot the device causing denial of service, and extract system configuration information. The vulnerability requires network-level access but does not require valid credentials. ABB emphasizes that AWIN gateways are not intended for internet exposure and should be deployed behind firewalls with proper network segmentation.

What this means
What could happen
An attacker with network access to an AWIN gateway could remotely execute commands, reboot the device causing operational outages, and extract system configuration details. This affects gateway connectivity for industrial automation networks.
Who's at risk
Water utilities and municipal electric utilities using ABB AWIN gateway products (GW100 rev. 2 or GW120) for industrial automation network connectivity. These gateways are commonly deployed to connect legacy control systems to modern monitoring and management networks in substations, water treatment plants, and distribution control centers.
How it could be exploited
An attacker on the same network segment as an AWIN gateway exploits weaknesses in the embedded webserver authentication (CWE-294, CWE-306) to bypass credential requirements. Once access is gained, the attacker can issue remote commands including reboot or configuration extraction without legitimate credentials.
Prerequisites
  • Network access to the AWIN gateway (local network or compromised perimeter/firewall)
  • No valid credentials required for exploitation
  • Gateway must be running affected firmware versions (GW100 v2.0-x or GW120 v1.2-x)
  • Remotely exploitable from network
  • No authentication required
  • Low complexity exploitation
  • Affects gateway/network connectivity systems
  • Firmware update required (vendor fix available)
  • Default/missing credential protection
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (4)
4 with fix
Product           | Product ID   | Affected Version | Fix Status (fixed in)
AWIN GW100 rev. 2 | 3BNP102988R1 | 2.0-0            | 2.1-0
AWIN GW100 rev. 2 | 3BNP102988R1 | 2.0-1            | 2.1-0
AWIN GW120        | 3BNP103003R1 | 1.2-0            | 2.0-0
AWIN GW120        | 3BNP103003R1 | 1.2-1            | 2.0-0
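The table above is what an asset owner needs to triage an inventory, but ABB's "major.minor-patch" version strings do not compare correctly as plain text (for example "1.2-1" versus "2.0-0"). The script below is an added example for this page, not code from OTPulse or ABB: it parses those version strings, checks each inventoried gateway by product ID against the affected and fixed versions listed in the table, and maps the result onto the advisory's remediation tiers (disconnect now, restrict and schedule the upgrade, no action). The inventory rows, hostnames and the "exposure" field are constructed sample data, and a version that is older than the fix but not explicitly listed as affected is flagged separately rather than assumed safe.

```python
"""Triage an AWIN gateway inventory against the advisory's affected-version table.

Added example (not OTPulse or ABB code). Product IDs and versions below are
taken from the advisory table; hostnames and exposure values are constructed.
"""
import re

# Product ID -> (product name, affected versions, fixed version), from the advisory table.
ADVISORY = {
    "3BNP102988R1": ("AWIN GW100 rev. 2", ("2.0-0", "2.0-1"), "2.1-0"),
    "3BNP103003R1": ("AWIN GW120", ("1.2-0", "1.2-1"), "2.0-0"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)$")


def parse_version(text):
    """Turn an ABB-style version such as '2.0-1' into a comparable (2, 0, 1) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(product_id, firmware):
    """Classify one gateway. Returns (status, fixed_version_or_None).

    status is one of: 'affected', 'fixed', 'unlisted-below-fix', 'not-in-advisory'.
    Raises ValueError when the firmware string cannot be parsed.
    """
    entry = ADVISORY.get(product_id.strip().upper())
    if entry is None:
        return ("not-in-advisory", None)
    _name, affected, fixed = entry
    version = parse_version(firmware)
    if version in {parse_version(a) for a in affected}:
        return ("affected", fixed)
    if version >= parse_version(fixed):
        return ("fixed", fixed)
    # Older than the fix but not named in the advisory: do not assume it is safe.
    return ("unlisted-below-fix", fixed)


def recommend(status, exposure):
    """Map a status plus network exposure onto the advisory's remediation tiers."""
    if status == "affected" and exposure == "internet":
        return "disconnect from the internet now; then schedule firmware upgrade"
    if status in ("affected", "unlisted-below-fix"):
        return "restrict access to trusted automation/management subnets; schedule upgrade in a maintenance window"
    if status == "fixed":
        return "no action from this advisory; keep firewall restrictions in place"
    return "verify product ID and firmware manually"


def triage(inventory):
    """inventory: iterable of dicts with keys host, product_id, firmware, exposure."""
    report = []
    for row in inventory:
        try:
            status, fixed = assess(row["product_id"], row["firmware"])
        except ValueError:
            status, fixed = ("unparseable", None)
        report.append({
            "host": row["host"],
            "status": status,
            "fixed": fixed,
            "action": recommend(status, row.get("exposure", "unknown")),
        })
    return report


# Constructed sample inventory (hostnames and exposure are illustrative only).
SAMPLE_INVENTORY = [
    {"host": "gw-sub1", "product_id": "3BNP102988R1", "firmware": "2.0-1", "exposure": "internet"},
    {"host": "gw-sub2", "product_id": "3BNP102988R1", "firmware": "2.1-0", "exposure": "trusted"},
    {"host": "gw-wtp1", "product_id": "3BNP103003R1", "firmware": "1.2-0", "exposure": "trusted"},
    {"host": "gw-wtp2", "product_id": "3BNP103003R1", "firmware": "1.1-3", "exposure": "trusted"},
    {"host": "gw-dcc1", "product_id": "3BNP103003R1", "firmware": "2.0", "exposure": "unknown"},
    {"host": "gw-misc", "product_id": "3BNP000000R0", "firmware": "1.0-0", "exposure": "trusted"},  # placeholder ID
]

if __name__ == "__main__":
    for item in triage(SAMPLE_INVENTORY):
        print(f"{item['host']:8} {item['status']:20} fix={item['fixed']}  -> {item['action']}")
```

Run it as-is to see the sample report; in practice, feed `triage()` rows exported from your asset inventory. Hosts reported as "unlisted-below-fix" or "unparseable" deserve a manual check against the device rather than being dropped from the upgrade list.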
Remediation & Mitigation
Do now
WORKAROUND: Immediately disconnect any AWIN gateways directly exposed to the internet
HARDENING: Implement firewall rules to restrict network access to AWIN gateways to only trusted automation networks and management subnets
HARDENING: Implement physical access controls to restrict unauthorized personnel from connecting to or modifying gateway devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade AWIN GW100 rev. 2 to firmware version 2.1-0
HOTFIX: Upgrade AWIN GW120 to firmware version 2.0-0
Long-term hardening
HARDENING: Use secure remote access methods only (VPN, SSH, encrypted tunnels) if remote management of gateways is required
API: /api/v1/advisories/83130942-c23d-43c9-863c-33fec1c27863