ABB Ability™ OPTIMAX® Authentication Bypass in Single-Sign On with Azure Active Directory
Plan Patch · CVSS 8.1 · Reference 9akk108472a1331 · Jan 16, 2026
ABB
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A severe authentication bypass vulnerability exists in ABB Ability OPTIMAX versions 6.1 through 6.4 when the optional Azure Active Directory Single-Sign On integration is enabled. An attacker who exploits this vulnerability can bypass user authentication and gain unauthorized access to perform system shutdown, configuration modification, and arbitrary code execution. The vulnerability has not been reported as actively exploited in the wild.
What this means
What could happen
An attacker who bypasses user authentication could gain full control of the OPTIMAX system, potentially shutting down operations, modifying process configurations, or running arbitrary code on your industrial control platform.
Who's at risk
Organizations using ABB Ability OPTIMAX for industrial process management or optimization, particularly those who have enabled the optional Azure Active Directory Single-Sign On feature for authentication. This affects manufacturing, utilities, refineries, and other industrial operations relying on OPTIMAX for system control and monitoring.
How it could be exploited
An attacker exploits a flaw in the Azure Active Directory Single-Sign On integration to bypass the user authentication checks. Having passed authentication without valid credentials, the attacker can reach the OPTIMAX management interface and perform privileged operations such as system shutdown, configuration changes, or code execution.
Prerequisites
- Azure Active Directory Single-Sign On integration must be enabled on the OPTIMAX system
- Network access to the OPTIMAX authentication service
- No valid user credentials required
Key points:
- Remotely exploitable
- No authentication required when exploited
- Affects control system configuration and operations
- Unsupported product versions (6.1 and 6.2) have no patch available
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (4)
2 with fix, 2 EOL
Product | Affected versions | Fix status
Ability OPTIMAX 6.3 | < 6.3.1-251120 | Fixed in 6.3.1-251120
Ability OPTIMAX 6.4 | < 6.4.1-251120 | Fixed in 6.4.1-251120
Ability OPTIMAX 6.1 | All versions | No fix (EOL)
Ability OPTIMAX 6.2 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Contact ABB for a supported upgrade path if running v6.1 or v6.2 (unsupported versions with no fixes available)
WORKAROUND: Disable Azure Active Directory Single-Sign On integration if the vulnerability cannot be patched immediately
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update Ability OPTIMAX v6.3 to version 6.3.1-251120 or later
HOTFIX: Update Ability OPTIMAX v6.4 to version 6.4.1-251120 or later
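As an added example, not part of this advisory or of any ABB tooling: a small Python triage script that checks an OPTIMAX inventory against the affected-version table and the remediation steps above, so a fleet can be sorted into fixed, mitigated (SSO disabled), vulnerable, or out-of-scope. The version string format, host names and inventory rows are constructed assumptions.

```python
"""Triage an OPTIMAX inventory against this advisory's affected-version table."""
import re

# Fixed builds from the advisory table; 6.1 and 6.2 are EOL with no fix.
FIXED_BUILD = {"6.3": "6.3.1-251120", "6.4": "6.4.1-251120"}
EOL_BRANCHES = {"6.1", "6.2"}

# Assumed format: major.minor[.patch][-build], e.g. "6.3.1-251120".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text):
    """'6.3.1-251120' -> (6, 3, 1, 251120). A missing patch or build number
    counts as 0, so a bare '6.3.1' sorts below the fixed build (conservative)."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised OPTIMAX version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def triage(version, azure_sso_enabled):
    """Return (status, action) for one OPTIMAX instance."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in EOL_BRANCHES:
        fix = None
    elif branch in FIXED_BUILD:
        fix = FIXED_BUILD[branch]
        if parsed >= parse_version(fix):
            return "fixed", "no action"
    else:
        return "out-of-scope", "version not listed in the advisory; confirm with ABB"
    # Affected build. The bypass only applies when Azure AD SSO is enabled.
    if not azure_sso_enabled:
        return "mitigated", "keep Azure AD SSO disabled; schedule the upgrade"
    if fix is None:
        return "vulnerable", "disable Azure AD SSO now; contact ABB for a supported upgrade path"
    return "vulnerable", f"disable Azure AD SSO until updated to {fix} or later"


def triage_inventory(rows):
    """rows: iterable of (hostname, version, sso_enabled) -> {host: (status, action)}."""
    return {host: triage(ver, sso) for host, ver, sso in rows}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("optimax-a", "6.3.0", True), ("optimax-b", "6.4.1-251120", True),
              ("optimax-c", "6.2.3", True), ("optimax-d", "6.4.0", False)]
    for host, (status, action) in triage_inventory(sample).items():
        print(f"{host}: {status} - {action}")
```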
CVEs (1)