Vulnerabilities in T-MAC Plus

Action: Plan Patch
CVSS: 9.9
Reference ID: 9akk108472a7840
Published: Jun 3, 2026
ABB
Attack path
  • Attack Vector: Network
  • Auth Required: Low
  • Complexity: Low
  • User Interaction: None needed
Summary

ABB T-MAC Plus contains multiple authorization and cross-site scripting (XSS) vulnerabilities in versions 4.0-24 and earlier. Low-privilege authenticated users (Customer, Operator roles) can execute administrative operations that should be restricted to high-privilege accounts. Additionally, a DOM-based XSS vulnerability allows attackers on the operations network to inject malicious JavaScript code into web forms that executes when other users access them. The vulnerabilities stem from insufficient privilege validation in the web application and inadequate input sanitization. ABB has corrected these issues in T-MAC Plus version 4.0-25.

What this means
What could happen
An attacker with low-privilege access to the T-MAC Plus web application could execute administrative commands to alter system configurations or plant operations. Additionally, an attacker on the operations network could inject malicious code into web forms that would execute in other users' browsers, potentially gaining control of the system.
Who's at risk
Water authorities and electric utilities operating ABB T-MAC Plus automation control systems. This affects anyone using T-MAC Plus 4.0-24 for operational asset management, particularly those with multiple user roles accessing the web interface from internal networks.
How it could be exploited
An attacker with low-privilege credentials (e.g., Customer role) can directly call administrative functions in the T-MAC Plus web application without proper authorization checks. Separately, an attacker with network access to the operations network can create or edit entities in T-MAC Plus and inject malicious JavaScript code that executes when other authenticated users view those entities in the web interface.
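The two defect classes named in the summary, missing server-side privilege validation and missing output encoding, are best understood next to the controls that close them. The following is an added illustration, not T-MAC Plus code and not ABB's fix: a deny-by-default role check that runs on every request to an administrative operation regardless of what the UI exposes, and an HTML escaper applied to user-supplied entity fields before they are rendered. The role names match the advisory; the operation names, permission matrix and request shapes are hypothetical.

```javascript
// Added illustration (not T-MAC Plus code): deny-by-default server-side
// authorization plus output encoding. Operation names and the permission
// matrix are hypothetical; only the role names come from the advisory.

// Hypothetical permission matrix. An operation is allowed only for the
// roles listed against it; an unlisted operation or role is denied.
const PERMISSIONS = {
  'user.create':   ['Administrator'],
  'config.update': ['Administrator'],
  'entity.edit':   ['Administrator', 'Operator'],
  'entity.view':   ['Administrator', 'Operator', 'Customer'],
};

// Server-side check. Hiding a button in the UI is not authorization;
// this function must run for every request that reaches an admin function.
function isAuthorized(role, operation) {
  const allowed = PERMISSIONS[operation];
  return Array.isArray(allowed) && allowed.includes(role);
}

// Express-style guard factory. No framework is required to run it: req, res
// and next are plain objects/functions in handleRequest below.
function requireOperation(operation) {
  return function guard(req, res, next) {
    const role = req.session && req.session.role;
    if (!isAuthorized(role, operation)) {
      res.statusCode = 403;
      res.body = { error: 'forbidden' };
      return;
    }
    next();
  };
}

// Output encoding for fields another user controls (entity names,
// descriptions). Writing such fields into the page via innerHTML or a
// template string without this step is what makes stored input execute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Builds one table row for an entity; every untrusted field is escaped.
function renderEntityRow(entity) {
  return `<tr><td>${escapeHtml(entity.name)}</td><td>${escapeHtml(entity.description)}</td></tr>`;
}

// Simulated request pipeline: runs the guard and reports whether the
// protected handler was reached and which status the client would see.
function handleRequest(role, operation) {
  const req = { session: { role } };
  const res = { statusCode: 200, body: null };
  let reached = false;
  requireOperation(operation)(req, res, () => { reached = true; });
  return { statusCode: res.statusCode, reachedHandler: reached };
}

// Constructed sample data: a Customer-role request to an admin operation,
// and an entity whose name contains markup.
console.log(handleRequest('Customer', 'config.update'));      // { statusCode: 403, reachedHandler: false }
console.log(handleRequest('Administrator', 'config.update')); // { statusCode: 200, reachedHandler: true }
console.log(renderEntityRow({ name: 'Pump <script>x</script>', description: 'Intake & "main"' }));
```

The guard is deliberately keyed on the operation, not on the page or menu that led to it, so the same check applies whether a request arrives from the intended form or is issued directly against the endpoint. The escaper is the minimum for text placed into HTML element content; attributes, URLs and inline script contexts need their own encoders.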
Prerequisites
  • Low-privilege credentials (Customer, Operator, or similar role) for T-MAC Plus web application
  • Network access to the T-MAC Plus web application (HTTP/HTTPS)
  • For XSS attack: ability to create or edit entities in T-MAC Plus
  • Remotely exploitable
  • Low complexity attack
  • Affects control system authorization
  • High CVSS score (9.9)
  • Privilege escalation risk
  • DOM-based XSS injection possible
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
Product           | Affected Versions | Fix Status
T-MAC Plus 4.0-24 | 4.0-24            | 4.0-25
Remediation & Mitigation
Do now
HARDENING: Review and re-audit user roles and permissions in T-MAC Plus to ensure low-privilege users (Customer, Operator) cannot execute administrative operations
HARDENING: Restrict network access to the T-MAC Plus web application to authorized personnel and engineering workstations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update T-MAC Plus to version 4.0-25 or later
HARDENING: Disable directory browsing and remove default IIS sites on the T-MAC Plus server if not already done
Vulnerabilities in T-MAC Plus | CVSS 9.9 - OTPulse