ABB Ability OPTIMAX

Plan Patch | CVSS 8.1 | ICS-CERT ICSA-26-120-04 | Jan 16, 2026
ABB, Microsoft
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

ABB Ability OPTIMAX contains an authentication bypass vulnerability in the optional Azure Active Directory single-sign-on integration. An attacker who exploits this vulnerability could bypass user authentication and execute arbitrary code, shut down the system, or modify system configurations. The vulnerability affects OPTIMAX v6.1 (all versions, no fix available), v6.2 (all versions, no fix available), v6.3 (before 6.3.1-251120), and v6.4 (before 6.4.1-251120). The vulnerability itself is limited to the authentication bypass; the actual impact depends on what the attacker does after authentication is bypassed.

What this means
What could happen
An unauthenticated attacker who has network access to ABB Ability OPTIMAX could bypass user authentication when Azure AD single-sign-on is enabled, potentially allowing arbitrary code execution, system shutdown, or configuration changes on the platform.
Who's at risk
Organizations using ABB Ability OPTIMAX for energy management, industrial automation, or facility operations systems, particularly those that have integrated Azure Active Directory for single-sign-on authentication. The risk is most critical for v6.1 and v6.2 users who cannot patch.
How it could be exploited
An attacker sends a specially crafted authentication request to the OPTIMAX system's Azure AD integration endpoint, bypassing the authentication check. With authentication bypassed, the attacker could execute arbitrary commands through the application's administrative interface, modify system configurations, or shut down operations.
Prerequisites
  • Network access to the ABB Ability OPTIMAX system
  • Azure Active Directory single-sign-on integration must be enabled
  • OPTIMAX version 6.1, 6.2, 6.3 (before 6.3.1-251120), or 6.4 (before 6.4.1-251120)
Tags: remotely exploitable, no authentication required, low complexity, affects operations platform, versions 6.1 and 6.2 are end-of-life with no patch planned
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (6)
4 with fix, 2 pending
Product | Affected Versions | Fix Status
Ability OPTIMAX 6.1 | All versions | Fix available
Ability OPTIMAX 6.2 | All versions | Fix available
Ability OPTIMAX 6.1 vers:all/* | All versions | No fix yet
Ability OPTIMAX 6.2 vers:all/* | All versions | No fix yet
Ability OPTIMAX 6.3 <6.3.1-251120 | <6.3.1-251120 | 6.3.1-251120
Ability OPTIMAX 6.4 <6.4.1-251120 | <6.4.1-251120 | 6.4.1-251120
Remediation & Mitigation
Do now
  • HOTFIX: For OPTIMAX v6.1 and v6.2 users, contact ABB to obtain guidance and potential updates
  • WORKAROUND: Disable Azure Active Directory single-sign-on integration in OPTIMAX if not required, or restrict network access to the authentication endpoint to trusted networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update ABB Ability OPTIMAX 6.3 to version 6.3.1-251120 or later
  • HOTFIX: Update ABB Ability OPTIMAX 6.4 to version 6.4.1-251120 or later
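
The affected-version ranges and the Azure AD SSO prerequisite above can be turned into an inventory triage check. The following Python is an added example, not ABB's or the advisory's own tooling; the status names, host names and the assumption that installed versions are reported in the same `major.minor.patch-build` layout as the fixed builds are all illustrative.

```python
import re

# Branch data as listed in the advisory: fixed builds, and branches with no fix.
FIXED = {(6, 3): (6, 3, 1, 251120), (6, 4): (6, 4, 1, 251120)}
NO_FIX = {(6, 1), (6, 2)}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?(?:-(\d+))?$")


def parse_version(text):
    """Parse 'major.minor[.patch][-build]' into a 4-tuple of ints.

    Assumption: installed versions are reported in the same layout as the
    advisory's fixed builds (6.3.1-251120) and the build suffix only increases.
    """
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def triage(version, sso_enabled):
    """Return (status, action) for one OPTIMAX instance."""
    v = parse_version(version)
    branch = v[:2]
    if branch in NO_FIX:
        action = "contact ABB for guidance (no fix listed for this branch)"
    elif branch in FIXED:
        if v >= FIXED[branch]:
            return ("fixed", "none")
        a, b, c, d = FIXED[branch]
        action = f"update to {a}.{b}.{c}-{d} or later"
    else:
        return ("not-listed", "branch is not covered by the advisory")
    if sso_enabled:
        # Prerequisite met: Azure AD SSO is on, so the bypass is reachable.
        return ("exposed", action + "; until then disable Azure AD SSO or "
                "restrict the authentication endpoint to trusted networks")
    # Vulnerable build, but the SSO prerequisite is not currently met.
    return ("latent", action + "; keep Azure AD SSO disabled until then")


if __name__ == "__main__":
    # Constructed inventory: host names, versions and SSO flags are made up.
    inventory = [("optimax-a", "6.1.0", True), ("optimax-b", "6.3.1-251119", True),
                 ("optimax-c", "6.4.0", False), ("optimax-d", "6.4.1-251120", True)]
    for host, version, sso in inventory:
        status, action = triage(version, sso)
        print(f"{host:10} {version:14} sso={sso!s:5} {status:8} {action}")
```
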
API: /api/v1/advisories/4d661057-ea13-433b-a646-e92d46a8ef6d
