CVE-2025-14771: ABB T-MAC Plus File and Directory Exposure
A near-maximum severity vulnerability tracked as CVE-2025-14771 has been disclosed affecting the ABB T-MAC Plus industrial device. With a CVSS v3.1 score of 9.9 (Critical), the flaw falls under CWE-552 (Files or Directories Accessible to External Parties), allowing unauthenticated remote attackers to access internal files and directories on the device — a severe risk in operational technology (OT) and industrial automation environments.
The vulnerability affects T-MAC Plus version 4.0-24 and was published to the NIST National Vulnerability Database on June 3, 2026.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-14771 |
| CVSS Score | 9.9 (Critical) |
| CWE Classification | CWE-552 — Files or Directories Accessible to External Parties |
| Affected Product | ABB T-MAC Plus v4.0-24 |
| Attack Vector | Network |
| Authentication Required | None (unauthenticated) |
| Primary Impact | Unauthorized file and directory access |
| Vendor | ABB (ASEA Brown Boveri) |
| Source | NVD / NIST |
Technical Details
About ABB T-MAC Plus
The ABB T-MAC Plus is an industrial motor control and protection relay used in electrical distribution and process automation environments. T-MAC devices are deployed in utilities, manufacturing plants, oil and gas facilities, and data center power infrastructure to provide overcurrent protection, motor management, and communication with supervisory control systems.
The network-accessible management interface of these devices allows remote configuration and monitoring — and it is this interface that exposes the CWE-552 file disclosure vulnerability.
Root Cause
CWE-552 describes a scenario where files or directories intended to be private are made accessible to network-based parties without authentication. In the context of the T-MAC Plus, this likely manifests as:
- A web server or file transfer service that does not enforce authentication before serving file system content
- Missing or improperly implemented access controls on the device's HTTP/FTP/TFTP management interface
- Directory traversal capability allowing requests to escape the intended document root
An unauthenticated remote attacker on the same network segment (or, if the device is internet-facing, from the internet) can request internal files such as:
- Device configuration files containing SCADA/DCS network parameters, relay settings, and communication credentials
- Firmware components enabling reverse engineering for further vulnerabilities
- Stored credentials used for upstream communication with control systems
- Private key material or certificates for encrypted management sessions
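The failure modes listed under Root Cause, shown as a generic file-serving routine before and after hardening. This is an added illustration of CWE-552, not ABB firmware code or part of the original advisory; the function names, directory layout and status codes are assumptions made for the example.

```python
import os
import tempfile


def resolve_unsafe(doc_root, requested):
    """'Before': no session check, and '..' segments are free to leave doc_root."""
    return os.path.normpath(os.path.join(doc_root, requested.lstrip("/")))


def resolve_hardened(doc_root, requested, authenticated):
    """'After': returns (status, path); path is None unless status is 200."""
    if not authenticated:                 # authenticate before touching the filesystem
        return 401, None
    root = os.path.realpath(doc_root)
    target = os.path.realpath(os.path.join(root, requested.lstrip("/")))
    # realpath collapses '..' and follows symlinks, so this catches both escapes
    if os.path.commonpath([root, target]) != root:
        return 403, None
    if not os.path.isfile(target):        # no directory listings
        return 404, None
    return 200, target


def demo():
    """Constructed layout: <tmp>/www/index.html (web root) and <tmp>/config/relay.cfg."""
    base = os.path.realpath(tempfile.mkdtemp())
    www = os.path.join(base, "www")
    cfg = os.path.join(base, "config", "relay.cfg")
    os.makedirs(www)
    os.makedirs(os.path.dirname(cfg))
    for path in (os.path.join(www, "index.html"), cfg):
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    request = "../config/relay.cfg"
    return {
        "unsafe_leaves_root": resolve_unsafe(www, request) == cfg,
        "no_session": resolve_hardened(www, "index.html", False)[0],
        "traversal": resolve_hardened(www, request, True)[0],
        "legitimate": resolve_hardened(www, "index.html", True),
        "index": os.path.join(www, "index.html"),
    }


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: rejecting unauthenticated requests first means the service never reveals whether a given path exists.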
Exploitation Path
Attacker (network-accessible to T-MAC Plus management interface)
→ HTTP/FTP request to device without authentication
→ No access control enforced
→ Internal files and directories served directly
→ Configuration files, credentials, firmware extracted
→ Pivot into connected ICS/OT infrastructure
The CVSS score of 9.9 indicates an essentially complete confidentiality, integrity, and availability impact with no authentication required and a network attack vector — placing this vulnerability at the extreme end of severity for ICS device flaws.
Impact Assessment
| Impact Area | Description |
|---|---|
| Configuration Exposure | Relay protection settings, network topology, and communication parameters disclosed |
| Credential Theft | Stored usernames, passwords, and shared secrets for SCADA/DCS integration exposed |
| Firmware Extraction | Full firmware image accessible for offline vulnerability research or cloning |
| Network Mapping | Device file system may reveal upstream SCADA/HMI addresses and network configuration |
| Lateral Movement | Stolen credentials enable pivoting to SCADA systems, historians, and engineering workstations |
| Physical Process Risk | Compromised protection relay configuration could lead to unprotected motor operations |
ABB T-MAC Plus devices protect electrical motors and distribution equipment. In a worst-case exploitation scenario, an attacker extracting and modifying device configurations could disable overcurrent protection or alter trip thresholds, creating conditions for equipment damage or electrical hazards.
Affected Systems
| Product | Version | Status |
|---|---|---|
| ABB T-MAC Plus | 4.0-24 | Affected |
Organizations should contact ABB Product Security and monitor the ABB Cybersecurity Advisory Portal for patch availability and official mitigation guidance. ICS patches are typically coordinated through CISA ICS-CERT advisories.
Remediation
Immediate Actions
- Apply ABB security patches — Monitor ABB's official security advisory portal and CISA ICS-CERT for patch releases specific to T-MAC Plus v4.0-24:
  - ABB Cybersecurity Advisory Portal: new.abb.com/support/cybersecurity
  - CISA ICS-CERT Advisories: cisa.gov/ics-advisories
- Network isolation — If the T-MAC Plus does not require direct network access from untrusted segments, isolate it behind firewalls:

  ```bash
  # Run on the Linux firewall/router in front of the device. The FORWARD chain
  # filters routed traffic; INPUT only covers traffic addressed to the firewall itself.
  # Block T-MAC Plus management ports from non-administrative hosts
  # Common management ports: 80/TCP (HTTP), 21/TCP (FTP), 23/TCP (Telnet), 443/TCP (HTTPS)
  iptables -A FORWARD -p tcp -d <t-mac-plus-address> -m multiport --dports 80,21,23,443 \
    -s <ot-management-subnet> -j ACCEPT
  iptables -A FORWARD -p tcp -d <t-mac-plus-address> -m multiport --dports 80,21,23,443 -j DROP
  ```

- Disable unused management interfaces — If TFTP, FTP, or Telnet services are not required, disable them through the device's configuration interface.
- Change default credentials — Even before patching, change all default usernames and passwords on T-MAC Plus devices. Many ICS devices ship with well-known defaults that are commonly targeted.
- Audit network exposure — Run a network scan to identify T-MAC Plus devices accessible from unexpected network segments:

  ```bash
  nmap -p 80,21,23,443 <ot-subnet-range> --open
  ```

- Review audit logs — If the T-MAC Plus supports logging, review for unauthorized file access attempts prior to patching.
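One way to turn the exposure scan from the "Audit network exposure" step into a findings list. This is an added example, not part of the original advisory; it assumes the nmap command above was run with `-oG -` (grepable output) from a segment that should not reach the relays, and the scan lines, addresses and inventory below are constructed.

```python
import re

MGMT_PORTS = {80: "HTTP", 21: "FTP", 23: "Telnet", 443: "HTTPS"}  # ports named in the steps above
CLEARTEXT = {21, 23}  # FTP and Telnet carry credentials unencrypted

# Constructed sample of `nmap -oG -` output; fields are port/state/proto/owner/service/...
SAMPLE_SCAN = (
    "Host: 10.20.1.15 ()\tStatus: Up\n"
    "Host: 10.20.1.15 ()\tPorts: 80/open/tcp//http///, 21/open/tcp//ftp///\n"
    "Host: 10.20.1.16 ()\tStatus: Up\n"
    "Host: 10.20.1.16 ()\tPorts: 443/open/tcp//https///, 23/filtered/tcp//telnet///\n"
    "Host: 10.20.1.40 ()\tStatus: Up\n"
    "Host: 10.20.1.40 ()\tPorts: 23/open/tcp//telnet///\n"
)
# Hypothetical asset inventory keyed by address (constructed)
INVENTORY = {"10.20.1.15": "T-MAC Plus MCC-1", "10.20.1.16": "T-MAC Plus MCC-2"}


def parse_grepable(text):
    """Return {host: sorted open management ports}; non-open states are ignored."""
    exposed = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # Status lines and '#' comment lines carry no port list
        ports = []
        for entry in m.group(2).split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open" and fields[2] == "tcp":
                if int(fields[0]) in MGMT_PORTS:
                    ports.append(int(fields[0]))
        if ports:
            exposed[m.group(1)] = sorted(ports)
    return exposed


def audit(scan_text, inventory):
    """Every reachable management port is a finding, since the vantage point should see none."""
    return [
        {"host": host,
         "asset": inventory.get(host, "not in inventory"),
         "ports": ports,
         "cleartext": sorted(CLEARTEXT.intersection(ports))}
        for host, ports in sorted(parse_grepable(scan_text).items())
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN, INVENTORY):
        print(finding)
```

Hosts reported as "not in inventory" feed the asset inventory work, and any entry under `cleartext` is a candidate for the "Disable unused management interfaces" step.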
Defense-in-Depth for OT Environments
Priority 1: Patch or apply vendor mitigations as soon as available
Priority 2: Network segmentation — OT devices must not be internet-accessible
Priority 3: Unidirectional security gateways for data flows from OT to IT
Priority 4: ICS-specific IDS/IPS (e.g., Claroty, Dragos, Nozomi) monitoring
Priority 5: Asset inventory — know every T-MAC Plus on your network
Priority 6: Incident response plan for ICS device compromise scenarios
ICS Security Context
Near-maximum CVSS scores in industrial control system devices are particularly alarming because:
| Challenge | Implication |
|---|---|
| Long patch cycles | ICS devices may remain unpatched for months or years |
| Availability priority | Protection relays cannot simply be rebooted mid-production |
| Physical consequences | Motor protection settings affect physical safety of equipment |
| Legacy protocols | Devices may use Modbus, DNP3, or IEC 61850 with minimal security |
| Internet exposure | Many ICS devices are inadvertently internet-accessible and discoverable via Shodan |
CISA's Known Exploited Vulnerabilities (KEV) catalog and the ICS-CERT advisory feed are the primary channels for tracking active exploitation of vulnerabilities like CVE-2025-14771 in operational technology environments.
Key Takeaways
- CVE-2025-14771 is a CVSS 9.9 critical CWE-552 vulnerability in ABB T-MAC Plus v4.0-24 — no authentication required for exploitation
- Attackers can extract configuration files, credentials, and firmware via unauthenticated file system access on the management interface
- T-MAC Plus devices protect industrial motors and electrical distribution equipment — compromise carries physical safety implications
- Immediate action: isolate affected devices from untrusted networks pending ABB patch release
- Monitor ABB's Cybersecurity Advisory Portal and CISA ICS-CERT for official remediation guidance