This is less a front-door kick-in than a bad badge reader letting an already-admitted visitor open the wrong filing cabinet.
CVE-2025-14771 is an authenticated file disclosure bug in the ABB T-MAC Plus web application. ABB says T-MAC Plus 4.0-24 is affected and 4.0-25 fixes it. The vulnerable behavior: a crafted HTTP GET request lets an authenticated user pull files containing sensitive information out of the web application context.
The vendor's 9.9/CRITICAL score does not match field reality for this CVE. The big friction points are that exploitation starts with valid low-privilege access and usually requires reachability to a terminal-management system on an OT/internal network, not an internet-wide unauthenticated edge service. Add no KEV listing, no public exploitation evidence, and a very low EPSS, and this drops out of emergency territory.
4 steps from start to impact.
Step 1: Land on the T-MAC Plus web app with a real account
Tooling: curl or Burp Suite is enough because the flaw is in normal HTTP request handling, not memory corruption or protocol desync.
Prerequisites:
- Network path to the T-MAC Plus IIS-hosted web application
- A valid authenticated account with at least low privileges
- Target is running affected version 4.0-24
Friction:
- This is already post-initial-access in most enterprises
- Many T-MAC deployments sit on segmented terminal/OT networks, not public internet
- Identity controls, jump hosts, and vendor access workflows reduce the reachable population
Step 2: Replay crafted HTTP GETs to retrieve unintended files
Crafted HTTP GET requests against the application pull back files the role should not be able to read. ABB's own mitigation notes point to IIS file browsing/default site misconfiguration as part of the exposure, which strongly suggests mis-scoped web content or file-serving behavior is involved.
Prerequisites:
- Authenticated session remains valid
- Vulnerable IIS/web-app configuration still present
- Requested files are readable from the application path/context
Friction:
- IIS hardening may already have removed the default site and directory browsing
- WAFs, reverse proxies, or custom URL filtering may break obvious path probes
- Needed files may not be where the attacker expects them
Tooling: crafted GET patterns, traversal-style enumeration, or reads against rarely used paths.
Step 3: Mine the disclosed files for credentials, config, or operational data
Prerequisites:
- Sensitive files are present in the exposed scope
- Disclosed contents contain secrets, topology clues, or business-sensitive workflows
Friction:
- Some deployments may expose only low-value static files
- Secrets may be stored elsewhere or encrypted
- Least-privilege service design can limit pivot value
Step 4: Use the leaked data for a second-stage move
Prerequisites:
- Leaked files contain reusable secrets or trusted integration details
- Adjacent systems accept those secrets or expose reachable services
Friction:
- Requires a successful second exploit or credential reuse event
- Modern PAM, MFA, and network segmentation can stop the pivot
- Some leaked data may be stale or non-actionable
The supporting signals.
| Signal | Assessment |
|---|---|
| In-the-wild status | No public exploitation evidence found in this review. ABB says it had no reports of exploitation when the advisory was issued on 2026-06-03. |
| Proof-of-concept availability | No public PoC repo or exploit write-up found in web search during this review. Expect easy private reproduction with standard HTTP tooling once an authenticated test account exists. |
| EPSS | 0.00042 (from the user-supplied intel block); that is extremely low and consistent with a niche, post-auth OT bug. *Percentile was not independently verified from FIRST during this review.* |
| KEV status | Not listed in the CISA KEV catalog during this review. |
| CVSS vector reality check | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H assumes network reachability and gives massive weight to impact, but the PR:L requirement is the whole story here: you already need a foothold plus a valid account. |
| Affected versions | ABB CSAF lists T-MAC Plus 4.0-24 as known affected. |
| Fixed version | ABB says T-MAC Plus 4.0-25 corrects the issue. ABB also says the IIS file browsing feature and default IIS site were removed as part of the mitigation/fix path. |
| Exposure population | T-MAC Plus is a terminal management system for oil, gas, chemical, rail, barge, truck, and pipeline workflows. Public product material shows integrations with card readers, weighbridge, ERP, kiosks, and tank systems, which usually places it on restricted operations networks, not general internet edge. |
| Disclosure and reporter | Published by ABB on 2026-06-03. ABB credits Angelo Catalani of the Italian National Cybersecurity Agency (ACN). |
| Advisory quality note | ABB's own FAQ is internally inconsistent: it describes crafted network messages, then says exploitation is not remote and needs physical access. The CVE description itself says authenticated HTTP GET. That inconsistency is another reason to distrust the raw 9.9. |
noisgate verdict: MEDIUM.
The decisive downgrade factor is attacker position: this bug requires an already-authenticated user in a product that is typically deployed on a segmented OT/terminal network. That makes it a post-compromise amplifier, not an internet-scale break-in path, despite the vendor's critical label.
Why this verdict
- Downgrade: requires valid authenticated access. Starting from the vendor's 9.9, PR:L is not a footnote here; it means the attacker already has credentials to a niche OT web app.
- Downgrade: reachability is narrow. T-MAC Plus is a terminal-management platform used in operational environments with card readers, tank systems, and dispatch workflows, which materially lowers the exposed population versus a public-facing enterprise app.
- Downgrade: no exploitation pressure. No KEV entry, no public exploit evidence found, and a user-supplied EPSS of 0.00042 all argue against treating this like an urgent edge compromise wave.
- Downgrade: vendor score appears inflated by impact bundling. The individual CVE description is file disclosure, while the advisory-level FAQ talks about code execution and service stoppage across multiple vulnerabilities.
- Not LOW: disclosed files can still matter. In a terminal-management stack, config files, connection data, or operational documents can materially improve follow-on access and expose sensitive business/OT workflows.
Why not higher?
This is not an unauthenticated edge exploit, and there is no evidence in this review that it is being mass-scanned or used in the wild. The requirement for a valid account on an OT-internal application sharply limits both the initial reachable population and the speed at which opportunistic attackers can weaponize it.
Why not lower?
Authenticated file disclosure on an operations platform is still real security debt, not paperwork. If low-privilege roles are common or broadly shared, the bug can leak data that meaningfully supports lateral movement, privilege abuse, or operational disruption in a sensitive environment.
What to do — in priority order.
- Remove exposed IIS defaults — Verify that directory browsing is disabled and the Default Web Site is removed or stopped on T-MAC Plus hosts, matching ABB's mitigation notes. For a MEDIUM verdict there is no mitigation SLA; treat this as hardening work during normal change windows while still completing the vendor upgrade inside the 365-day remediation window.
- Constrain web access to trusted admin paths — Limit T-MAC Plus web access to jump hosts, management VLANs, or named allowlists so low-trust users and broad enterprise segments cannot reach the application directly. For MEDIUM, there is no mitigation SLA; implement as operational hygiene where feasible before the scheduled 4.0-25 upgrade.
- Prune and review low-privilege accounts — Inventory customer/operator-style accounts, remove stale users, rotate shared credentials, and review which roles actually need web access. This directly reduces the most important exploit prerequisite: a valid low-privileged session.
- Alert on odd file-retrieval patterns — Add detections for unusual IIS GET requests, rarely used paths, repeated enumeration, and large downloads from T-MAC Plus web endpoints. This will not prevent exploitation, but it raises your chance of catching authenticated abuse before follow-on compromise.
Controls that fall short on their own:
- MFA alone doesn't solve this once the attacker already has a valid authenticated session or is abusing a shared/legacy account.
- Perimeter AV or endpoint signatures won't reliably catch crafted HTTP GET requests against IIS content.
- Blind unauthenticated external scanning gives false comfort here; the bug sits behind login and often behind OT segmentation.
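The first two items above (IIS defaults, access constraint) come down to three IIS settings. The script below audits them and, with -Apply, fixes them, as an added example that is neither ABB's guidance script nor this page's verification payload. It assumes the WebAdministration module, the IP and Domain Restrictions feature (Web-IP-Security), a T-MAC Plus site named TMACPlus, and a 10.20.0.0/24 management range; all three names are placeholders to replace with your own.

```powershell
# Audit, then remediate, the IIS exposure ABB's mitigation notes describe, and allowlist web access.
# Added example. Run elevated on the T-MAC Plus host in a change window; without -Apply it only reports.
param([switch]$Apply)
Import-Module WebAdministration

$appSite  = 'TMACPlus'                                # assumption: the T-MAC Plus IIS site name
$mgmtNet  = '10.20.0.0'; $mgmtMask = '255.255.255.0'  # assumption: jump-host / management range
$dirBrowse = 'system.webServer/directoryBrowse'
$ipSec     = 'system.webServer/security/ipSecurity'

# 1. Directory browsing: server default plus every site's effective value, because a site
#    (or its web.config) can re-enable what the server default disables.
$scopes = @('MACHINE/WEBROOT/APPHOST') + @(Get-Website | ForEach-Object { "IIS:\Sites\$($_.Name)" })
foreach ($scope in $scopes) {
    $enabled = [bool](Get-WebConfigurationProperty -PSPath $scope -Filter $dirBrowse -Name 'enabled').Value
    '{0,-45} directoryBrowse.enabled = {1}' -f $scope, $enabled
    if ($Apply -and $enabled) {
        Set-WebConfigurationProperty -PSPath $scope -Filter $dirBrowse -Name 'enabled' -Value $false
    }
}
if ($Apply) {
    # Remove the feature itself so a config edit alone cannot bring listing back.
    Disable-WindowsOptionalFeature -Online -FeatureName 'IIS-DirectoryBrowsing' -NoRestart | Out-Null
}

# 2. Default Web Site: stop it, and remove it once you have confirmed nothing still depends on its bindings.
$default = Get-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue
if ($default) {
    $bindings = (Get-WebBinding -Name 'Default Web Site').bindingInformation -join ' '
    "Default Web Site present, state = $($default.State), bindings = $bindings"
    if ($Apply) {
        Stop-Website -Name 'Default Web Site'
        Remove-Website -Name 'Default Web Site'
    }
}

# 3. IP and Domain Restrictions on the application site: deny everything not on the allowlist.
#    ipSecurity is locked at the server level by default, so write it as a <location> entry in
#    applicationHost.config (APPHOST + -Location) instead of into the site's web.config.
if (Get-Website -Name $appSite -ErrorAction SilentlyContinue) {
    $unlisted = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appSite -Filter $ipSec -Name 'allowUnlisted').Value
    "$appSite ipSecurity.allowUnlisted = $unlisted"
    if ($Apply) {
        Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appSite -Filter $ipSec -Name 'allowUnlisted' -Value $false
        Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $appSite -Filter $ipSec -Name '.' `
            -Value @{ ipAddress = $mgmtNet; subnetMask = $mgmtMask; allowed = 'true' }
    }
}
```

Run it once without -Apply and keep the output as the "before" record, then again with -Apply. The allowlist step is the one that can lock you out: add the management range before flipping allowUnlisted if you are connected over the web tier yourself, and confirm the jump host actually sits in that range. None of this replaces the 4.0-25 upgrade; it shrinks the window and the exposed surface until that lands.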
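The detection item above names four signals: unusual GETs, rarely used paths, repeated enumeration, and large downloads. Here is that logic run over IIS W3C log lines, as an added example that is not part of this page or of ABB's material. The log lines, the thresholds, and the sensitive-extension list are constructed for illustration; sc-bytes is assumed to be enabled in the site's logging fields (it is not in the IIS default set), and the op7 session is made up to trip every rule.

```powershell
# Flag authenticated file-retrieval abuse per (user, client IP) in IIS W3C logs. Added example;
# the sample below is constructed, and the thresholds are starting points to tune per site.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status sc-bytes
2026-06-04 08:00:01 10.20.0.5 GET /tmac/Dashboard.aspx - 443 op1 10.20.1.17 200 18211
2026-06-04 08:00:09 10.20.0.5 GET /tmac/Orders.aspx id=42 443 op1 10.20.1.17 200 22104
2026-06-04 08:00:31 10.20.0.5 POST /tmac/Orders.aspx - 443 op1 10.20.1.17 302 402
2026-06-04 08:03:12 10.20.0.5 GET /tmac/web.config - 443 op7 10.20.1.88 200 4410
2026-06-04 08:03:13 10.20.0.5 GET /tmac/App_Data/settings.xml - 443 op7 10.20.1.88 200 9120
2026-06-04 08:03:14 10.20.0.5 GET /tmac/..%2fApp_Data/tmac.mdf - 443 op7 10.20.1.88 404 1300
2026-06-04 08:03:15 10.20.0.5 GET /tmac/bin/ - 443 op7 10.20.1.88 403 1410
2026-06-04 08:03:16 10.20.0.5 GET /tmac/logs/ - 443 op7 10.20.1.88 404 1300
2026-06-04 08:03:18 10.20.0.5 GET /tmac/backup/site.zip - 443 op7 10.20.1.88 200 52428800
'@

function ConvertFrom-IisW3cLog {
    # Turn W3C lines into objects keyed by the names in the most recent #Fields: directive.
    # IIS replaces spaces inside field values with '+', so whitespace splitting is safe.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = @($line.Substring(8).Trim() -split '\s+'); continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = @($line -split '\s+')
        $rec = [ordered]@{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $rec[$fields[$i]] = $values[$i] }
        [pscustomobject]$rec
    }
}

function Find-SuspiciousRetrieval {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [int]$MinDistinctPaths = 5,   # enumeration: many different stems from one principal
        [int]$MinErrors = 3,          # probing: repeated 403/404 answers
        [long]$LargeBytes = 10MB      # bulk download of a single object
    )
    $sensitiveExt = '\.(config|xml|ini|bak|old|log|mdf|ldf|zip|pfx|json)$'
    $traversal    = '(\.\.|%2e|%5c|%2f|\\)'   # raw or encoded dot-dot and separator tricks
    $Records | Where-Object { $_.'cs-method' -eq 'GET' } |
        Group-Object -Property { "$($_.'cs-username')|$($_.'c-ip')" } |
        ForEach-Object {
            $g = $_.Group
            $user, $ip = $_.Name -split '\|'
            $reasons = @()
            $stems = @($g.'cs-uri-stem' | Select-Object -Unique)
            if ($stems.Count -ge $MinDistinctPaths) { $reasons += "enumeration: $($stems.Count) distinct paths" }
            $errors = @($g | Where-Object { $_.'sc-status' -in '403', '404' }).Count
            if ($errors -ge $MinErrors) { $reasons += "probing: $errors requests answered 403/404" }
            $trav = @($g | Where-Object { ($_.'cs-uri-stem' + '?' + $_.'cs-uri-query') -match $traversal })
            if ($trav.Count -gt 0) { $reasons += "traversal markers in $($trav.Count) request(s)" }
            $sens = @($g | Where-Object { $_.'sc-status' -eq '200' -and $_.'cs-uri-stem' -match $sensitiveExt })
            if ($sens.Count -gt 0) { $reasons += 'served sensitive file types: ' + (($sens.'cs-uri-stem' | Select-Object -Unique) -join ', ') }
            $big = @($g | Where-Object { $b = 0L; [long]::TryParse($_.'sc-bytes', [ref]$b) -and $b -ge $LargeBytes })
            if ($big.Count -gt 0) { $reasons += 'large response(s): ' + ($big.'cs-uri-stem' -join ', ') }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ User = $user; ClientIp = $ip; Requests = $g.Count; Reasons = ($reasons -join '; ') }
            }
        }
}

$records = ConvertFrom-IisW3cLog -Lines ($sampleLog -split "`r?`n")
Find-SuspiciousRetrieval -Records $records | Format-List
```

Against the sample, op1 stays quiet and op7 trips all five rules. In production, point ConvertFrom-IisW3cLog at Get-Content over the site's log directory, group by principal rather than by raw IP when users come through a jump host, and baseline MinDistinctPaths against what a normal operator session looks like in your deployment before alerting on it.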
Crowdsourced verification payload.
Run this on the Windows T-MAC Plus server itself as a local administrator so it can read installed-software metadata and IIS configuration. Invoke it with powershell -ExecutionPolicy Bypass -File .\check-tmacplus-cve-2025-14771.ps1; it outputs VULNERABLE, PATCHED, or UNKNOWN and exits with 1, 0, or 2 respectively.
```powershell
# check-tmacplus-cve-2025-14771.ps1
# Checks ABB T-MAC Plus version and basic IIS hardening indicators tied to CVE-2025-14771.
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN
$ErrorActionPreference = 'Stop'

function Get-UninstallEntries {
    # Installed-software metadata lives under both the native and the WOW6432Node uninstall keys.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $items = foreach ($p in $paths) {
        Get-ItemProperty -Path $p -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -and $_.DisplayName -match 'T-MAC\s*Plus' }
    }
    # String sort only picks one entry when several exist; the real comparison is numeric below.
    $items | Sort-Object DisplayVersion -Descending
}

function Parse-VersionParts([string]$v) {
    # ABB writes the version as 4.0-24, so split on any non-digit run and pad to at least three parts.
    if ([string]::IsNullOrWhiteSpace($v)) { return $null }
    $parts = @($v -split '[^0-9]+' | Where-Object { $_ -ne '' } | ForEach-Object { [int]$_ })
    if ($parts.Count -eq 0) { return $null }
    while ($parts.Count -lt 3) { $parts += 0 }
    return ,$parts
}

function Compare-Version([string]$left, [string]$right) {
    # Returns -1, 0 or 1 like a comparer, or $null when either side is unparseable.
    $l = Parse-VersionParts $left
    $r = Parse-VersionParts $right
    if (-not $l -or -not $r) { return $null }
    $max = [Math]::Max($l.Count, $r.Count)
    while ($l.Count -lt $max) { $l += 0 }
    while ($r.Count -lt $max) { $r += 0 }
    for ($i = 0; $i -lt $max; $i++) {
        if ($l[$i] -gt $r[$i]) { return 1 }
        if ($l[$i] -lt $r[$i]) { return -1 }
    }
    return 0
}

function Get-IISState {
    $result = [ordered]@{
        IISPresent = $false
        DirectoryBrowseEnabled = $null
        DefaultWebSiteExists = $null
        DefaultWebSiteStarted = $null
        Error = $null
    }
    try {
        if (Get-Module -ListAvailable -Name WebAdministration) {
            Import-Module WebAdministration -ErrorAction Stop
            $result.IISPresent = $true
            try {
                # Server-level default first, then each site's effective value: a site or its
                # web.config can re-enable browsing that the server default disables.
                $scopes = @('MACHINE/WEBROOT/APPHOST') + @(Get-Website -ErrorAction SilentlyContinue | ForEach-Object { "IIS:\Sites\$($_.Name)" })
                $anyEnabled = $false
                foreach ($scope in $scopes) {
                    $db = Get-WebConfigurationProperty -PSPath $scope -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -ErrorAction Stop
                    if ([bool]$db.Value) { $anyEnabled = $true }
                }
                $result.DirectoryBrowseEnabled = $anyEnabled
            } catch {
                $result.DirectoryBrowseEnabled = $null
            }
            try {
                $site = Get-Website -Name 'Default Web Site' -ErrorAction SilentlyContinue
                if ($site) {
                    $result.DefaultWebSiteExists = $true
                    $result.DefaultWebSiteStarted = ($site.State -eq 'Started')
                } else {
                    $result.DefaultWebSiteExists = $false
                    $result.DefaultWebSiteStarted = $false
                }
            } catch {
                $result.DefaultWebSiteExists = $null
                $result.DefaultWebSiteStarted = $null
            }
        }
    } catch {
        $result.Error = $_.Exception.Message
    }
    return [pscustomobject]$result
}

try {
    $apps = Get-UninstallEntries
    $app = $apps | Select-Object -First 1
    if (-not $app) {
        Write-Output 'UNKNOWN - T-MAC Plus not found in uninstall registry keys'
        exit 2
    }
    $displayName = $app.DisplayName
    $displayVersion = $app.DisplayVersion
    $cmp = Compare-Version $displayVersion '4.0-25'
    $iis = Get-IISState

    $versionVulnerable = $false
    $versionPatched = $false
    if ($cmp -eq $null) {
        $versionState = 'unknown'
    } elseif ($cmp -lt 0) {
        $versionState = 'vulnerable'
        $versionVulnerable = $true
    } else {
        $versionState = 'patched'
        $versionPatched = $true
    }

    # ABB says the fix path removes directory browsing and the default site, so either one still
    # being present counts as VULNERABLE even on a version that compares as fixed.
    $iisIndicators = @()
    $iisVulnerable = $false
    if ($iis.IISPresent) {
        if ($iis.DirectoryBrowseEnabled -eq $true) {
            $iisIndicators += 'IIS directory browsing is enabled'
            $iisVulnerable = $true
        }
        if ($iis.DefaultWebSiteExists -eq $true -and $iis.DefaultWebSiteStarted -eq $true) {
            $iisIndicators += 'Default Web Site exists and is started'
            $iisVulnerable = $true
        } elseif ($iis.DefaultWebSiteExists -eq $true) {
            $iisIndicators += 'Default Web Site exists (stopped)'
        }
    }

    if ($versionVulnerable -or $iisVulnerable) {
        $msg = "VULNERABLE - $displayName version $displayVersion"
        if ($iisIndicators.Count -gt 0) { $msg += '; ' + ($iisIndicators -join '; ') }
        Write-Output $msg
        exit 1
    }
    if ($versionPatched) {
        $msg = "PATCHED - $displayName version $displayVersion"
        if ($iisIndicators.Count -gt 0) { $msg += '; note: ' + ($iisIndicators -join '; ') }
        Write-Output $msg
        exit 0
    }
    Write-Output "UNKNOWN - unable to compare installed version '$displayVersion' to fixed version 4.0-25"
    exit 2
}
catch {
    Write-Output ('UNKNOWN - ' + $_.Exception.Message)
    exit 2
}
```
If you remember one thing.
Sources
- ABB Cyber security alerts and notifications
- ABB CSAF advisory 9AKK108472A7840
- ABB advisory PDF reference for T-MAC Plus
- ABB Ability Terminal Management product sheet
- TIC International ABB Ability T-MAC Plus product page
- CISA Known Exploited Vulnerabilities catalog
- FIRST EPSS overview
- FIRST EPSS model documentation