This is a master-key mix-up inside the guard booth, not a crowbar through the front gate
CVE-2025-14772 is a broken access control flaw in the ABB T-MAC Plus web application where a low-privilege authenticated user can perform administrative operations. ABB’s advisory says T-MAC Plus 4.0-24 is affected and 4.0-25 fixes it; the vulnerable surface is the web application in a terminal management system used for oil, gas, and chemical operations, with supporting field-device integrations such as card readers and access-control workflows.
ABB’s 8.8/HIGH score is technically defensible in a lab because the flaw can lead to high C/I/A impact inside the application. In real enterprise deployments, though, the exploit chain starts with two heavy friction points: the attacker must already have network reachability to the T-MAC Plus system and must already possess a valid low-privilege account. For a niche OT product that should live on segmented operations networks, that makes this more of a *post-initial-access privilege escalation inside a terminal* than a broad remote compromise event.
4 steps from start to impact.
Reach the T-MAC Plus web tier
- Network path to the T-MAC Plus web application
- Routing/firewall access into the terminal operations segment
- T-MAC Plus is a specialized OT application, not a mass-deployed internet SaaS target
- ABB explicitly recommends minimizing network exposure and isolating these systems
- Many environments place terminal systems behind VPNs, jump hosts, or plant firewalls
Log in as a low-privilege user
- A valid T-MAC Plus account with low privileges
- Ability to authenticate to the application
- Requires stolen credentials, weak account governance, or insider access
- MFA, PAM-backed jump workflows, and account review reduce reachable population
- In many terminals, customer/driver-facing flows may be narrower than full operator access
Abuse the user-controlled key / IDOR-style authorization gap
- Knowledge of reachable admin functions or object identifiers
- Ability to replay/modify authenticated HTTP requests with tooling such as Burp Suite or browser dev tools
- The attacker still needs to understand app workflows and which endpoints map to privileged functions
- Well-instrumented apps may generate mismatched role/action events
- This is business-logic abuse, so commodity worming is less likely than targeted operator misuse
Execute administrative operations with operational impact
- Successful privilege bypass
- Admin functions exposed through the web application
- Blast radius is bounded to the T-MAC Plus tenant/site and surrounding workflows, not arbitrary domain-wide takeover
- Process impact depends on how tightly the plant relies on this app for access control and dispatch operations
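The gap the third step describes is a server-side authorization check that trusts something the client controls. The following is an added teaching example, not ABB T-MAC Plus code: a minimal request-authorization function in the broken form beside the hardened form, with a constructed session store, record table, role names and action names. The hardened form is the property a code review or role-aware application test should confirm: privilege is derived only from server-side session state, and object access is checked against ownership.

```python
"""Model of the user-controlled-key / IDOR-style authorization gap:
a handler that reads the role and target from the request, beside one
that resolves privilege from server-side session state and checks object
ownership. Added example; all names and data below are constructed."""

# Constructed server-side state: session token -> identity and server-assigned
# role, plus some records with owners.
SESSIONS = {
    "tok-alice": {"user": "alice", "role": "operator"},
    "tok-sam": {"user": "sam", "role": "admin"},
}
RECORDS = {
    101: {"owner": "alice"},
    102: {"owner": "bob"},
}
ADMIN_ACTIONS = {"approve", "delete", "set_role"}
USER_ACTIONS = {"view", "update"}


def authorize_vulnerable(token: str, params: dict) -> bool:
    """Broken pattern: the effective role is taken from the request when
    present, and the target record is never checked against the caller."""
    sess = SESSIONS.get(token)
    if sess is None:
        return False
    role = params.get("role", sess["role"])  # user-controlled key wins
    action = params["action"]
    if action in ADMIN_ACTIONS:
        return role == "admin"
    return action in USER_ACTIONS             # any record id accepted


def authorize_hardened(token: str, params: dict) -> bool:
    """Fixed pattern: role comes only from the session; admin actions need
    the admin role; non-admin actions require ownership of the record.
    Unknown and forbidden records get the same answer, so the check does
    not reveal which ids exist."""
    sess = SESSIONS.get(token)
    if sess is None:
        return False
    action = params["action"]
    if action in ADMIN_ACTIONS:
        return sess["role"] == "admin"
    if action not in USER_ACTIONS:
        return False
    rec = RECORDS.get(params.get("id"))
    return rec is not None and (sess["role"] == "admin" or rec["owner"] == sess["user"])


def demo() -> dict:
    """Run the same three operator requests through both handlers."""
    escalate = {"action": "set_role", "role": "admin", "id": 101}  # tampered role key
    cross = {"action": "update", "id": 102}                        # another user's record
    own = {"action": "update", "id": 101}                          # the caller's own record
    return {
        "vulnerable": [authorize_vulnerable("tok-alice", p) for p in (escalate, cross, own)],
        "hardened": [authorize_hardened("tok-alice", p) for p in (escalate, cross, own)],
        "admin_hardened": authorize_hardened("tok-sam", {"action": "set_role", "id": 102}),
    }


if __name__ == "__main__":
    print(demo())
```

Only the third request (an operator updating their own record) should succeed for a low-privilege session; the broken handler lets all three through, which is exactly what the role/action mismatch detections later on this page are meant to catch.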
The supporting signals.
| Signal | Assessment |
|---|---|
| In-the-wild status | No public exploitation evidence located in ABB’s advisory, and ABB states it had no information indicating exploitation when the advisory was issued on 2026-06-03. |
| KEV status | Not listed in CISA KEV at time of review. |
| PoC availability | No public PoC located during this review. That lowers opportunistic pressure, though any tester with valid credentials and a proxy like Burp Suite can likely reproduce it once they understand the workflow. |
| EPSS | 0.00039 (user-supplied intel). That is extremely low and consistent with a niche, authenticated OT application flaw rather than a broadly weaponized internet bug. |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H — translation: *easy to execute once you already have access and credentials*, but PR:L is the key down-pressure term here. |
| Affected versions | ABB lists T-MAC Plus 4.0-24 as known affected for this CVE. |
| Fixed version | ABB lists T-MAC Plus 4.0-25 as the vendor fix. |
| Disclosure timeline | Public ABB advisory published 2026-06-03. Note the CVE year is 2025, but the vendor disclosure date is June 3, 2026. |
| Reporter | ABB credits Angelo Catalani of the Italian National Cybersecurity Agency (ACN) for responsible disclosure input on the advisory. |
| Exposure / scanning telemetry | No product-specific GreyNoise, Shodan, or Censys telemetry was located during this review for T-MAC Plus. That does *not* mean zero exposure; it means there is no public evidence this niche product is being broadly fingerprinted or mass-scanned. |
noisgate verdict.
The decisive factor is authenticated, post-reachability exploitation on a niche OT web application. This is dangerous *after* an attacker is in the terminal network with a valid account, but it is not the kind of bug that usually drives broad internet-scale compromise by itself.
Why this verdict
- Downgrade for attacker position: the vendor starts at 8.8, but exploitation requires network access to the T-MAC Plus environment, which usually implies OT foothold, jump-host access, or a misexposed plant app.
- Downgrade for authentication: PR:L matters in the real world. Requiring a valid low-privilege account compounds the friction because the attacker needs credential theft, insider access, or prior compromise.
- Downgrade for exposure population: T-MAC Plus is a specialized terminal management platform, not a commodity edge appliance. The exposed population is materially smaller than the average product implied by a raw CVSS network score.
- Keep it above LOW for impact: once the chain lands, the attacker can perform administrative actions in a system tied to terminal access control and operations, so this is not mere nuisance-level misuse.
- No exploit pressure amplifier: no KEV, no public exploitation evidence from ABB, and a very low EPSS all argue against retaining HIGH absent local exposure evidence in your estate.
Why not higher?
This is not unauthenticated remote compromise, and it is not a broad pre-auth edge flaw. The attacker must already be able to reach the application and already possess a valid account, which makes it a classic *inside-the-fence* escalation problem.
Why not lower?
The vulnerability still enables administrative operations from a low-privilege starting point inside an OT application that can affect terminal workflows. If you run T-MAC Plus in production, the operational consequences are substantial enough that this should not be treated as backlog trivia.
What to do — in priority order.
- Restrict app reachability — Constrain T-MAC Plus web access to dedicated operator/admin source networks, jump hosts, and approved remote-access paths only. For a MEDIUM verdict there is no mitigation SLA; do this in the next normal network change window while you drive remediation inside the 365-day window.
- Cull low-privilege accounts — Review customer, contractor, and dormant low-privilege accounts because this flaw depends on a valid authenticated identity. Remove unused accounts and tighten role assignment during the next IAM review cycle; for MEDIUM, there is no mitigation SLA, but this sharply reduces reachable exploit population.
- Alert on role/action mismatches — Create detections for low-privilege users invoking admin endpoints or performing configuration-changing actions. This is the best interim tripwire for an authz bug that looks like legitimate application traffic; deploy in the next logging/content update cycle.
- Front the app with strong access control — If remote access is necessary, force access through MFA-protected VPN or brokered admin access rather than direct flat-network reachability. That does not fix the flaw, but it raises the cost of obtaining the prerequisite authenticated foothold.
- Password rotation alone doesn't fix broken server-side authorization; a legitimate low-privilege account can still exploit it.
- Perimeter WAF signatures alone are weak here because the exploit can look like normal authenticated business traffic with altered object references.
- Unauthenticated vulnerability scans will often miss this class entirely because the bug only manifests after login with role-aware workflow testing.
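The "alert on role/action mismatches" item above is the one control that catches this class while it looks like ordinary traffic, so here is a worked detector. This is an added example, not from the page or from ABB: it parses IIS-style W3C access logs using the `#Fields` header, then flags authenticated users whose directory role is not admin but who reached a privileged path. The admin path patterns, the user-to-role table, the `/app/...` URIs and the log lines are all constructed; in a real deployment the path list comes from the application's own route inventory and the roles from your identity directory.

```python
"""Role/action mismatch detection over W3C-style web access logs.
Added example with constructed paths, roles and log lines."""
import re
from typing import Dict, List

# Constructed: which URI prefixes are privileged, and who holds which role.
ADMIN_PATH_PATTERNS = [re.compile(r"^/app/admin/"), re.compile(r"^/app/api/config/")]
USER_ROLES: Dict[str, str] = {"sam": "admin", "alice": "operator", "contractor7": "driver"}

# Constructed IIS-style W3C sample; column order comes from the #Fields line.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2026-06-04 08:01:12 GET /app/dashboard alice 10.0.5.21 200
2026-06-04 08:02:40 POST /app/admin/users/role alice 10.0.5.21 200
2026-06-04 08:03:05 POST /app/admin/users/role sam 10.0.5.7 200
2026-06-04 08:04:19 POST /app/api/config/save contractor7 10.0.5.88 403
2026-06-04 08:05:00 POST /app/api/config/save contractor7 10.0.5.88 200
2026-06-04 08:06:31 GET /app/admin/reports - 10.0.5.90 401
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def is_admin_path(path: str) -> bool:
    return any(p.match(path) for p in ADMIN_PATH_PATTERNS)


def find_role_action_mismatches(text: str) -> List[dict]:
    """Flag authenticated non-admin users that hit an admin path.
    A 2xx/3xx response is a likely successful bypass (high); a 4xx is an
    attempt worth keeping (low). Unauthenticated hits ('-') are left to
    ordinary auth-failure alerting. Users absent from the role table are
    treated as non-admin, never as admin."""
    alerts = []
    for row in parse_w3c(text):
        user = row.get("cs-username", "-")
        if user == "-" or not is_admin_path(row["cs-uri-stem"]):
            continue
        role = USER_ROLES.get(user, "unknown")
        if role == "admin":
            continue
        status = int(row["sc-status"])
        alerts.append({
            "user": user,
            "role": role,
            "path": row["cs-uri-stem"],
            "status": status,
            "severity": "high" if status < 400 else "low",
            "src": row["c-ip"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_role_action_mismatches(SAMPLE_LOG):
        print(alert)
```

On the sample this yields two high-severity alerts (an operator changing a user role, a driver saving configuration) and one low-severity attempt (the driver's earlier 403). Tune the role source carefully: the detector is only as good as the role table, so feed it from the same directory the application authenticates against rather than a hand-maintained copy.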
Crowdsourced verification payload.
Run this on the Windows host that runs T-MAC Plus / IIS, or via your endpoint management tool in remote PowerShell. Example: powershell -ExecutionPolicy Bypass -File .\check-tmacplus-cve-2025-14772.ps1 from an elevated shell; local admin helps for full registry/file coverage, but standard user often works.
```powershell
# check-tmacplus-cve-2025-14772.ps1
# Detects ABB T-MAC Plus version and assesses exposure to CVE-2025-14772.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 1=VULNERABLE, 0=PATCHED, 2=UNKNOWN
$ErrorActionPreference = 'SilentlyContinue'

# Enumerate installed-program entries from the 64-bit, 32-bit and per-user hives.
function Get-UninstallEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    foreach ($p in $paths) {
        Get-ItemProperty $p | Where-Object { $_.DisplayName }
    }
}

# Accepts ABB's "4.0-25" form, the dotted "4.0.25" form, and a four-part
# "4.0.25.0" file-version form (the trailing part is ignored).
function Parse-TmacVersion([string]$v) {
    if ([string]::IsNullOrWhiteSpace($v)) { return $null }
    if ($v -match '^(\d+)\.(\d+)[-.](\d+)(?:\.\d+)?$') {
        return [pscustomobject]@{ Major = [int]$matches[1]; Minor = [int]$matches[2]; Build = [int]$matches[3]; Raw = $v }
    }
    return $null
}

# Returns -1 / 0 / 1 like a comparer.
function Compare-TmacVersion($a, $b) {
    foreach ($k in @('Major', 'Minor', 'Build')) {
        if ($a.$k -lt $b.$k) { return -1 }
        if ($a.$k -gt $b.$k) { return 1 }
    }
    return 0
}

$targetFixed = Parse-TmacVersion '4.0-25'
$found = @()

# Registry-based detection. Match on the product name; only accept the ABB
# publisher match when the name also mentions T-MAC, so other ABB software on
# the host is not mistaken for T-MAC Plus.
$entries = Get-UninstallEntries | Where-Object {
    ($_.DisplayName -match 'T-?MAC\s*Plus') -or
    ($_.Publisher -match '^ABB' -and $_.DisplayName -match 'T-?MAC')
}
foreach ($e in $entries) {
    $found += [pscustomobject]@{
        Source  = 'Registry'
        Name    = $e.DisplayName
        Version = $e.DisplayVersion
        Parsed  = Parse-TmacVersion $e.DisplayVersion
        Path    = $e.InstallLocation
    }
}

# Fallback file search in common locations (binaries carry a version resource;
# web.config does not, but its path still confirms the install).
$searchRoots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    'C:\inetpub\wwwroot',
    'C:\inetpub'
) | Where-Object { $_ -and (Test-Path $_) }
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include '*.exe', '*.dll', 'web.config' -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -match 'T-?MAC|TMAC' } |
        Select-Object -First 20 |
        ForEach-Object {
            $fv = $_.VersionInfo.ProductVersion
            $found += [pscustomobject]@{
                Source  = 'File'
                Name    = $_.Name
                Version = $fv
                Parsed  = Parse-TmacVersion $fv
                Path    = $_.FullName
            }
        }
}

# Deduplicate noisy results; @() keeps a single hit as an array so .Count is reliable.
$found = @($found | Sort-Object Source, Name, Version, Path -Unique)
if ($found.Count -eq 0) {
    Write-Output 'UNKNOWN: ABB T-MAC Plus not confidently detected on this host.'
    Write-Output 'UNKNOWN'
    exit 2
}

# Prefer a parsable registry product version over file version resources.
$best = $found |
    Where-Object { $null -ne $_.Parsed } |
    Sort-Object { if ($_.Source -eq 'Registry') { 0 } else { 1 } } |
    Select-Object -First 1
if (-not $best) {
    Write-Output 'UNKNOWN: T-MAC Plus artifacts found, but version could not be parsed.'
    $found | ForEach-Object { Write-Output ("HINT: {0} | {1} | {2}" -f $_.Source, $_.Name, $_.Path) }
    Write-Output 'UNKNOWN'
    exit 2
}

$cmp = Compare-TmacVersion $best.Parsed $targetFixed
Write-Output ("Detected: {0} version {1} via {2}" -f $best.Name, $best.Parsed.Raw, $best.Source)
if ($cmp -lt 0) {
    Write-Output 'Assessment: Version is older than 4.0-25 and should be treated as affected by CVE-2025-14772.'
    Write-Output 'VULNERABLE'
    exit 1
}
Write-Output 'Assessment: Version is 4.0-25 or newer.'
Write-Output 'PATCHED'
exit 0
```