CVE-2025-14773 · CWE-79 · Disclosed 2026-06-03

Improper neutralization of input during web page generation

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a bad note left inside the control room, not a crowbar on the perimeter fence

CVE-2025-14773 is a cross-site scripting flaw in the ABB T-MAC Plus web interface. Based on the supplied CVSS (AV:N/AC:L/PR:L/UI:R) and the product’s role as a terminal-management web application, the most plausible path is *authenticated script injection that executes when another logged-in user views affected content*; that stored-XSS assumption is an inference from the vector because I could not verify a public ABB advisory with exact technical details or affected version ranges. Publicly verifiable fixed-version data was also not available from the sources I could reach.

ABB’s HIGH 8.0 rating overshoots the real operational risk for most enterprises. The decisive friction is the chain: an attacker must reach the T-MAC Plus UI, hold at least low-privileged credentials, plant payload-bearing input, and then wait for another user to render it; in real OT deployments that usually means *post-initial-access on an internal operations network*, not an internet-scale pre-auth compromise.

"This is an authenticated, user-assisted OT web XSS—not a drop-everything internet RCE."
02 · The Attack Path

5 steps from start to impact.

STEP 01

Reach the T-MAC Plus web UI

The attacker first needs IP reachability to the T-MAC Plus web interface. In practice this usually means presence on the terminal operations network, a vendor remote-access path, or a jump host already approved into the OT zone.
Conditions required:
  • Network path to the T-MAC Plus web application
  • Web UI enabled and reachable from the attacker position
Where this breaks in practice:
  • Most T-MAC Plus deployments are not meant to be directly internet-exposed
  • OT segmentation, VPNs, firewalls, and jump hosts commonly gate access
Detection/coverage: Exposure scanners may find externally exposed systems, but internal-only deployments will be invisible to internet scanning.
STEP 02

Authenticate with a low-privileged account

The vendor vector includes PR:L, so exploitation is not anonymous. The attacker needs a valid operator, contractor, or support-level account before they can submit the malicious input.
Conditions required:
  • Valid T-MAC Plus credentials
  • Permissions to edit or submit a field later rendered in the UI
Where this breaks in practice:
  • This implies a prior compromise stage such as credential theft, insider access, or third-party account abuse
  • Least-privilege role design may limit which screens or objects can be edited
Detection/coverage: IAM logs, Windows event logs, and application audit trails can show logons from unusual hosts or accounts.
STEP 03

Inject script into a rendered field

The attacker places a payload into an application field that is later reflected or stored and rendered by the web UI. Given PR:L plus UI:R, the likeliest operational model is stored XSS against another user session, but that stored-XSS detail is an inference rather than a verified vendor statement.
Conditions required:
  • A vulnerable input/output path in the web application
  • Insufficient server-side encoding or output escaping
Where this breaks in practice:
  • Some fields may sanitize input or restrict characters
  • Reverse proxies, WAFs, or content-security-policy headers can reduce exploit reliability
Detection/coverage: DAST and web scanners often catch generic reflected XSS better than niche authenticated stored-XSS flows in OT HMIs.
STEP 04

Wait for a target user to view the payload

A second user must load the poisoned page for the script to execute in their browser. That script can steal session material, issue same-origin requests, or manipulate the web workflow with the victim’s permissions.
Conditions required:
  • A privileged or operationally meaningful user opens the affected page
  • Browser protections do not fully neutralize the payload
Where this breaks in practice:
  • No user click or page view means no impact
  • Modern browsers, CSP, HttpOnly/SameSite cookies, and short session lifetimes reduce post-execution value
Detection/coverage: Browser telemetry is usually sparse in OT. Look instead for unusual application actions immediately following innocent page views.
STEP 05

Abuse the victim session for business or process impact

If the viewed page belongs to an operator or admin, the attacker may pivot into unauthorized actions exposed by the T-MAC Plus interface. In this product family, that can matter because the platform coordinates terminal workflows and remote monitoring, but the blast radius still depends on what the victim account can do.
Conditions required:
  • Victim has higher privileges than the attacker
  • Sensitive actions are available through the web session and not re-prompted
Where this breaks in practice:
  • Impact is bounded by the victim role and application design
  • This is browser-session abuse, not proven server takeover
Detection/coverage: Application audit logs are the best source; signature-based endpoint tools are weak at seeing same-origin session abuse.
03 · Intelligence Metadata

The supporting signals.

  • In-the-wild status: No public exploitation evidence found in the sources reviewed; not in CISA KEV.
  • KEV status: Not listed in the CISA Known Exploited Vulnerabilities Catalog as checked today.
  • PoC availability: No public PoC located for this CVE. That materially lowers immediate operational risk.
  • EPSS: 0.00041 from FIRST; that is a very low predicted exploitation probability and matches the absence of public exploit chatter.
  • CVSS vector readout: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H means network-reachable *if you can reach the UI*, but requires valid low-privileged access and user interaction. Those two prerequisites are the main downward pressure on risk.
  • Affected scope: Affected product is ABB T-MAC Plus. The exact affected version range could not be publicly verified from reachable vendor documentation.
  • Fixed version: Public fixed-version data not verified. Treat version validation as a vendor-support task before you close findings.
  • Exposure reality: ABB describes T-MAC Plus as a terminal management system for oil, gas, and chemical operations with centralized/remote monitoring. That usually means internal OT/HMI placement, not broad internet exposure.
  • Disclosure date check: The supplied disclosure date was 2026-06-03, which I could not verify publicly. That date is also later than the CVE year and should be treated as unverified metadata until ABB or CVE records confirm it.
  • Reporter / researcher: Not publicly verified from the sources reviewed.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (5.4/10)

The bucket drops to MEDIUM because the exploit chain starts with authenticated remote access to an OT web UI and finishes only if another user renders the payload. That is classic post-initial-access, user-assisted abuse with narrow reachable population, not mass-exploitable perimeter compromise.

  • HIGH: Severity downgrade driven by `PR:L` + `UI:R` friction
  • MEDIUM: Attack-path modeling as authenticated stored/reflected XSS in a web workflow
  • LOW: Exact affected and fixed versions, due to lack of publicly reachable ABB advisory detail

Why this verdict

  • Requires authenticated access: PR:L means the attacker already has credentials, which usually implies prior compromise, insider misuse, or third-party account abuse.
  • Requires user interaction: UI:R means no page view, no exploit. That sharply limits reliability versus wormable or one-shot server-side flaws.
  • Exposure population is narrow: T-MAC Plus is an OT terminal-management platform, so most real deployments live behind segmentation, VPN, jump hosts, or vendor remote-access controls rather than open internet.
  • No field evidence of weaponization: no KEV listing, no public PoC found, and the supplied EPSS is extremely low.
  • Vendor impact looks worst-case: scoring C:H/I:H/A:H assumes the victim session can be abused into meaningful operational actions, but that depends on role permissions and workflow design, not on the XSS alone.

Why not higher?

This is not pre-auth remote code execution, not a server-side auth bypass, and not a perimeter edge bug with known broad exposure. Every prerequisite in the chain compounds downward pressure: reachable UI, valid account, injectable field, and a second user viewing the content. Without those, the bug is inert.

Why not lower?

It is still an OT web application tied to terminal operations, so browser-session abuse against an operator or admin may have outsized business consequences inside the site. Also, authenticated XSS in industrial management software is more serious than the same bug in a low-value brochure app because operator sessions can trigger real workflows.

05 · Compensating Control

What to do — in priority order.

  1. Restrict UI reachability — Put the T-MAC Plus web UI behind OT firewalls, jump hosts, or VPN-only access so an attacker needs an additional foothold before they can even touch the vulnerable page. For a MEDIUM verdict there is no mitigation SLA, but this is the first control to apply whenever exposure is broader than intended.
  2. Separate low-privilege and admin use — Keep engineering/admin accounts off day-to-day operator browsing and use separate browser profiles or dedicated admin workstations. That reduces the payoff if a low-privileged user can plant script for a higher-privileged victim.
  3. Harden the browser side — Where product support allows it, enforce CSP, HttpOnly, SameSite, short session lifetimes, and re-authentication for sensitive actions through the front-end or reverse proxy layer. This cuts session theft value and forces additional hurdles after payload execution.
  4. Review editable fields and workflows — Identify screens where operators, contractors, or integrators can submit free-form text later rendered to others, then reduce who can edit them. With no mitigation SLA for MEDIUM, do this during normal remediation planning rather than emergency change windows.
  5. Turn on application audit review — Monitor for unusual create/edit actions in forms, comments, labels, or notes followed by high-privilege actions from another user session. This is one of the few practical ways to spot stored-XSS abuse in OT web software.
What doesn't work
  • MFA by itself does not stop XSS once the victim is already logged in; the script rides the existing session.
  • Server-side EDR alone is weak here because the exploit executes in the browser and abuses same-origin requests rather than dropping malware on the host.
  • Pure perimeter scanning misses the real problem when the app is internal-only; you still need authenticated application testing or vendor confirmation.
06 · Verification

Crowdsourced verification payload.

Run this on the T-MAC Plus application server or gold image, not from an auditor laptop. Invoke it from an elevated PowerShell prompt, for example `powershell -ExecutionPolicy Bypass -File .\check-tmacplus-cve-2025-14773.ps1 -FixedVersion 0.0.0`, after you obtain ABB's actual fixed version from support; local admin helps for full registry and service inspection, but read-only execution usually works.

noisgate-verify.ps1
# check-tmacplus-cve-2025-14773.ps1
# Purpose: Locate ABB T-MAC Plus components and compare discovered version to a known fixed version.
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

param(
    [string]$FixedVersion = "",
    [switch]$VerboseMode
)

function Write-Info($msg) {
    if ($VerboseMode) { Write-Host "[INFO] $msg" }
}

function Normalize-Version([string]$v) {
    if ([string]::IsNullOrWhiteSpace($v)) { return $null }
    # Take the first dotted numeric run (e.g. "2.1.0" out of "2.1.0 (build 123)") rather than
    # stripping every non-digit, which would fuse build numbers into the version string.
    $m = [regex]::Match($v, '\d+(\.\d+){1,3}')
    if (-not $m.Success) { return $null }
    try { return [version]$m.Value } catch { return $null }
}

function Get-UninstallEntries {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $items = @()
    foreach ($p in $paths) {
        try {
            $items += Get-ItemProperty $p -ErrorAction SilentlyContinue |
                Where-Object { $_.DisplayName -match 'ABB|T-MAC|TMAC|Terminal Management' }
        } catch {}
    }
    return $items
}

function Get-CandidateFiles {
    $roots = @(
        $env:ProgramFiles,
        ${env:ProgramFiles(x86)},
        'C:\ABB',
        'C:\inetpub',
        'C:\ProgramData'
    ) | Where-Object { $_ -and (Test-Path $_) }

    $patterns = @('*.exe','*.dll','web.config')
    $hits = @()
    foreach ($root in $roots) {
        try {
            # -Include takes effect together with -Recurse; restricting to binaries and web.config
            # keeps the VersionInfo lookup from running against every file under the root.
            $hits += Get-ChildItem -Path $root -Recurse -File -Include $patterns -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.FullName -match 'T-MAC|TMAC|Terminal' -or $_.VersionInfo.ProductName -match 'ABB|T-MAC|Terminal'
                }
        } catch {}
    }
    return $hits | Select-Object -First 50
}

function Get-BestVersion($entries, $files) {
    $versions = New-Object System.Collections.Generic.List[object]

    foreach ($e in $entries) {
        $nv = Normalize-Version $e.DisplayVersion
        if ($nv) {
            $versions.Add([pscustomobject]@{ Source='Registry'; Name=$e.DisplayName; Version=$nv.ToString() })
        }
    }

    foreach ($f in $files) {
        try {
            $fv = $f.VersionInfo.FileVersion
            $nv = Normalize-Version $fv
            if ($nv) {
                $versions.Add([pscustomobject]@{ Source='File'; Name=$f.FullName; Version=$nv.ToString() })
            }
        } catch {}
    }

    if ($versions.Count -eq 0) { return $null }

    $sorted = $versions | Sort-Object { Normalize-Version $_.Version } -Descending
    return $sorted[0]
}

Write-Info 'Searching uninstall registry...'
$entries = Get-UninstallEntries
Write-Info ('Registry hits: ' + (($entries | Measure-Object).Count))

Write-Info 'Searching candidate files...'
$files = Get-CandidateFiles
Write-Info ('File hits: ' + (($files | Measure-Object).Count))

$best = Get-BestVersion -entries $entries -files $files

if (-not $best) {
    Write-Host 'UNKNOWN - No ABB T-MAC Plus installation evidence or parsable version found.'
    exit 2
}

Write-Info ("Best candidate: $($best.Name) [$($best.Source)] version $($best.Version)")
$installed = Normalize-Version $best.Version
$fixed = Normalize-Version $FixedVersion

if (-not $fixed) {
    Write-Host ("UNKNOWN - Detected ABB/T-MAC component version " + $installed + ". No verified fixed version supplied; obtain ABB advisory/support guidance and rerun with -FixedVersion.")
    exit 2
}

if ($installed -lt $fixed) {
    Write-Host ("VULNERABLE - Detected version " + $installed + " is older than fixed version " + $fixed)
    exit 1
} else {
    Write-Host ("PATCHED - Detected version " + $installed + " is at or above fixed version " + $fixed)
    exit 0
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, treat this as a credentialed internal web-app flaw: inventory every T-MAC Plus deployment, confirm whether the UI is reachable only from sanctioned OT admin paths, identify which roles can submit content rendered to other users, and open a vendor case to obtain ABB’s exact affected/fixed versions because public version data was not verifiable. For a MEDIUM verdict there is no noisgate mitigation SLA — go straight to the 365-day remediation window; in practice, tighten exposure and role separation during normal change control now, then complete the actual vendor patch inside the noisgate remediation SLA of ≤365 days once ABB confirms the target build.

Sources

  1. ABB Ability Terminal Management product description
  2. ABB T-MAC Plus sales guide
  3. ABB T-MAC Plus product overview event page
  4. ABB T-MAC Plus deployment case study
  5. CISA Known Exploited Vulnerabilities Catalog
  6. FIRST EPSS API
  7. FIRST EPSS FAQ
  8. CVE Program cvelistV5 repository