HIGH 8.0

CVE-2025-14773: ABB T-MAC Plus XSS Vulnerability – HIGH Risk Assessment

ABB T-MAC Plus versions up to 4.0-24 contain a cross-site scripting (XSS) vulnerability that allows authenticated users to inject malicious scripts into web pages. When another user views a page containing the injected script, the script executes in their browser with their privileges, potentially enabling attackers to steal sensitive information, hijack sessions, or perform unauthorized actions on behalf of victims. The vulnerability requires both user authentication and victim interaction, limiting but not eliminating its risk in multi-user environments.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-03 / 2026-06-17

NVD description (verbatim)

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-14773 is a stored or reflected XSS vulnerability (CWE-79) in ABB T-MAC Plus affecting version 4.0-24. The application fails to properly sanitize user-supplied input before rendering it in web page responses. An authenticated attacker can craft malicious input containing JavaScript that bypasses input validation and neutralization controls. The vulnerability requires a low attack complexity and user interaction from a victim, making exploitation straightforward once an attacker gains initial authentication. The vector indicates network accessibility with no special privileges required beyond standard user authentication.

Business impact

For organizations deploying ABB T-MAC Plus in production environments, this vulnerability poses a moderate-to-significant risk depending on deployment context. If T-MAC Plus manages critical operational technology (OT) or industrial control processes, compromised user sessions could enable unauthorized system changes, data theft, or service disruption. In multi-user setups, malicious insiders or compromised accounts can target other users, potentially escalating privileges or exfiltrating sensitive operational data. Organizations should assess whether T-MAC Plus handles PII, financial data, or critical process parameters to determine impact severity.

Affected systems

ABB T-MAC Plus version 4.0-24 is affected. Organizations should verify their exact deployed version and review ABB's advisory for any additional minor versions or patch levels that may be in scope. T-MAC Plus is typically deployed in industrial automation and control environments, so affected systems likely span manufacturing facilities, utilities, or other OT-heavy organizations using ABB solutions.

Exploitability

Exploitation requires valid user credentials and victim user interaction. An attacker with legitimate access (or who compromises a low-privileged account) can inject malicious payloads via web input fields. The attack vector is network-accessible, making remote exploitation possible from anywhere with network access to the application. However, the requirement for authentication and victim interaction significantly reduces the attack surface compared to unauthenticated XSS vulnerabilities. The CVSS score of 8 (HIGH) reflects high impact on confidentiality, integrity, and availability once successfully exploited, despite the authentication and user interaction requirements.

Remediation

ABB customers should immediately check for and apply security patches addressing CVE-2025-14773. Verify against the vendor advisory for the specific patch version or upgrade path for T-MAC Plus 4.0-24. Implement input validation and output encoding controls if patches are not immediately available. Consider restricting access to T-MAC Plus to trusted networks or implementing additional authentication layers (e.g., multi-factor authentication). Monitor for suspicious user activity, unusual input patterns, or session anomalies that may indicate exploitation attempts.

Patch guidance

Consult the ABB security advisory for T-MAC Plus regarding available patches or updates that address this vulnerability. Apply patches promptly in a controlled manner, prioritizing production systems first. Verify the patched version number in the advisory and test in non-production environments before production deployment. If upgrades are required, plan migration carefully to avoid OT disruption. Maintain an inventory of T-MAC Plus deployments to ensure comprehensive coverage across your organization.

Detection guidance

Monitor T-MAC Plus access logs for unusual input containing script tags, event handlers (onclick, onload, etc.), or other JavaScript indicators in user-supplied form fields or URL parameters. Set alerts for repeated failed input validation attempts or anomalous web requests to the application. Implement web application firewalls (WAF) configured with rules to detect and block XSS payloads. Monitor for unexpected DOM modifications or unexpected browser-side execution. Network-level monitoring of connections to T-MAC Plus can identify unauthorized or anomalous access patterns. Review user activity logs for sessions accessing pages shortly after suspicious input submissions.

Why prioritize this

Despite not yet appearing on the CISA Known Exploited Vulnerabilities (KEV) catalog, this vulnerability merits immediate attention due to its HIGH CVSS score and potential impact on industrial control environments. The combination of network accessibility, high impact on confidentiality and integrity, and the operational criticality of ABB T-MAC Plus in many organizations justifies prioritizing this above general HIGH-severity vulnerabilities. Early patching reduces the window of opportunity for sophisticated threat actors to develop reliable exploits.

Risk score, explained

The CVSS 3.1 score of 8.0 reflects HIGH severity driven by high impact scores across confidentiality (C:H), integrity (I:H), and availability (A:H). The network attack vector (AV:N) and low attack complexity (AC:L) indicate ease of exploitation from remote locations. The requirement for prior authentication (PR:L) and user interaction (UI:R) prevents a critical rating, but these mitigating factors are often bypassable in real-world scenarios—particularly if attackers compromise low-privileged accounts or social engineer users. The unchanged scope (S:U) means impact is confined to the vulnerable component, not other systems. This score appropriately reflects the serious nature of XSS in industrial software.

Frequently asked questions

What versions of ABB T-MAC Plus are affected by this vulnerability?

Version 4.0-24 is confirmed affected. Always consult the ABB security advisory to confirm whether earlier versions, later minor releases, or related products (e.g., T-MAC, other ABB automation platforms) are also in scope.

Can this vulnerability be exploited without user credentials?

No. CVE-2025-14773 requires valid authentication to ABB T-MAC Plus. An attacker must either compromise a legitimate user account or have authorized access. However, once authenticated, exploitation is straightforward and does not require sophisticated technical skills.

How does this vulnerability differ from other XSS issues?

This is a classic input validation failure in web-based industrial software. The impact is amplified in OT environments where users may have privileged access to critical processes; a compromised session could directly enable malicious changes to industrial operations or data theft affecting production.

If ABB has not released a patch yet, what should we do?

Immediately restrict access to T-MAC Plus to trusted networks and users, implement network segmentation, enforce strong authentication, and monitor for exploitation attempts. Contact ABB support to confirm patch timelines. Implement compensating controls such as web application firewalls, input validation rules, and enhanced logging until patches are available.

This analysis is based on publicly available information current as of the publication date. CVSS scores, affected versions, and patch availability are sourced from authoritative CVE and vendor sources. Organizations must verify patch version numbers and availability directly with ABB before deployment. This assessment does not constitute professional security advice; consult with your security team and ABB support for guidance specific to your environment. Exploitation of this vulnerability without authorization is illegal. SEC.co assumes no liability for loss or damage resulting from use of this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).