Description
Missing authentication for critical function vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1.
Published: 2026-03-13
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Configuration Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a missing authentication for a critical function in ABB AWIN GW100 rev.2 and GW120 devices. This flaw allows an attacker to access or modify configuration data without authenticating, potentially leading to unauthorized configuration changes and compromising the device’s integrity and availability. The weakness is classified as CWE-306.

Affected Systems

The affected products are ABB AWIN GW100 rev.2 and ABB AWIN GW120. The vulnerable firmware versions are AWIN GW100 rev.2: 2.0-0 and 2.0-1; AWIN GW120: 1.2-0 and 1.2-1. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity risk. The EPSS score is less than 1%, suggesting a low probability of exploitation currently, and the vulnerability is not included in the CISA KEV catalog. The likely attack vector is network-based (the published CVSS vectors specify AV:A, adjacent network): an attacker with network access can send unauthenticated requests to the device's critical function, leading to configuration data exposure. This can be achieved without additional prerequisites.

Generated by OpenCVE AI on March 19, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware or patch from ABB that corrects the missing authentication in the critical function (refer to ABB release notes or the provided download link).
  • If an immediate firmware update is not possible, isolate the AWIN devices on a separate network segment or implement firewall rules to restrict external access to the management interfaces.
  • After updating or isolating, confirm that all configuration and management functions now require proper authentication.
  • Continuously monitor device logs for unauthenticated access attempts and block any such traffic.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 10:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Abb; Abb awin Gw100 Rev.2; Abb awin Gw120 |
| Vendors & Products | | Abb; Abb awin Gw100 Rev.2; Abb awin Gw120 |

Fri, 13 Mar 2026 15:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |

Fri, 13 Mar 2026 13:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Missing authentication for critical function vulnerability in ABB AWIN GW100 rev.2, ABB AWIN GW120. This issue affects AWIN GW100 rev.2: 2.0-0, 2.0-1; AWIN GW120: 1.2-0, 1.2-1. |
| Title | | Configuration Data Spill |
| Weaknesses | | CWE-306 |
| References | | |
| Metrics | | cvssV3_1 {'score': 8.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H'}; cvssV4_0 {'score': 7.2, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:H/SC:N/SI:N/SA:N'} |

MITRE

Status: PUBLISHED

Assigner: ABB

Published:

Updated: 2026-03-13T14:11:57.527Z

Reserved: 2025-11-28T14:22:33.792Z

Link: CVE-2025-13779

Vulnrichment

Updated: 2026-03-13T14:11:53.590Z

NVD

Status: Awaiting Analysis

Published: 2026-03-13T19:53:49.480

Modified: 2026-03-16T14:54:11.293

Link: CVE-2025-13779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T12:02:58Z

Weaknesses