Description
Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus.

This issue affects T-MAC Plus: 4.0-24.
Published: 2026-06-03
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a broken access control flaw in the ABB T‑MAC Plus web interface: a user‑controlled key is trusted by the application, so an attacker can bypass its authorization checks. This lets users obtain privileges they should not have. The description does not state which data is exposed; it is inferred that sensitive configuration data, control commands, or other privileged functions could be reached. The weakness is classified as CWE‑639 (Authorization Bypass Through User‑Controlled Key).

Affected Systems

The flaw affects the ABB T‑MAC Plus web application in versions 4.0 through 24. Devices running any of these releases are susceptible unless a subsequent patch or firmware update has removed the user‑controlled key mechanism.

Risk and Exploitability

The CVSS base score of 7.3 rates this issue as High, indicating a significant potential impact. The EPSS score is currently unavailable, and the absence of a KEV listing suggests that no mass exploitation has been reported yet. An attacker with network access to the device can exploit the flaw remotely by sending crafted requests to the web interface. The description does not state the exact prerequisites for exploitation; it is inferred that elevation of privilege can be achieved without authentication. Organizations should therefore treat this as a high‑risk finding pending patch deployment.

Generated by OpenCVE AI on June 3, 2026 at 12:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest ABB T‑MAC Plus firmware or security update from ABB's release page once it addresses the authorization bypass flaw.
  • Review and enforce strict access controls on the web interface: ensure that only authorized users can generate or use the user‑controlled key, and limit exposure of management ports to trusted networks.
  • Monitor authentication logs for anomalous access attempts, and apply network segmentation or firewall rules to restrict web‑interface traffic to internal management networks.

Generated by OpenCVE AI on June 3, 2026 at 12:50 UTC.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values removed: none
Values added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 11:15:00 +0000

Type: Description
Values removed: none
Values added: Authorization bypass through User-Controlled key vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24.

Type: Title
Values removed: none
Values added: Broken Access Control in ABB T-MAC Plus web application

Type: Weaknesses
Values removed: none
Values added: CWE-639

Type: References
Values removed: none
Values added: none

Type: Metrics (cvssV3_1)
Values removed: none
Values added:

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Type: Metrics (cvssV4_0)
Values removed: none
Values added:

{'score': 7.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: ABB

Published:

Updated: 2026-06-03T12:49:14.950Z

Reserved: 2025-12-16T03:47:13.359Z

Link: CVE-2025-14772

Vulnrichment

Updated: 2026-06-03T12:47:52.187Z

NVD

Status: Received

Published: 2026-06-03T11:16:18.810

Modified: 2026-06-03T11:16:18.810

Link: CVE-2025-14772

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T13:00:13Z

Weaknesses