ABB and the U.S. Cybersecurity and Infrastructure Security Agency issued a joint advisory in June 2026 warning that a high-severity vulnerability in the Freelance Security Lock component could let authenticated local attackers break out of the restricted engineering console and seize control of industrial processes. CVE-2025-7064 affects every version of ABB Freelance going back to the 2013 release, right through Freelance 2024, leaving thousands of distributed control systems in power plants, oil refineries, and manufacturing sites exposed.
The flaw directly targets the Windows-based operator station that runs the Freelance Engineering Interface. In a standard deployment, the Security Lock is supposed to restrict users to a tightly controlled set of OT applications. CVE-2025-7064 punches a hole in that container, giving an attacker full access to the underlying Windows desktop and all the process control functions it can reach.
What is ABB Freelance?
ABB Freelance is a distributed control system used across process industries to monitor and automate everything from chemical reactors to turbine generators. The system combines an engineering station, operator panels, and a controller network into a single Windows application suite. Because the engineering station runs on a standard Windows operating system, ABB implemented the Security Lock feature to prevent operators from escaping the process interface and launching unauthorised apps, file explorers, or command prompts.
That containment is the last line of defense between a rogue insider or compromised account and the physical machinery. Breaking out of it effectively hands the attacker a remote desktop to the entire plant.
CVE-2025-7064: Technical Breakdown
The vulnerability received a CVSS v4 score of 8.4, placing it firmly in the high-severity band. According to the advisory, the flaw stems from insufficient restriction of code execution within the Security Lock environment. A local attacker who already holds valid credentials can use specially crafted keystrokes, click sequences, or process messages to break out of the locked session and gain full Windows access.
ABB’s security bulletin describes the attack vector as local, with low attack complexity and low privileges required. No user interaction is needed once the attacker has authenticated. The impact is total: the confidentiality, integrity, and availability of the engineering station are fully compromised. From there, an attacker can change setpoints, download malicious logic to controllers, or pivot deeper into the OT network.
Affected Systems
The vulnerability affects every supported and many unsupported Freelance releases:
- ABB Freelance 2013 (all updates)
- ABB Freelance 2016 / 2016 SP1
- ABB Freelance 2019 / 2019 SP1
- ABB Freelance 2022
- ABB Freelance 2024
The 2013 version has been out of mainstream support for years, yet ABB confirmed it remains vulnerable and will not receive a direct patch. Systems running these older versions must employ alternative mitigations.
How the Attack Works
A practical exploit scenario begins with an attacker who has already gained access to a valid user account on the engineering station. That initial foothold might come from a phishing attack, a stolen credential, or a malicious USB device plugged into the console. Once the attacker is logged in, the Security Lock normally presents a full-screen interface with no visible way to reach the Windows desktop or run arbitrary executables.
By triggering the vulnerability, the attacker can cause the Security Lock process to crash, spawn a hidden command prompt, or directly call Windows Explorer. Reports from early incident responses suggest that the bypass does not require any debugging tools or admin rights; a standard operator account is sufficient. After escape, the attacker can install backdoors, steal configuration files, or directly interface with the control system using the same level of authority the engineering station already carries.
One field service engineer described the experience: “I found myself staring at the Windows desktop after a routine maintenance login. I hadn’t run anything strange — that’s when it hit me that the lock was illusory.”
Official Warning and Timeline
CISA published ICS Advisory ICSA-26-162-01 on June 11, 2026, the same day ABB released its own security bulletin. The coordinated disclosure indicates the flaw was reported through proper channels, though neither organization has named the researcher. ABB credited an internal security team and an unnamed OT security firm with the discovery.
The timeline shows a 90-day window from initial report to patch availability. ABB released Freelance 2024 Service Pack 1 on June 10, 2026, with a redesigned Security Lock mechanism that validates all inter-process calls and stops the escape technique. For older versions still under limited support, ABB provides a hotfix that can be applied manually.
Remediation and Mitigation
Organizations that can upgrade should move straight to Freelance 2024 SP1 or the most recent release. ABB’s download center provides the service pack along with release notes confirming CVE-2025-7064 is addressed.
For legacy installations that cannot be upgraded immediately, ABB and CISA recommend a layered set of mitigations:
- Network segmentation: Ensure the engineering station sits on a separate VLAN from IT networks and the internet. Restrict remote access to jump servers only.
- Physical access controls: Lock the engineering console in a secure room and enforce strict key or badge access.
- Application whitelisting: Use Windows AppLocker or similar solutions to restrict which executables can run even if the desktop is reached.
- Endpoint monitoring: Deploy OT-aware endpoint detection that can flag unexpected desktop processes launching under the Freelance service account.
- Remove unused accounts: Delete or disable dormant user profiles and enforce strong multi-factor authentication for any account that can log into the engineering station.
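The application-whitelisting item above is the control that still stops a kiosk escape after the Security Lock itself has failed. The PowerShell below is an added example written for this page (it is not ABB's or CISA's code): it builds an AppLocker rule set for the engineering station, dry-runs it with Test-AppLockerPolicy before anything goes live, and then applies it in audit-only mode. The install path %PROGRAMFILES%\ABB\Freelance, the use of BUILTIN\Users as the operator group, and the list of excluded tools are assumptions, not details from the advisory.

```powershell
# Added example, not ABB's or CISA's code: build and dry-run an AppLocker EXE policy
# for a Freelance engineering station. Assumptions (not stated on the page):
#   - Freelance is installed under %PROGRAMFILES%\ABB\Freelance
#   - operators are members of BUILTIN\Users; engineers/admins of BUILTIN\Administrators
# Requires a Windows edition that enforces AppLocker (Enterprise/Server) and an elevated shell.
$FreelanceDir = '%PROGRAMFILES%\ABB\Freelance'   # assumed install path (AppLocker path-variable form)
$OperatorSid  = 'S-1-5-32-545'                   # BUILTIN\Users
$AdminSid     = 'S-1-5-32-544'                   # BUILTIN\Administrators
$PolicyPath   = Join-Path $env:ProgramData 'FreelanceAppLocker.xml'

function New-PathRule {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Sid,
        [ValidateSet('Allow', 'Deny')][string]$Action = 'Allow',
        [string[]]$Exceptions = @()
    )
    $lines = @(
        "<FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$Sid`" Action=`"$Action`">"
        "  <Conditions><FilePathCondition Path=`"$Path`" /></Conditions>"
    )
    if ($Exceptions.Count -gt 0) {
        $lines += '  <Exceptions>'
        foreach ($e in $Exceptions) { $lines += "    <FilePathCondition Path=`"$e`" />" }
        $lines += '  </Exceptions>'
    }
    $lines += '</FilePathRule>'
    $lines -join "`n"
}

# Once any rule exists in the Exe collection, everything not explicitly allowed is blocked.
# Operators get the Freelance suite plus the OS, minus the interactive tools a kiosk escape
# would land in. Do NOT add explorer.exe to the exceptions unless the Security Lock is
# registered as the Windows shell, or operator logons will break.
$rules = @(
    New-PathRule -Name 'Operators: Freelance suite' -Path "$FreelanceDir\*" -Sid $OperatorSid
    New-PathRule -Name 'Operators: Windows minus shells' -Path '%WINDIR%\*' -Sid $OperatorSid -Exceptions @(
        '%WINDIR%\System32\cmd.exe', '%WINDIR%\SysWOW64\cmd.exe',
        '%WINDIR%\System32\WindowsPowerShell\*', '%WINDIR%\SysWOW64\WindowsPowerShell\*',
        '%WINDIR%\regedit.exe', '%WINDIR%\System32\mmc.exe', '%WINDIR%\System32\Taskmgr.exe')
    New-PathRule -Name 'Administrators: all' -Path '*' -Sid $AdminSid
)

# Start in AuditOnly: event 8003 in Microsoft-Windows-AppLocker/EXE and DLL records what
# WOULD have been blocked. Switch EnforcementMode to "Enabled" only after a clean audit period.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $PolicyPath -Value $policyXml -Encoding UTF8

# Dry-run against real files before touching the live policy. Expected decisions:
# operator + cmd.exe -> Denied*, operator + notepad.exe -> Allowed, admin + cmd.exe -> Allowed.
foreach ($check in @(
    @{ Path = "$env:windir\System32\cmd.exe";     User = 'BUILTIN\Users' },
    @{ Path = "$env:windir\System32\notepad.exe"; User = 'BUILTIN\Users' },
    @{ Path = "$env:windir\System32\cmd.exe";     User = 'BUILTIN\Administrators' })) {
    $result = Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $check.Path -User $check.User
    '{0,-22} {1,-24} {2}' -f $result.PolicyDecision, $check.User, $check.Path
}

# Apply: AppLocker only enforces while the Application Identity service is running.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
```

The dry-run matters more than the apply step: a path rule that is one directory too narrow will block the Freelance suite itself, so confirm the three expected decisions (and add the station's own Freelance binaries to the checks) before leaving audit mode.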
ABB also stresses that the Security Lock is a defense-in-depth measure, not a standalone security boundary. The primary security should always be physical protection, network isolation, and rigorous account management.
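For the endpoint-monitoring item in the list above, the following is an added example (not the Dragos signature and not ABB tooling) of what "flag unexpected desktop processes launching under the Freelance account" looks like as a rule over Windows process-creation events (Security event 4688). The Freelance install directory, the placeholder binary names, the operator account name and the sample events are all constructed for this example.

```powershell
# Added example, not a vendor signature: flag processes started under the operator account
# that do not belong to the locked Freelance session. Assumptions (not on the page):
#   - Freelance lives under $FreelanceDir; the binary names used below are constructed placeholders
#   - operator logons use the accounts listed in $OperatorAccounts
# Live data needs "Audit Process Creation" (event 4688) plus command-line logging enabled.

function Get-ProcessCreationEvents {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull EventData fields by name rather than by positional index.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $data['SubjectUserName']
            Image   = $data['NewProcessName']
            Parent  = $data['ParentProcessName']
            Command = $data['CommandLine']
        }
    }
}

function Find-KioskEscape {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$OperatorAccounts = @('operator'),
        [string]$FreelanceDir = 'C:\Program Files (x86)\ABB\Freelance',   # assumed
        # Parents that legitimately start the operator's first processes at logon.
        [string[]]$SessionLaunchers = @("$env:windir\System32\userinit.exe", "$env:windir\System32\winlogon.exe")
    )
    foreach ($e in $Events) {
        if ($OperatorAccounts -notcontains $e.User) { continue }   # other accounts are out of scope here
        $imageInSuite  = $e.Image  -like "$FreelanceDir\*"
        $parentInSuite = $e.Parent -like "$FreelanceDir\*"
        $parentOk      = $parentInSuite -or ($SessionLaunchers -contains $e.Parent)
        if ($imageInSuite -and $parentOk) { continue }            # normal suite activity
        $reason = if ($e.Image -match '\\(cmd|powershell|pwsh|explorer|mmc|regedit|taskmgr)\.exe$') {
                      'interactive shell or desktop tool under operator account'
                  } elseif (-not $imageInSuite -and $parentInSuite) {
                      'non-Freelance image spawned from inside the Freelance session'
                  } elseif (-not $parentOk) {
                      "unexpected parent: $($e.Parent)"
                  } else { 'image outside the Freelance install directory' }
        [pscustomobject]@{ Time = $e.Time; User = $e.User; Image = $e.Image; Parent = $e.Parent; Reason = $reason }
    }
}

# Constructed sample (not real log data); 'Operator.exe' and 'Trend.exe' are placeholder names.
$suite  = 'C:\Program Files (x86)\ABB\Freelance'
$sample = @(
    [pscustomobject]@{ Time = '2026-06-12 08:01:10'; User = 'operator';   Image = "$suite\Operator.exe";          Parent = "$env:windir\System32\userinit.exe"; Command = '' }
    [pscustomobject]@{ Time = '2026-06-12 08:01:12'; User = 'operator';   Image = "$suite\Trend.exe";             Parent = "$suite\Operator.exe";               Command = '' }
    [pscustomobject]@{ Time = '2026-06-12 08:14:03'; User = 'operator';   Image = "$env:windir\System32\cmd.exe"; Parent = "$suite\Operator.exe";               Command = 'cmd.exe' }
    [pscustomobject]@{ Time = '2026-06-12 08:14:40'; User = 'operator';   Image = "$env:windir\explorer.exe";     Parent = "$env:windir\System32\cmd.exe";      Command = 'explorer.exe' }
    [pscustomobject]@{ Time = '2026-06-12 08:20:00'; User = 'svc-backup'; Image = "$env:windir\System32\cmd.exe"; Parent = "$env:windir\System32\services.exe"; Command = '' }
)
# Two hits expected: cmd.exe launched from inside the locked session, then explorer.exe from cmd.
Find-KioskEscape -Events $sample | Format-Table -AutoSize

# Live hunt on the station itself:
# Find-KioskEscape -Events (Get-ProcessCreationEvents -Hours 24) | Format-Table -AutoSize
```

The rule deliberately keys on the operator account and the parent process rather than on any one binary: after a breakout the first child of the locked session is whatever the attacker reached, so "anything outside the suite, spawned from inside the suite" is the durable signal. Expect to tune the session-launcher list against a clean baseline on each station before alerting on it.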
The Windows OT Security Angle
This vulnerability underscores a recurring tension in industrial control systems: Windows provides a rich, familiar platform for engineering tools, but its general-purpose nature constantly opens doors that attackers can jiggle. Every Windows update, every .NET framework patch, every background service becomes a potential lever to bypass what are essentially custom shell replacements.
Since 2020, CISA has catalogued at least a dozen similar “kiosk escape” vulnerabilities in OT products from multiple vendors. In almost every case, the root cause is the same: the vendor builds a user interface on top of Windows and tries to wall it off from the operating system, but a small oversight in input handling, message queues, or process spawning allows a breakout.
Asset owners running any OT software on Windows should treat the host OS as a critical security layer, not just a compatibility requirement.
Industry Reaction
Industrial cybersecurity firms responded quickly. Dragos released a detection signature for its platform within 24 hours of the advisory, hunting for any process anomalies matching the escape pattern. Claroty noted that the attack requires authenticated access, which reduces the overall severity slightly but does little to comfort plants where shared operator accounts are still common.
“We’ve seen many Freelance installations where the engineering station sits in an unlocked control room with a shared ‘operator/operator’ login,” said a Claroty researcher in the firm’s blog. “In those environments, this vulnerability turns a simple mistake into a full compromise.”
What This Means for Windows OT Administrators
If you manage a Windows-based OT workstation running ABB Freelance, the immediate priority is to identify every engineering console in the fleet. Asset inventory tools that can fingerprint software versions over the process network are invaluable here. Next, apply the patch or hotfix, and then audit the user accounts configured on each machine.
Even after patching, treat the engineering station as a high-value target. It controls the logic that keeps turbines spinning and reactors stable. Network segmentation should be verified with active firewall rules that deny all inbound traffic except from explicitly authorized management nodes. Any remote access solution, even for vendor support, must be time-bounded and monitored.
For the longer term, consider virtualizing the engineering environment. Several ABB customers have moved to a model where Freelance runs in a virtual machine on a hardened hypervisor, with the Windows desktop largely irrelevant. While still not invulnerable, this architecture provides an extra containment ring and simplifies snapshot-based recovery.
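As an added example of the audit steps just described (it is not an ABB-provided script), the PowerShell below checks a single station for the installed Freelance product, enabled-but-dormant local accounts, and inbound firewall rules that are not restricted to the management nodes, and shows how the same script fans out across the fleet. The Uninstall-entry naming, the jump-server addresses and the 90-day idle threshold are assumptions.

```powershell
# Added example, not ABB tooling: audit one engineering station for the items above
# (installed Freelance version, dormant accounts, inbound firewall posture).
# Assumptions (not on the page):
#   - the product registers an Uninstall entry whose DisplayName starts with 'ABB Freelance'
#   - $ManagementNodes lists the only hosts that may reach the station inbound
# Run elevated on the station, or fan out with Invoke-Command (see the end).

function Get-FreelanceInstall {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'ABB Freelance*' } |      # assumed naming
        Select-Object DisplayName, DisplayVersion, InstallDate
}

function Get-DormantLocalAccounts {
    param([int]$MaxIdleDays = 90)
    $cutoff = (Get-Date).AddDays(-$MaxIdleDays)
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        $finding = if (-not $_.PasswordRequired)     { 'no password required' }
                   elseif ($null -eq $_.LastLogon)   { 'enabled but never logged on' }
                   elseif ($_.LastLogon -lt $cutoff) { "idle since $($_.LastLogon.ToShortDateString())" }
        if ($finding) { [pscustomobject]@{ Account = $_.Name; Finding = $finding } }
    }
}

function Get-InboundExposure {
    param([string[]]$ManagementNodes)
    # 1. Every firewall profile must be on and must block inbound by default.
    foreach ($p in Get-NetFirewallProfile) {
        if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
            [pscustomobject]@{ Item = "profile $($p.Name)"; Finding = "enabled=$($p.Enabled) defaultInbound=$($p.DefaultInboundAction)" }
        }
    }
    # 2. Enabled inbound allow rules must be scoped to the management nodes, never 'Any'.
    foreach ($r in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
        $remote   = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
        $unscoped = $remote | Where-Object { $_ -eq 'Any' -or ($ManagementNodes -notcontains $_) }
        if ($unscoped) {
            [pscustomobject]@{ Item = "rule '$($r.DisplayName)'"; Finding = "allows inbound from $($unscoped -join ', ')" }
        }
    }
}

$ManagementNodes = @('10.10.1.5', '10.10.1.6')   # constructed placeholders for your jump servers
[pscustomobject]@{
    Computer  = $env:COMPUTERNAME
    Freelance = Get-FreelanceInstall
    Accounts  = Get-DormantLocalAccounts -MaxIdleDays 90
    Firewall  = Get-InboundExposure -ManagementNodes $ManagementNodes
} | Format-List

# Fleet run from a management node (WinRM must be reachable on the stations):
# Invoke-Command -ComputerName (Get-Content .\stations.txt) -FilePath .\Audit-EngineeringStation.ps1
```

An empty Firewall list is the goal state; any rule whose remote address is 'Any' or 'LocalSubnet' is exactly the unverified segmentation the section warns about, and a vendor-support rule that shows up here should be replaced by a time-bounded one scoped to the jump server.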
The Road Ahead
ABB has indicated that future versions of Freelance will move away from the standalone Security Lock concept entirely, hinting at a containerized or hardware-backed isolation model. That shift is part of a broader industrial trend: as Windows 10 and 11 lifecycle pressures mount on OT appliances, vendors are increasingly looking at Linux or real-time operating systems for the process interface, with Windows relegated to a managed application layer.
CISA’s advisory also reminds owners that end-of-life software is a ticking compliance violation under many cybersecurity frameworks. That 2013 Freelance deployment might still control a profitable process, but without a patch, it should be ring-fenced with every compensating control available.
The CVE-2025-7064 disclosure arrives in an era where industrial ransomware attacks have become weekly news, and nation-state actors routinely probe critical infrastructure. A local authenticated escape might sound less dramatic than a remote zero-click exploit, but the impact is the same: it allows an adversary with a foothold to own the physical plant.
Patch management in OT is slow, painful, and often requires a plant shutdown. That reality means asset owners must act now, not after the next scheduled turnaround, to apply the fix or at least put compensating controls in place. ABB’s service pack is available immediately, and the hotfix can be applied online in many configurations without a full engineering station reboot.
Industrial security is a marathon of incremental improvements. CVE-2025-7064 is a sharp reminder that sometimes the most dangerous vulnerabilities are the ones hiding in plain sight, behind a login screen that was supposed to keep the chaos out.