Operators of chemical, petroleum, and hydrogen terminals face a serious cybersecurity threat after ABB confirmed that a critical flaw in its T-MAC Plus terminal management system could hand low-privileged attackers the keys to sensitive files and administrative control. The Swiss industrial technology giant released version 4.0-25 on June 3, 2026, patching four vulnerabilities—including CVE-2025-14771 with a CVSS score of 9.9—and CISA republished the advisory on July 14 to alert critical infrastructure owners worldwide.

Inside the Four Vulnerabilities

The advisory from ABB, tracked as ICSA-26-195-03 by CISA, details flaws that break different layers of the T-MAC Plus trust model. The most severe, CVE-2025-14771, allows any authenticated user—even with low privileges—to exfiltrate sensitive files through a simple HTTP GET request. CISA categorizes it as CWE-552: Files or Directories Accessible to External Parties, and ABB attributes the flaw to an incorrectly configured IIS server with file browsing enabled.

The second vulnerability, CVE-2025-14772 (CVSS 8.8), exposes broken access controls. An authenticated low-privilege user can perform administrative operations, effectively bypassing the role-based separation that T-MAC Plus promises. ABB states that user privilege assignments were revised and corrected in the new version.

CVE-2025-14773 (CVSS 8.0) is a stored cross-site scripting (XSS) vulnerability. An attacker who can create or edit web-form entities can inject malicious HTML or JavaScript that executes in another user’s browser, potentially hijacking sessions or manipulating data. ABB describes the root cause as DOM-based XSS, while CISA labels it stored XSS—both reflecting unsafe handling of user-controlled input.

A fourth flaw, CVE-2025-14774 (CVSS 7.4), targets the communication protocol with card readers. An unauthenticated attacker with physical access to a serial device can send a specially crafted message to block the card-reader service, requiring a manual restart. This disruption directly affects physical access control at terminals.

CVE ID Type CVSS 3.1 Access Required Primary Impact
CVE-2025-14771 File disclosure (IIS misconfiguration) 9.9 Critical Authenticated, low privilege Sensitive file exfiltration
CVE-2025-14772 Authorization bypass 8.8 High Authenticated, low privilege Administrative operations by unprivileged user
CVE-2025-14773 Stored/DOM-based cross-site scripting 8.0 High Authenticated + victim interaction Arbitrary script execution in victim’s browser
CVE-2025-14774 Insecure network protocol (card reader) 7.4 High Physical access + adjacent network Card reader service denial of service

Why Terminals Are a Prime Target

T-MAC Plus is more than a web application. ABB markets it as a terminal management system that coordinates product receipt and dispatch, inventory movement, access control, card-reader integrations, and even enterprise-resource-planning ties. It runs in server–workstation architectures beside weighbridges, loading equipment, and tank-gauging systems. That means compromising the software can ripple into physical operations.

“A conventional business application may expose records or interrupt office workflows; a terminal-management application can sit in the operational path through which personnel, vehicles, orders, products, and field equipment are coordinated,” the vendor’s own literature implies. The affected deployments span critical manufacturing sectors worldwide—chemical, petroleum, refinery, pipeline, bulk-storage, and hydrogen terminals—making any successful attack a regional or even global supply-chain concern.

The Multi-Layered Fix

ABB’s update to version 4.0-25 doesn’t just patch code. It alters both the web application configuration and the card-reader communication protocol. For CVE-2025-14771, the remediation removes the default IIS site and disables file browsing—a deeper configuration change, not a simple function patch. For CVE-2025-14772, the vendor reassigns privileges across user classes. The XSS and card-reader flaws receive direct code-level corrections.

This multi-layered nature underscores why manual workarounds are dangerous. Turning off file browsing in IIS might close the file-disclosure path, but it doesn’t fix broken authorization, XSS, or the card-reader protocol. “Workarounds can block known attack vectors without correcting the underlying vulnerabilities,” ABB warns, a standard phrase that here carries extra weight because the flaws span web, authentication, and field-device layers.

A Patching Playbook for Operators

Upgrading from 4.0-24 to 4.0-25 is the only complete fix. However, industrial sites cannot simply run a Windows update; the patch must be validated without disrupting loading, dispatch, or access control. ABB and CISA recommend these steps:

  • Identify affected systems — Confirm whether any production, standby, engineering, or disaster-recovery node runs T-MAC Plus 4.0-24.
  • Obtain the update — Contact ABB support channels for the 4.0-25 installer.
  • Back up everything — Save application data, site-specific configurations, and document a tested rollback procedure before touching production.
  • Audit user roles — Map existing accounts, remove stale ones, and ensure role assignments align with operational needs so that the patched privilege model works correctly.
  • Check physical security of card readers — Review serial-device access, IP address assignments, and physical cabinet locks. An attacker would need local access to exploit CVE-2025-14774.
  • Review IIS configuration — After upgrading, verify that the default IIS site is removed and file browsing is disabled. Use this opportunity to harden the web server.
  • Scan for evidence of past probes — Look for unusual HTTP GET requests targeting sensitive directories, unexpected administrative actions by low-privilege accounts, suspicious edits to web forms, or repeated card-reader service stoppages.
  • Test operational continuity — Simulate a full patch deployment in a staging environment, then after go-live verify card-reader communications, web forms, identity mappings, and device workflows.

CISA’s broader defense-in-depth practices still apply: minimize network exposure, place control-system networks behind firewalls, isolate them from business IT, and use maintained VPNs if remote access is unavoidable. “Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation,” the agency advises.

The Timeline: From Discovery to Disclosure

Angelo Catalani of Italy’s National Cybersecurity Agency (ACN) responsibly disclosed the vulnerabilities to ABB, giving the vendor time to craft a fix. The sequence unfolded like this:

  • June 3, 2026 — ABB issues its initial advisory (PSIRT 9AKK108472A7840), announcing T-MAC Plus 4.0-25 as the corrected release and stating no public disclosure or known exploitation had occurred.
  • July 14, 2026 — CISA republishes the advisory as ICSA-26-195-03, converting the vendor’s CSAF material verbatim to increase visibility for U.S. critical-infrastructure owners.

A frequently asked question in the advisory claims the vulnerabilities “cannot be exploited remotely” because physical access to an affected system node is required. That statement must be read carefully. The three web vulnerabilities carry network attack vectors in their CVSS scores and involve authenticated users sending web requests. The most defensible reading is that an attacker needs a foothold on the operations network or a valid account—not necessarily physical access to the server. CISA’s own recommendations reflect this: they advise isolating control-system devices from the internet and business networks, recognizing that network-adjacent threats are real.

The Road Ahead

ABB reported no known exploitation when the advisory was first released, but the gap between June and July means technical details have now been in the public domain for over a month. Industrial patching often lags behind IT cycles, giving adversaries a window to weaponize the information.

The lesson of ICSA-26-195-03 isn’t simply that four bugs exist. It’s that configuration errors, broken authorization, browser-trust abuse, and insecure device protocols all converge in a single platform that sits at the operational heart of terminals worldwide. Upgrading to 4.0-25 closes the disclosed paths, but the patch cycle should also prompt a broader architectural review—because the next weakness may again start in an ordinary web setting and end at a critical physical choke point.