CVE-2025-13777 Overview
CVE-2025-13777 is an authentication bypass by capture-replay vulnerability affecting ABB AWIN GW100 rev.2 and ABB AWIN GW120 industrial gateway devices. This vulnerability allows an attacker on an adjacent network to bypass authentication mechanisms by capturing and replaying authentication traffic, potentially gaining unauthorized access to the affected devices without valid credentials.
Critical Impact
Attackers within the adjacent network can capture authentication credentials and replay them to gain unauthorized access to ABB AWIN gateway devices, potentially compromising industrial control systems and connected infrastructure.
Affected Products
- ABB AWIN GW100 rev.2 versions 2.0-0 and 2.0-1
- ABB AWIN GW120 versions 1.2-0 and 1.2-1
Discovery Timeline
- 2026-03-13 - CVE-2025-13777 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2025-13777
Vulnerability Analysis
This vulnerability is classified under CWE-294 (Authentication Bypass by Capture-Replay), indicating a fundamental weakness in the authentication protocol implementation. The affected ABB AWIN gateway devices fail to properly implement anti-replay mechanisms, allowing captured authentication tokens or credentials to be reused by attackers.
The adjacent network attack vector means the vulnerability requires the attacker to have access to the same network segment as the target device. Once positioned on the network, an attacker can passively capture authentication exchanges between legitimate users and the gateway device. These captured credentials can then be replayed to impersonate the legitimate user and gain unauthorized access to the device.
The impact of successful exploitation includes high confidentiality compromise through access to sensitive device configurations and operational data, limited integrity impact through potential modification of device settings, and high availability impact as attackers could disrupt gateway operations affecting connected industrial systems.
Root Cause
The root cause lies in the authentication mechanism's failure to implement proper anti-replay protections. The authentication protocol does not utilize time-based tokens, nonces, or sequence numbers that would invalidate captured credentials after their initial use. This allows captured authentication data to remain valid indefinitely, enabling replay attacks at any time after the initial capture.
Attack Vector
The attack requires adjacent network access, meaning the attacker must be on the same local network segment as the target ABB AWIN gateway device. The attack flow typically involves:
- The attacker positions themselves on the adjacent network through physical access or by compromising another device on the segment
- Network traffic monitoring tools capture authentication exchanges between legitimate administrators and the gateway
- The captured authentication tokens or credential exchanges are stored for later use
- The attacker replays the captured authentication data to gain access without knowing the actual credentials
This vulnerability requires no user interaction and no prior privileges, making it particularly concerning for industrial environments where these gateway devices are deployed. The lack of complexity in the attack path increases the risk of successful exploitation.
Detection Methods for CVE-2025-13777
Indicators of Compromise
- Multiple authentication sessions from different source IPs using identical authentication tokens or credentials
- Authentication attempts that exactly match previously recorded successful authentication exchanges
- Anomalous authentication patterns indicating token reuse across different time periods
- Network traffic captures showing duplicate authentication sequences
Detection Strategies
- Deploy network intrusion detection systems (NIDS) configured to identify duplicate authentication sequences to ABB AWIN devices
- Implement authentication logging on network infrastructure to track and correlate login attempts to gateway devices
- Monitor for unusual access patterns such as simultaneous sessions or rapid sequential authentications from different sources
- Analyze network traffic for identical authentication payloads across separate connection attempts
Monitoring Recommendations
- Enable comprehensive logging on ABB AWIN gateway devices and forward logs to a centralized SIEM solution
- Configure alerting for authentication anomalies including failed attempts, unusual timing, and duplicate sessions
- Implement network segmentation monitoring to detect unauthorized lateral movement toward industrial network segments
- Establish baseline authentication patterns for gateway access to identify deviations that may indicate replay attacks
How to Mitigate CVE-2025-13777
Immediate Actions Required
- Review and restrict network access to ABB AWIN gateway devices to only essential personnel and systems
- Implement network segmentation to isolate industrial gateway devices from general network traffic
- Deploy additional network-level authentication such as 802.1X to add a layer of protection for adjacent network access
- Audit current device access and reset credentials for any potentially compromised accounts
Patch Information
ABB has released a security advisory addressing this vulnerability. Administrators should consult the ABB Security Advisory for official patch information and firmware updates.
Organizations running affected versions should prioritize applying available security updates:
- AWIN GW100 rev.2: Upgrade from versions 2.0-0 and 2.0-1 to the latest patched firmware
- AWIN GW120: Upgrade from versions 1.2-0 and 1.2-1 to the latest patched firmware
Workarounds
- Implement encrypted VPN tunnels for all administrative access to gateway devices, preventing credential capture on the local network
- Deploy network access control (NAC) solutions to restrict which devices can communicate with the ABB gateways
- Use firewall rules to limit inbound connections to the gateway devices to specific authorized management stations only
- Consider implementing additional authentication layers such as certificate-based authentication where supported
# Network segmentation example - isolate industrial gateways
# Add firewall rules to restrict access to ABB AWIN devices
iptables -A INPUT -s 192.168.10.0/24 -d 192.168.20.100 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -d 192.168.20.100 -p tcp --dport 443 -j DROP
# Enable logging for authentication attempts
iptables -A INPUT -d 192.168.20.100 -j LOG --log-prefix "ABB_AWIN_ACCESS: "
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
