CVE-2025-14774 Overview
CVE-2025-14774 is an Incorrect Authorization vulnerability [CWE-863] affecting ABB T-MAC Plus version 4.0-24. The flaw allows an adjacent network attacker to bypass authorization checks and impact the integrity and availability of the affected device. ABB T-MAC Plus is an industrial transformer monitoring product, and weakened authorization on such equipment can affect operational technology environments. The vulnerability requires no privileges and no user interaction, but the attacker must be on an adjacent network segment to reach the device.
Critical Impact
An unauthenticated attacker with adjacent network access can perform actions on ABB T-MAC Plus 4.0-24 that should require authorization, leading to integrity and availability impact on the monitored transformer asset.
Affected Products
- ABB T-MAC Plus version 4.0-24
Discovery Timeline
- 2026-06-03 - CVE-2025-14774 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2025-14774
Vulnerability Analysis
The vulnerability is classified under [CWE-863] Incorrect Authorization. The product performs an authorization check but applies the wrong logic, allowing actions that should be denied. On ABB T-MAC Plus 4.0-24, this results in high impact to integrity and availability of the device and the system it interacts with. Confidentiality is not affected based on the vendor's CVSS assessment. The attack vector is adjacent network, meaning the attacker must be on the same logical or physical network segment as the device, typical for industrial control system communication channels.
Root Cause
The root cause is improper enforcement of authorization rules within the T-MAC Plus device. The product validates a requestor's identity or access context incorrectly, permitting privileged actions without the appropriate access level. ABB has documented the issue in its security advisory and identifies version 4.0-24 as affected.
Attack Vector
An attacker positioned on an adjacent network sends crafted requests to the T-MAC Plus management interface or service endpoint. Because the authorization decision is implemented incorrectly, the device processes the requests as if they were authorized. The attacker can then modify device state or disrupt monitoring functions. No authentication or user interaction is required. Detailed exploitation specifics are not publicly available; see the ABB Security Document for vendor guidance.
Detection Methods for CVE-2025-14774
Indicators of Compromise
- Unexpected configuration changes or parameter writes on T-MAC Plus devices running firmware 4.0-24.
- Management or control protocol traffic to T-MAC Plus from hosts that are not part of the documented engineering workstation inventory.
- Loss of monitoring data, reset events, or service restarts on T-MAC Plus without a corresponding change ticket.
Detection Strategies
- Inspect network flows to and from T-MAC Plus devices and alert on sessions originating outside the engineering VLAN.
- Baseline normal command and configuration traffic, then alert on deviations such as new write operations or new source addresses.
- Correlate device-side audit logs with change management records to identify unauthorized administrative actions.
Monitoring Recommendations
- Forward T-MAC Plus syslog and audit events to a central SIEM for long-term retention and correlation.
- Monitor for repeated failed or anomalous authorization decisions that may indicate probing.
- Track firmware versions across the fleet to identify devices still running the vulnerable 4.0-24 release.
How to Mitigate CVE-2025-14774
Immediate Actions Required
- Identify all ABB T-MAC Plus units running version 4.0-24 and prioritize them for remediation.
- Restrict network access to T-MAC Plus management interfaces to a small set of authorized engineering hosts.
- Place T-MAC Plus devices behind a properly segmented OT network with strict ingress filtering.
- Review device logs for signs of unauthorized configuration changes since the device was deployed.
Patch Information
ABB has published guidance for this issue. Consult the ABB Security Document for the fixed version and update procedure for T-MAC Plus 4.0-24. Apply the vendor-supplied firmware update during the next available maintenance window.
Workarounds
- Enforce network segmentation so that only authorized engineering workstations can reach the T-MAC Plus device on its management ports.
- Deploy ACLs on switches and firewalls to block adjacent-network traffic from untrusted segments.
- Disable or rate-limit unused services on the device where the vendor permits, in line with ABB's hardening guidance.
# Example ACL concept: restrict access to T-MAC Plus management interface
# Replace addresses and interface names with values from your environment
access-list TMAC_MGMT permit ip host 10.10.20.5 host 10.20.30.40
access-list TMAC_MGMT permit ip host 10.10.20.6 host 10.20.30.40
access-list TMAC_MGMT deny ip any host 10.20.30.40 log
access-list TMAC_MGMT permit ip any any
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

