CVE-2025-7064: ABB Freelance Auth Bypass Vulnerability

CVE-2025-7064 Overview

CVE-2025-7064 is an authentication bypass vulnerability affecting ABB Freelance distributed control system (DCS) software. The flaw is categorized under [CWE-305] Authentication Bypass by Primary Weakness, meaning the primary authentication mechanism can be circumvented by an attacker with local access and low privileges. ABB Freelance is widely deployed in industrial process automation environments, including chemical, energy, and manufacturing facilities. Affected releases span Freelance 2013, 2013 SP1, 2016, 2016 SP1, 2019, 2019 SP1, 2019 SP1 FP1, and 2024. Successful exploitation can compromise the integrity of engineering and control operations on affected workstations.

Critical Impact

A local, authenticated attacker can bypass authentication controls in ABB Freelance, gaining elevated influence over integrity-sensitive functions in industrial control system workflows.

Affected Products

• ABB Freelance 2013 and 2013 SP1
• ABB Freelance 2016 and 2016 SP1
• ABB Freelance 2019, 2019 SP1, and 2019 SP1 FP1
• ABB Freelance 2024

Discovery Timeline

• 2026-06-11 - CVE-2025-7064 published to NVD
• 2026-06-11 - Last updated in NVD database

Technical Details for CVE-2025-7064

Vulnerability Analysis

The vulnerability resides in the primary authentication routine of ABB Freelance. The implementation relies on a single authentication check that can be bypassed through a known weakness in its design, classified as [CWE-305]. An attacker operating on the local engineering workstation can present input that the authentication logic accepts without enforcing the intended credential verification. Once the check is bypassed, the attacker inherits the trust assumed by downstream components of the Freelance engineering and control environment. The result is a meaningful loss of integrity for control logic, configurations, and operator-facing functions, with secondary effects on availability and confidentiality.

Root Cause

The root cause is reliance on a primary authentication weakness rather than layered identity validation. ABB Freelance's authentication flow does not adequately verify the legitimacy of the credential or session before granting access to privileged engineering functions. Because the design treats successful traversal of one check as sufficient proof of identity, attackers who satisfy that single check, even under attacker-controlled conditions, gain access. The vulnerability requires a passive component to be present (AT:P), indicating the attack relies on specific configuration or runtime state in the target environment.

Attack Vector

Exploitation requires local access to a system running ABB Freelance and low-privileged credentials on that host. No user interaction is needed. The attacker leverages the authentication bypass to obtain access reserved for higher-privileged engineering or operator roles. From this position, the attacker can modify control logic, alter configurations, or influence process operations. Refer to the ABB security advisory for vendor-supplied technical details.

No verified proof-of-concept code is publicly available for CVE-2025-7064.
Refer to the ABB advisory for technical exploitation context.

Detection Methods for CVE-2025-7064

Indicators of Compromise

• Unexpected authentication events on Freelance engineering workstations originating from low-privileged local accounts.
• Configuration or control-logic changes performed outside of approved engineering change windows.
• Session escalations or role assignments in Freelance audit logs that lack a corresponding approved request.

Detection Strategies

• Correlate Freelance application logs with operating system authentication logs to identify mismatches between OS-level identity and Freelance-level privileges.
• Baseline normal engineering activity per user and alert on deviations such as off-hours logins or first-time use of privileged functions.
• Monitor for process or service interactions with Freelance binaries by accounts that have no legitimate engineering role.

Monitoring Recommendations

• Forward Freelance host telemetry, including authentication and configuration-change events, to a centralized SIEM for retention and correlation.
• Enable file integrity monitoring on Freelance installation directories and configuration stores.
• Track local account creation, group membership changes, and interactive logons on all engineering workstations running Freelance.

How to Mitigate CVE-2025-7064

Immediate Actions Required

• Apply the security update referenced in the ABB Freelance advisory to all affected Freelance versions.
• Restrict local interactive access to Freelance engineering workstations to a minimal set of named accounts.
• Audit existing local accounts on Freelance hosts and remove unused or shared credentials.

Patch Information

ABB has published guidance in document 7PAA020361. Operators should consult the advisory to identify the correct remediation for each installed Freelance release (2013 through 2024) and schedule maintenance windows aligned with industrial change-management procedures.

Workarounds

• Place Freelance engineering workstations on a segmented control network with strict firewall rules limiting inbound access to approved engineering hosts only.
• Enforce multi-factor authentication at the workstation OS layer where supported, reducing the population of attackers that can reach the vulnerable code path.
• Apply application allowlisting on Freelance hosts to prevent unauthorized binaries from interacting with engineering software.
• Increase the frequency of configuration backups and integrity checks so unauthorized changes can be detected and reversed quickly.

# Example: restrict interactive logon on a Freelance workstation (Windows)
# Limit the "Allow log on locally" right to a dedicated engineering group
secedit /export /cfg current.inf
# Edit current.inf to set:
# SeInteractiveLogonRight = *S-1-5-32-544,FREELANCE\Engineers
secedit /configure /db secedit.sdb /cfg current.inf /overwrite