ABB AWIN Gateways Authentication Bypass and DoS Vulnerabilities

Overview of ABB AWIN Vulnerabilities

Industrial automation leader ABB has disclosed several vulnerabilities affecting its AWIN gateway series, which are primarily utilized within the critical manufacturing sector. According to CISA Advisory ICSA-26-120-05, these flaws could enable unauthenticated attackers to perform unauthorized queries, reveal sensitive system configurations, or trigger a remote reboot of the affected hardware. The vulnerabilities impact the ABB AWIN GW100 rev.2 and the GW120 gateways, both of which are used globally to bridge industrial communication protocols.

While the vulnerabilities have high CVSS scores, the attack vector is limited to the network layer (AV:A), meaning an attacker must have access to the local or adjacent network to exploit these CVE identifiers. There is currently no evidence of public exploitation in the wild.

Technical Analysis: Authentication and Session Validation

The most significant threats are CVE-2025-13777 and CVE-2025-13779, both of which carry a base score of 8.3.

CVE-2025-13777: Authentication Bypass by Capture-Replay

This flaw involves improper session validation that allows an attacker to bypass authentication mechanisms. By capturing and replaying session data, a malicious actor could gain unauthorized access to the device management interface. This type of bypass often serves as a precursor to more destructive activities, such as Lateral Movement within the industrial control system environment.

CVE-2025-13778: Remote Reboot and DoS

CVE-2025-13778 is a medium-severity vulnerability resulting from missing authentication for a critical function. This allows an unauthenticated user to issue a command that forces the gateway to reboot. In an industrial context, a sudden reboot can lead to a loss of visibility into process data, potentially disrupting manufacturing operations or causing a temporary DDoS-like state for telemetry monitoring.

Impacts of CVE-2025-13779: Sensitive Configuration Leaks

When defenders attempt to detect ABB gateway configuration leak scenarios, they must look for unauthenticated queries targeting the device’s management ports. This vulnerability allows an attacker to extract the entire system configuration. This data often contains IP addresses, routing tables, and service details that provide a roadmap for an APT or other sophisticated actors to plan further stages of a Cyberattack.

Mitigation and ABB AWIN GW100 firmware update instructions

ABB has released firmware updates to address these vulnerabilities. Organizations should prioritize these updates to mitigate ICS authentication bypass in ABB devices and prevent unauthorized access to sensitive telemetry data.

Patch Requirements

• ABB AWIN GW100 rev.2: Update to firmware version 2.1-0 (Product ID: 3BNP102988R1).
• ABB AWIN GW120: Update to firmware version 2.0-0 (Product ID: 3BNP103003R1).

Asset owners should refer to the ABB PSIRT security advisory 4JNO000329 for detailed installation procedures and to verify hardware compatibility.

Defensive Strategies

Beyond patching, CISA recommends several proactive measures to align with Zero Trust principles:

• Isolate Control Networks: Ensure that industrial gateways and control systems are not directly accessible from the internet. Use firewalls to segment the business network from the production environment.
• Secure Remote Access: If remote access is required, utilize a secure VPN. Remember that the VPN itself must be monitored and patched regularly to prevent it from becoming a single point of failure.
• Network Monitoring: Implement a SIEM or an EDR solution capable of detecting anomalous traffic patterns, such as repeated reboot commands or unusual configuration queries on adjacent networks.

Following these MITRE ATT&CK aligned defensive strategies will reduce the SOC workload and enhance the resilience of critical manufacturing infrastructure.