Skip to main content

ABB T-MAC Plus CVE-2025-14773

| EUVDEUVD-2025-210046 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-03 ABB GHSA-ch6v-382r-q8r4
7.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Updated
Jun 03, 2026 - 11:29 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 11:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 11:22 vuln.today
cvss_changed
CVSS changed
Jun 03, 2026 - 11:22 NVD
8.0 (HIGH) 7.2 (HIGH)
Analysis Generated
Jun 03, 2026 - 11:01 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in ABB T-MAC Plus.

This issue affects T-MAC Plus: 4.0-24.

AnalysisAI

Stored/reflected cross-site scripting in ABB T-MAC Plus version 4.0-24 allows authenticated low-privileged attackers to inject malicious script content into the web management interface, which executes in the browsers of other users who interact with the affected pages. With a CVSS 4.0 base score of 7.2 and no public exploit identified at time of analysis, the flaw is notable because successful exploitation impacts both the vulnerable component and downstream subsequent systems with high integrity and availability consequences, reflecting the operational-technology context typical of ABB industrial products.

Technical ContextAI

T-MAC Plus is an ABB industrial monitoring/management product exposing a web-based interface (CPE cpe:2.3:a:abb:t-mac_plus). The root cause is CWE-79, improper neutralization of user-controlled input during HTML page generation: the application embeds attacker-supplied data into rendered web pages without adequate output encoding or context-aware sanitization, allowing browser execution of injected JavaScript. Because the affected component is the management plane of an OT/automation device, script execution in an operator's session can be leveraged to issue privileged actions against the underlying system, which explains the elevated VI:H/VA:H and subsequent-system SI:H/SA:H ratings in the CVSS 4.0 vector.

RemediationAI

Patch status is not explicitly declared in the supplied data, so treat this as: patch availability should be confirmed via the ABB advisory at https://search.abb.com/library/Download.aspx?DocumentID=9AKK108472A7840&LanguageCode=en&DocumentPartId=&Action=Launch and any fixed version applied as soon as released by the vendor. As compensating controls until a fix is verified, restrict network access to the T-MAC Plus web management interface to a dedicated OT management VLAN or jump host (trade-off: operators must use the bastion to reach the UI), enforce least-privilege accounts so few users have the low-privilege access PR:L requires, instruct operators not to follow untrusted links or open unexpected items inside the T-MAC Plus UI (trade-off: relies on user discipline), and consider deploying a reverse proxy or WAF in front of the interface to filter script payloads in request/response bodies (trade-off: may break legitimate UI features and requires tuning). Browser-side mitigations such as enforcing a strict Content-Security-Policy via the proxy can reduce script execution impact but may also disable parts of the management UI.

More in Abb

View all
CVE-2012-0245 CRITICAL
10.0 Mar 09

Multiple stack-based buffer overflows in RobNetScanHost.exe in ABB Robot Communications Runtime before 5.14.02, as used

CVE-2024-6298 CRITICAL POC
9.4 Jul 05

Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series v3.08.

CVE-2024-6209 CRITICAL POC
9.4 Jul 05

Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series v3.08.

CVE-2017-17888 HIGH POC
8.8 Dec 27

cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on NetBiter / HMS, Ouman EH-net, Alliance System WS100 --> AWU 500,

CVE-2019-7225 HIGH POC
8.8 Jun 27

The ABB HMI components implement hidden administrative accounts that are used during the provisioning phase of the HMI i

CVE-2019-7226 HIGH POC
8.8 Jun 27

The ABB IDAL HTTP server CGI interface contains a URL that allows an unauthenticated attacker to bypass authentication a

CVE-2019-7228 HIGH POC
8.8 Jun 27

The ABB IDAL HTTP server mishandles format strings in a username or cookie during the authentication process. Rated high

CVE-2019-7232 HIGH POC
8.8 Jun 24

The ABB IDAL HTTP server is vulnerable to a buffer overflow when a long Host header is sent in a web request. Rated high

CVE-2019-7230 HIGH POC
8.8 Jun 24

The ABB IDAL FTP server mishandles format strings in a username during the authentication process. Rated high severity (

CVE-2024-4007 HIGH POC
8.7 Jul 01

Default credential in install package in ABB ASPECT; NEXUS Series; MATRIX Series version 3.07 allows attacker to login t

CVE-2019-7229 HIGH POC
8.3 Jun 24

The ABB CP635 HMI uses two different transmission methods to upgrade its firmware and its software components: "Utilizat

CVE-2019-18997 HIGH POC
7.5 Dec 18

The HMISimulator component of ABB PB610 Panel Builder 600 uses the readFile/writeFile interface to manipulate the work f

Share

CVE-2025-14773 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy