Threat Advisory

ABB T-MAC Plus Vulnerabilities Trigger Administrative Features Exploitation

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT, Critical Infrastructure
Criticality: Critical


EXECUTIVE SUMMARY:

Multiple vulnerabilities have been identified in the ABB T-MAC Plus terminal management system, version 4.0-25 and earlier releases. The flaws span file disclosure, broken access control, and denial-of-service weaknesses that can be triggered via the web interfaces or the card-reader communication daemon. An authenticated low-privilege user may exfiltrate database records or perform administrative actions, while unauthenticated attackers on the local network can disrupt card-reader services. Exploitation could lead to loss of sensitive operational data, unauthorized configuration changes, and production downtime, exposing industrial operators to regulatory penalties, reputational damage, and financial loss.

CVE-2025-14771 with a CVSS score of 9.9: a file disclosure bug allows authenticated users to exfiltrate database records via crafted HTTP requests; exploitation requires a valid low-privilege account.

CVE-2025-14772 with a CVSS score of 8.8: a broken access control flaw in the web application permits unprivileged users to perform administrative operations, enabling privilege escalation without additional authentication.

CVE-2025-14774 with a CVSS score of 7.4: a denial-of-service flaw in the card-reader communications daemon lets an unauthenticated attacker on the local network flood the service, causing hardware units to become unavailable.

RECOMMENDATION:

  • We recommend updating ABB T-MAC Plus to version 4.0-25 or later.

REFERENCES:

The following reports contain further technical details:

https://securityonline.info/abb-t-mac-plus-vulnerabilities/
