Executive Summary
In March 2026, ABB disclosed multiple vulnerabilities in its AWIN Gateways, specifically affecting firmware versions 2.0-0 and 2.0-1 on the GW100 rev.2, and versions 1.2-0 and 1.2-1 on the GW120. These vulnerabilities include authentication bypass by capture-replay (CVE-2025-13777), missing authentication for critical functions leading to remote device reboot (CVE-2025-13778), and unauthorized access to system configurations revealing sensitive details (CVE-2025-13779). Exploitation of these flaws could allow attackers to gain unauthorized access, disrupt device operations, and expose confidential information. (library.e.abb.com)
The disclosure underscores the critical need for robust security measures in industrial control systems, as such vulnerabilities can have significant operational and safety implications. Organizations utilizing ABB AWIN Gateways should promptly apply the recommended firmware updates and review their network security protocols to mitigate potential risks.
Why This Matters Now
The vulnerabilities in ABB AWIN Gateways highlight the ongoing challenges in securing industrial control systems. Immediate attention is required to prevent potential exploitation that could lead to operational disruptions and data breaches.
Attack Path Analysis
An attacker exploits authentication bypass vulnerabilities in ABB AWIN Gateways to gain unauthorized access, escalates privileges to execute critical functions, moves laterally within the network, establishes command and control channels, exfiltrates sensitive configuration data, and causes a denial of service by remotely rebooting devices.
Kill Chain Progression
Initial Compromise
Description
The attacker exploits authentication bypass vulnerabilities (CVE-2025-13777, CVE-2025-13778) in ABB AWIN Gateways to gain unauthorized access.
Related CVEs
CVE-2025-13777
CVSS 8.3An authentication bypass by capture-replay vulnerability in ABB AWIN Gateways allows an unauthenticated attacker to reveal system configuration, including sensitive details.
Affected Products:
ABB AWIN GW100 rev.2 – 2.0-0, 2.0-1
ABB AWIN GW120 – 1.2-0, 1.2-1
Exploit Status:
no public exploitCVE-2025-13778
CVSS 6.5A missing authentication for critical function vulnerability in ABB AWIN Gateways allows an unauthenticated attacker to remotely reboot the device, potentially causing a denial of service.
Affected Products:
ABB AWIN GW100 rev.2 – 2.0-0, 2.0-1
ABB AWIN GW120 – 1.2-0, 1.2-1
Exploit Status:
no public exploitCVE-2025-13779
CVSS 8.3A missing authentication for critical function vulnerability in ABB AWIN Gateways allows an unauthenticated attacker to reveal system configuration, including sensitive details.
Affected Products:
ABB AWIN GW100 rev.2 – 2.0-0, 2.0-1
ABB AWIN GW120 – 1.2-0, 1.2-1
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploitation for Credential Access
Modify Authentication Process
Multi-Factor Authentication Interception
Use Alternate Authentication Material
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Account Management
Control ID: AC-2
PCI DSS 4.0 – Strong Authentication for Users
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.12
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
ABB AWIN Gateway vulnerabilities enable unauthenticated system access, device reboots, and configuration exposure in critical industrial control systems worldwide.
Oil/Energy/Solar/Greentech
Authentication bypass vulnerabilities in ABB gateways threaten energy infrastructure operations, enabling unauthorized control and potential service disruption attacks.
Utilities
Critical manufacturing sector gateways vulnerable to remote exploitation allowing attackers to disrupt utility operations and access sensitive system configurations.
Manufacturing
Missing authentication controls in ABB industrial gateways expose manufacturing processes to unauthorized access, system manipulation, and operational technology compromise.
Sources
- ABB AWIN Gatewayshttps://www.cisa.gov/news-events/ics-advisories/icsa-26-120-05Verified
- ABB Cyber Security Advisory 4JNO000329https://psirt.abb.com/csaf/2026/4jno000329.jsonVerified
- NVD - CVE-2025-13777https://nvd.nist.gov/vuln/detail/CVE-2025-13777Verified
- NVD - CVE-2025-13778https://nvd.nist.gov/vuln/detail/CVE-2025-13778Verified
- NVD - CVE-2025-13779https://nvd.nist.gov/vuln/detail/CVE-2025-13779Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it would likely limit the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial exploitation of authentication vulnerabilities, it would likely limit the attacker's ability to leverage this access to further compromise the network.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing strict access controls and segmenting critical functions.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely constrain the attacker's lateral movement by monitoring and controlling internal traffic flows.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to establish and maintain command and control channels by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit the attacker's ability to exfiltrate sensitive data by controlling and monitoring outbound traffic.
While Aviatrix CNSF may not prevent the initial compromise, it would likely limit the attacker's ability to disrupt operations by restricting unauthorized access to critical functions.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems Operations
- Remote Monitoring
- System Configuration Management
Estimated downtime: 2 days
Estimated loss: $50,000
System configuration details, including sensitive information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict access to critical functions and prevent unauthorized lateral movement.
- • Deploy East-West Traffic Security controls to monitor and control internal network communications, detecting and preventing lateral movement.
- • Utilize Egress Security & Policy Enforcement to control outbound traffic, preventing unauthorized data exfiltration.
- • Apply Multicloud Visibility & Control to gain comprehensive visibility into network traffic and detect anomalous behaviors.
- • Regularly update and patch systems to address known vulnerabilities and reduce the attack surface.
