top of page
Search

CISA Republished ABB AWIN — Three Adjacent-Network Vulns in OT Gateways

  • Writer: Patrick Duggan
    Patrick Duggan
  • 2 minutes ago
  • 3 min read

# CISA Republished ABB AWIN — Three Adjacent-Network Vulns in OT Gateways


CISA republished ABB's industrial control system advisory on April 30, 2026, covering three vulnerabilities in ABB AWIN GW100 rev.2 and GW120 firmware. The CVEs — CVE-2025-13777, CVE-2025-13778, and CVE-2025-13779 — were originally documented by ABB on March 11, 2026, in document 4JNO000329 rev. A. CISA's republication is the federal-level urgency signal: the patches matter, deploy them.


What the three CVEs do



  • CVE-2025-13777 — authentication bypass via improper session validation. Unauthenticated queries reveal data the gateway shouldn't surface to anonymous adjacent-network sources.

  • CVE-2025-13778 — device reboot control. An unauthenticated adjacent attacker can issue a reboot command, denying availability of the gateway and any downstream OT systems depending on it.

  • CVE-2025-13779 — unauthenticated access to system configuration. The full configuration of the gateway, including sensitive details about downstream OT infrastructure, is readable without authentication.


The highest-severity issues carry CVSS 3.1 scores of 8.3. Attack vector is adjacent network, complexity is low, no privileges required, no user interaction required.


Why "adjacent network" is the realistic attacker model in OT



In a non-OT context, "adjacent network" means an attacker has to be on the same broadcast domain as the target. That sounds like a high bar.


In OT, it's the normal attacker model. Industrial control networks are routinely flat — the AWIN gateway sits on the same VLAN as the PLCs, the engineering workstations, the historians, the HMIs, and a long tail of legacy field devices that nobody refreshes. Once an attacker gains a foothold on any device on that VLAN — a Windows engineering workstation that ran an outdated browser, a vendor laptop plugged in for maintenance, a misconfigured remote access concentrator — the attacker is now adjacent-network to every other device on the segment.


So "adjacent network" CVSS 8.3 in OT translates to "if the attacker breaches anything else on the segment, they can dump your entire AWIN configuration and reboot your gateway." That's a higher impact than the CVSS rating suggests, especially for sites that depend on the gateway for any time-sensitive control function.


This is the same pattern we documented for the Iranian-affiliated PLC targeting in the joint advisory AA26-097A (April 7, 2026) — the actor doesn't need to RCE the PLC; they need to land anywhere on the OT VLAN and use legitimate engineering protocols to disrupt operations. ABB AWIN sitting unauthenticated on the same VLAN as the PLCs is exactly the kind of leverage an actor like CL-STA-1128 / Cyber Av3ngers / Storm-0784 would build a campaign around.


Affected versions



  • AWIN Firmware 2.0-0 and 2.0-1 on ABB AWIN GW100 rev.2

  • AWIN Firmware 1.2-0 and 1.2-1 on ABB AWIN GW120


Fixed versions



  • ABB AWIN GW100 rev.2: upgrade to AWIN Firmware 2.1-0

  • ABB AWIN GW120: upgrade to AWIN Firmware 2.0-0


The patches were available March 11. CISA republishing on April 30 is the "you have not patched fast enough" reminder.


What we recommend if you operate ABB AWIN



  • Inventory immediately. Find every AWIN GW100 rev.2 and GW120 in your environment. Document firmware versions. Without an inventory you cannot prioritize.


  • Patch all gateways to the fixed firmware. Both GW100 rev.2 → 2.1-0 and GW120 → 2.0-0. The patches were public seven weeks ago; there is no acceptable engineering reason still in flight to delay deployment.


  • Segment the OT VLAN harder. Even after patching, unauthenticated adjacent-network access to industrial gateways is a posture you should not have. Move the AWIN gateways behind a stricter network access control (802.1X, separate VLAN with allow-list rules, or a firewall enforcing source-IP allow-listing) so that "adjacent network" is no longer the realistic attacker model.


  • Audit who is on the OT VLAN. Every Windows machine, every vendor laptop dock, every wireless access point bridged into the segment is now part of your AWIN gateway's threat model. Reduce the surface.


  • Watch for ABB AWIN-targeting indicators in our IOC pipeline. If any of the three CVEs are added to CISA's KEV catalog with active-exploitation tagging, our cisa_kev index reflects it within the day. The free STIX feed at https://analytics.dugganusa.com/stix/register carries this if you want it pulled into your SIEM directly.


What this fits into



This is the third week running of ICS/OT-specific federal advisories with adjacent-network exploitation models. Iran's PLC campaign (April 7), the broader China-nexus covert-network advisory (AA26-113A, April 23), and now ABB AWIN. The signal is clear: federal agencies are publishing OT vulnerabilities at a faster cadence than asset owners are patching, and the actors are reading the same advisories the defenders are.


Adjacent-network is the OT attacker model. ABB AWIN unauthenticated configuration disclosure is a starting position, not a final position. Patch, segment, audit. Then patch again next week when the next OT CVE drops.


The fixed firmware exists. The CVE IDs are public. Whether your ABB AWIN deployment makes it through the next quarter depends on your patch cadence, not on the adversary's ingenuity.





Her name was Renee Nicole Good.


His name was Alex Jeffery Pretti.

 
 
 
bottom of page