Attack Chain

1. Attacker identifies an exposed ABB AWIN Gateway on a network (likely adjacent network).
2. Attacker sends a crafted, unauthenticated request to the targeted gateway to trigger CVE-2025-13778.
3. The ABB AWIN Gateway processes the request without authentication.
4. The gateway initiates a reboot, causing a denial-of-service condition.
5. Alternatively, the attacker sends another crafted, unauthenticated request to trigger CVE-2025-13777 or CVE-2025-13779.
6. The gateway responds to the request, disclosing sensitive system configuration information.
7. The attacker uses the disclosed information to gain further insight into the network and potentially plan further attacks.

Impact

Successful exploitation of these vulnerabilities can have significant impacts, particularly within critical manufacturing sectors where these gateways are deployed. A remote reboot (CVE-2025-13778) can disrupt operations, leading to production downtime and financial losses. Disclosure of sensitive system configuration information (CVE-2025-13777, CVE-2025-13779) can provide attackers with valuable insights, enabling them to plan further attacks, such as gaining unauthorized access to other systems or manipulating industrial processes.

Recommendation

• Immediately patch affected ABB AWIN Gateways to the fixed versions (ABB AWIN Firmware 2.1-0 installed on ABB AWIN GW100 rev. 2 and ABB AWIN Firmware 2.0-0 installed on ABB AWIN GW120) as recommended in the ABB PSIRT security advisory 4JNO000329.
• Minimize network exposure for all control system devices and systems, ensuring they are not accessible from the internet as recommended by CISA.
• Monitor network traffic for unauthenticated requests to ABB AWIN Gateways, specifically targeting endpoints related to system reboot or configuration retrieval using the provided Sigma rule.