Attack Chain

1. The attacker gains access to the network where the Edgenius Management Portal is deployed.
2. The attacker identifies a vulnerable ABB Edgenius Management Portal instance (versions 3.2.0.0 or 3.2.1.1).
3. The attacker crafts a malicious message designed to exploit the authentication bypass vulnerability (CVE-2025-10571).
4. The attacker sends the specially crafted message to the system node of the Edgenius Management Portal.
5. The vulnerable Edgenius Management Portal improperly processes the crafted message, bypassing authentication.
6. The attacker leverages the bypassed authentication to install and execute arbitrary code on the system.
7. The attacker uninstalls applications, further compromising the system’s functionality.
8. The attacker modifies the configuration of installed applications to maintain persistence and control.

Impact

Successful exploitation of this vulnerability allows an attacker to gain full control over the ABB Edgenius Management Portal. The attacker can install malicious software, uninstall critical applications, and modify configurations, leading to significant disruption of industrial processes, data theft, or further lateral movement within the OT network. Affected sectors include critical manufacturing and information technology, with deployments worldwide.

Recommendation

• Upgrade to ABB Ability Edgenius version 3.2.2.0 to remediate CVE-2025-10571, as this version contains the vendor fix.
• Until the upgrade is applied, disable the Edgenius Management Portal to mitigate the vulnerability as recommended by ABB.
• Minimize network exposure for all control system devices by ensuring they are not accessible from the internet, as suggested by CISA.
• Locate control system networks and remote devices behind firewalls, isolating them from business networks per CISA recommendations.
• Implement the Sigma rule “Detect ABB Edgenius Management Portal Exploitation Attempt” to identify potential exploitation attempts based on network traffic patterns.