2026-07-15 · view entry permalink →
CISA ICS batch (14 Jul): Rockwell 1715-AENTR unauthenticated debug-port takeover (CVE-2026-10577, CVSS 10.0, fixed in firmware 3.011) and a Swiss-vendor ABB T-MAC Plus auth chain (CVSS 9.9)
CISA published four Industrial Control Systems advisories on 2026-07-14, each a verbatim republication of a vendor PSIRT bulletin, that land squarely on this constituency's energy and water sectors and on a Swiss-headquartered vendor (CISA, 2026-07-14). The most severe is CVE-2026-10577 in the Rockwell Automation 1715-AENTR EtherNet/IP Adapter (all versions ≤ 3.003), rated CVSS v3.1 10.0 for missing authentication on a critical function (CWE-306): a network-accessible debug port exposes intrusive CLI commands with no authentication, so an unauthenticated remote attacker can "read or delete files, stop tasks, modify memory, and change I/O states" on the device (CISA / Rockwell PSIRT, 2026-07-14). The advisory names the affected sectors as Energy, Water and Wastewater, and Critical Manufacturing; Rockwell fixes it in firmware version 3.011 and CISA additionally recommends network isolation for devices that cannot be upgraded immediately (CISA / Rockwell PSIRT SD1785, 2026-07-14). No known public exploitation has been reported to CISA.
Separately, ABB T-MAC Plus 4.0-24 (fixed in 4.0-25) — a Terminal Management System operating chemical/petroleum terminals, pipeline and refinery tankage, bulk plants and hydrogen terminals — is subject to four flaws responsibly disclosed by Angelo Catalani of Italy's national cybersecurity agency (ACN): CVE-2025-14771 (CVSS 9.9, a low-privilege authenticated file disclosure via a crafted HTTP GET against the web application, CWE-552), CVE-2025-14772 (CVSS 8.8, broken access control letting a low-privilege user perform administrative operations, CWE-639), CVE-2025-14773 (CVSS 8.0, stored cross-site scripting) and CVE-2025-14774 (CVSS 7.4, an adjacent-network denial of service of the Card Reader service caused by an unencrypted communication protocol) (CISA / ABB PSIRT, 2026-07-14). ABB states exploitation requires network or physical access to the terminal LAN rather than internet reachability, and that an update resolves the set. The same day, ABB shipped a fix in Ability Edgenius (fixed in 3.2.4.1) for the previously-disclosed CVE-2026-31431 "Copy Fail" Linux-kernel algif_aead local root-escalation flaw — new here only in that a specific Swiss-vendor OT product is now named as an affected instance (CISA / ABB PSIRT, 2026-07-14) — and a low-severity (CVSS 4.4) DLL search-path fix (CVE-2025-13162) in 800xA for Advant Master / Control Builder A (CISA / ABB PSIRT, 2026-07-14).
Successful exploitation of this vulnerability could allow an attacker to read or delete files, stop tasks, modify memory, and change I/O states, potentially impacting the confidentiality, integrity, and availability of the device.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.