CISA ICS batch (14 Jul): Rockwell 1715-AENTR unauthenticated debug-port takeover (CVE-2026-10577, CVSS 10.0, fixed in firmware 3.011) and a Swiss-vendor ABB T-MAC Plus auth chain (CVSS 9.9)
CISA published four Industrial Control Systems advisories on 2026-07-14, each a verbatim republication of a vendor PSIRT bulletin, that land squarely on this constituency's energy and water sectors and on a Swiss-headquartered vendor (CISA, 2026-07-14). The most severe is CVE-2026-10577 in the Rockwell Automation 1715-AENTR EtherNet/IP Adapter (all versions ≤ 3.003), rated CVSS v3.1 10.0 for missing authentication on a critical function (CWE-306): a network-accessible debug port exposes intrusive CLI commands with no authentication, so an unauthenticated remote attacker can "read or delete files, stop tasks, modify memory, and change I/O states" on the device (CISA / Rockwell PSIRT, 2026-07-14). The advisory names the affected sectors as Energy, Water and Wastewater, and Critical Manufacturing; Rockwell fixes it in firmware version 3.011 and CISA additionally recommends network isolation for devices that cannot be upgraded immediately (CISA / Rockwell PSIRT SD1785, 2026-07-14). No known public exploitation has been reported to CISA.
Separately, ABB T-MAC Plus 4.0-24 (fixed in 4.0-25) — a Terminal Management System operating chemical/petroleum terminals, pipeline and refinery tankage, bulk plants and hydrogen terminals — is subject to four flaws responsibly disclosed by Angelo Catalani of Italy's national cybersecurity agency (ACN): CVE-2025-14771 (CVSS 9.9, a low-privilege authenticated file disclosure via a crafted HTTP GET against the web application, CWE-552), CVE-2025-14772 (CVSS 8.8, broken access control letting a low-privilege user perform administrative operations, CWE-639), CVE-2025-14773 (CVSS 8.0, stored cross-site scripting) and CVE-2025-14774 (CVSS 7.4, an adjacent-network denial of service of the Card Reader service caused by an unencrypted communication protocol) (CISA / ABB PSIRT, 2026-07-14). ABB states exploitation requires network or physical access to the terminal LAN rather than internet reachability, and that an update resolves the set. The same day, ABB shipped a fix in Ability Edgenius (fixed in 3.2.4.1) for the previously-disclosed CVE-2026-31431 "Copy Fail" Linux-kernel algif_aead local root-escalation flaw — new here only in that a specific Swiss-vendor OT product is now named as an affected instance (CISA / ABB PSIRT, 2026-07-14) — and a low-severity (CVSS 4.4) DLL search-path fix (CVE-2025-13162) in 800xA for Advant Master / Control Builder A (CISA / ABB PSIRT, 2026-07-14).
Successful exploitation of this vulnerability could allow an attacker to read or delete files, stop tasks, modify memory, and change I/O states, potentially impacting the confidentiality, integrity, and availability of the device.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
Defender actions
- Upgrade every Rockwell 1715-AENTR EtherNet/IP Adapter (firmware ≤ 3.003) to firmware 3.011; until the OT change window allows it, confirm the adapter does not answer on a routable or business-network segment and restrict its debug/CLI port to the specific engineering-workstation IPs at the switch/firewall.
- Update any ABB T-MAC Plus 4.0-24 terminal-management system to the fixed 4.0-25 release, and update ABB Ability Edgenius to 3.2.4.1.
ATT&CK mapping
2 techniques mapped from the cited reporting · MITRE ATT&CK v19.1
Initial Access TA0001
T1190Exploit Public-Facing Application
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.
Privilege Escalation TA0004
T1068Exploitation for Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Sources
AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.