CISA has issued an advisory covering three vulnerabilities in ABB AWIN Gateways (GW100 and GW120) used in critical manufacturing environments worldwide, including New Zealand sites. The flaws allow unauthenticated attackers on an adjacent network to reveal sensitive system configuration or remotely reboot the device — a direct risk to operational continuity for any NZ business running ABB-integrated building or process control systems.

What Happened

Three CVEs have been published against ABB AWIN Gateway firmware. CVE-2025-13777 (CVSS 8.3, High) is an authentication bypass caused by improper session validation, allowing an unauthenticated query to return data that should be protected. CVE-2025-13778 (CVSS 6.5, Medium) lets an unauthenticated attacker remotely reboot the gateway, causing denial of service to whatever downstream systems depend on it. CVE-2025-13779 allows unauthenticated retrieval of system configuration, including sensitive details that could support follow-on attacks.

All vulnerabilities require only adjacent network access (AV:A) with low complexity and no privileges or user interaction. That means an attacker who has already gained any foothold on the OT or shared IT/OT network — via phishing, a compromised vendor laptop, or a flat network segment — could exploit these issues directly.

Affected versions are AWIN Firmware 2.0-0 and 2.0-1 on the GW100 rev.2, and 1.2-0 and 1.2-1 on the GW120. ABB has released fixed firmware: 2.1-0 for the GW100 rev.2 and 2.0-0 for the GW120. Full details are in ABB PSIRT advisory 4JNO000329.

For NZ operators, the practical risk is twofold: information disclosure that maps the environment for an attacker, and a reliable DoS primitive against gateways that often sit between BMS, energy, or process control layers. In manufacturing, food processing, utilities, and large facilities, an unplanned reboot during a sensitive operation can have real safety and production consequences.

Key Takeaways

  • Three CVEs affect ABB AWIN GW100 rev.2 and GW120 gateways; highest is CVSS 8.3.

  • All are exploitable without authentication from an adjacent network.

  • Impacts include sensitive config disclosure and remote device reboot (DoS).

  • Fixed firmware is available: GW100 rev.2 → 2.1-0; GW120 → 2.0-0.

  • ICS gateways are frequently overlooked in patch cycles and asset inventories.

  • Adjacent-network attack vector means flat or poorly segmented networks dramatically raise risk.

What NZ Businesses Should Do

  1. Identify and patch. Audit for ABB AWIN GW100 rev.2 and GW120 devices and upgrade to the fixed firmware per ABB advisory 4JNO000329. If immediate patching isn't possible, document compensating controls and a remediation date.

  2. Segment OT from IT. Ensure AWIN gateways sit behind a firewall on a dedicated OT VLAN with strict ACLs. Block management interfaces from general corporate and guest networks.

  3. Gain visibility into OT assets and exposure. Use Trend Vision One™ Cyber Risk Exposure Management (CREM) to continuously discover internet- and network-exposed devices, prioritise by exploitability, and track remediation of advisories like this one.

  4. Detect lateral movement and protocol anomalies. Deploy Trend Vision One™ Network Security / TippingPoint® for IPS and NDR coverage at IT/OT boundaries to catch reconnaissance, replay attacks, and unauthorised queries against ICS gateways.

  5. Centralise detection and response. Feed OT and IT telemetry into Trend Vision One™ Security Operations (SecOps) so analysts can correlate gateway anomalies (unexpected reboots, config queries) with broader attack chains and respond using Agentic SOAR playbooks.

Source: Read the full article on CISA