
ABB OPTIMAX Authentication Bypass and the Cost of Azure AD SSO in OT Environments


CVE-2025-14510, disclosed by CISA on 30 April 2026, allows an unauthenticated attacker to bypass user authentication in ABB Ability OPTIMAX 6.1 through 6.4 when Azure Active Directory Single-Sign On integration is enabled. EU water and energy operators running affected OPTIMAX versions need to assess patch availability immediately, as versions 6.1 and 6.2 have no fixed release listed.

What happened

On 30 April 2026, CISA published a coordinated batch of six ICS advisories covering ABB products deployed across energy, water, and manufacturing sectors. The highest-severity finding relevant to water and energy operators is ICSA-26-120-04, covering ABB Ability OPTIMAX [1]. The vulnerability, CVE-2025-14510, carries a CVSS v3.1 base score of 8.1 (HIGH) and enables complete authentication bypass against OPTIMAX installations that use the Azure Active Directory SSO integration [1].

ABB PSIRT self-reported this vulnerability to CISA. The affected version range spans OPTIMAX 6.1 (all builds), OPTIMAX 6.2 (all builds), OPTIMAX 6.3 prior to build 6.3.1-251120, and OPTIMAX 6.4 prior to build 6.4.1-251120 [1]. Fixed builds exist only for the 6.3 and 6.4 tracks. Operators on 6.1 or 6.2 receive no patch under the current remediation plan and must rely on network-level mitigations until they migrate.

The same batch included three additional advisories that compound the ABB exposure picture for the same critical infrastructure sectors. CVE-2025-3756 in ABB System 800xA and Symphony Plus products allows denial-of-service against IEC 61850 MMS interfaces when an attacker has access to the IEC 61850 network segment, affecting PM 877, CI850, and CI868 modules [2]. ICSA-26-120-06 documents four PostgreSQL-layer vulnerabilities in ABB Ability Symphony Plus S+ Engineering, the most severe being CVE-2023-5869 with a CVSS v3.1 score of 8.8, which allows arbitrary code execution via integer overflow when an authenticated database user can supply crafted data [3]. The ABB AWIN GW100 and GW120 gateways carry CVE-2025-13777, enabling unauthenticated configuration disclosure via session validation bypass, and CVE-2025-13778, enabling unauthenticated remote reboot, both at CVSS 8.3 [4].

Five days later, on 5 May 2026, CISA published ICSA-26-125-03 covering CVE-2025-11044 in ABB B&R Automation Runtime, a resource exhaustion flaw in the ANSL-Server component that an unauthenticated network attacker can exploit to cause permanent denial-of-service conditions [5]. B&R notes that shorter cycle times increase exploitation likelihood and that the component is designed for Level 1 of the ABB ICS Cyber Security Reference Architecture - meaning exploitation from outside Level 1 requires bypassing the Control Network Firewall first [5].

Technical detail

CVE-2025-14510 is classified under CWE-303: Incorrect Implementation of Authentication Algorithm. The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [1]. Attack Complexity is marked HIGH, which in CVSS terms means the attacker must meet specific preconditions beyond simple network access - here, that precondition is the Azure AD SSO integration being enabled. Where that integration is active, authentication is entirely bypassed with no privileges required and no user interaction.

ABB OPTIMAX is an optimization and energy management platform commonly deployed in district heating, power generation, and water treatment facilities. Its Azure AD SSO support is a feature added to align with enterprise identity federation practices - the same convergence between IT identity management and OT application authentication that NIS2 implementation guidance has pushed as a hardening measure. The irony is precise: correct security hygiene in IT (federated SSO with a major identity provider) introduced an authentication flaw when that provider's token handling was implemented incorrectly at the OPTIMAX layer.

The fix builds (6.3.1-251120 and 6.4.1-251120) are named with a date suffix suggesting a November 2025 build date. The CISA advisory was published April 2026. That gap warrants a direct question to ABB account managers: when was the fixed build made available to customers with active support contracts, and what proactive notification was sent?

For the Symphony Plus S+ Engineering PostgreSQL chain, CVE-2023-5869 is a PostgreSQL 13.11 upstream vulnerability from 2023 that ABB inherited through a bundled database dependency [3]. ABB's remediation - upgrade to S+ Engineering 2.4 SP2 RU1, released December 2024 - was also delayed relative to the upstream PostgreSQL patch. Operators running S+ Engineering 2.2 through 2.4 SP2 remain exposed until they apply the update. No workaround is available for this advisory [3].

The AWIN gateway flaws (CVE-2025-13777 and CVE-2025-13778) are in the GW100 rev.2 and GW120 models running firmware 2.0-0, 2.0-1, 1.2-0, and 1.2-1. The authentication bypass via capture-replay (CWE-294) allows unauthenticated query of system configuration including sensitive details. The unauthenticated reboot vector is a separate CVE on the same firmware path [4]. Fixed firmware is available: GW100 rev.2 requires 2.1-0 and GW120 requires firmware build 2.0-0 under the new product ID 3BNP103003R1 [4].

EU context

NIS2 Article 21 requires essential and important entities to implement appropriate technical and organisational measures, including vulnerability handling and patch management processes. The ABB OPTIMAX batch is a concrete test case for how water and energy operators in EU member states operationalise that obligation. The advisory was published 30 April 2026. NIS2-regulated operators are expected to have processes for ingesting CISA ICS advisories, cross-referencing their asset inventories, and triaging within a defined window - not waiting for a vendor account manager to call.

Lithuanian operators fall under TIS2 (the national Cybersecurity Law transposing NIS2), with NKSC as the competent authority for the water and energy sectors. TIS2 sector-specific bylaws require operators to maintain vulnerability management procedures and report significant incidents within 24 hours of awareness. An operator who learns of CVE-2025-14510 through the CISA advisory and determines that Azure AD SSO is enabled on their OPTIMAX installation has a material exposure that should trigger an internal risk assessment and potentially a notification to NKSC if exploitation would constitute a significant incident under the applicable threshold.

The cluster also has relevance to the EU Cyber Resilience Act. OPTIMAX is a connected product in the CRA sense - it integrates with a cloud identity service (Azure AD) and is deployed in critical infrastructure. CRA Article 13 will require manufacturers to address vulnerabilities without delay and notify the relevant CSIRT. ABB's self-reporting through PSIRT to CISA represents current good practice; the CRA will codify and extend this obligation once it enters the applicability period for industrial software products.

Energy sector operators should also note that the ENISA NIS2 implementation guidance for energy emphasises supply chain risk management. A bundled PostgreSQL version at 13.11 with a known 2023 CVE (8.8 CVSS) in a product shipped through 2024 is precisely the dependency management gap that ENISA's sectoral guidance addresses. The question for procurement officers renewing ABB support contracts is whether software bill of materials (SBOM) delivery is now a contract requirement.

Sectoral implication

For water and energy sectoral SOCs running ABB OPTIMAX, the immediate action sequence is straightforward. First, determine whether Azure AD SSO integration is active on any OPTIMAX deployment. This is a configuration question that can be answered by the responsible OT engineer without vendor involvement. If SSO is disabled, the CVE-2025-14510 attack surface does not exist. If SSO is active, determine the installed version and prioritise upgrade to 6.3.1-251120 or 6.4.1-251120 if on those tracks. If running 6.1 or 6.2, escalate to ABB immediately to understand the migration path, and in the interim disable Azure AD SSO and revert to local authentication.
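The triage sequence above, written out as an inventory check. This is an added example, not ABB tooling: the fixed builds and unfixed tracks are taken from the advisory summary on this page, while the inventory record layout, the hostnames, and the assumption that a build's YYMMDD suffix orders builds within a track are constructed for illustration.

```python
"""Triage OPTIMAX assets against CVE-2025-14510 (added example, not ABB tooling).

Fixed builds and unfixed tracks come from the advisory summary; the inventory
record layout and the YYMMDD build-suffix ordering are assumptions.
"""
import re

FIXED_BUILDS = {"6.3": "6.3.1-251120", "6.4": "6.4.1-251120"}
UNFIXED_TRACKS = {"6.1", "6.2"}          # no fixed release listed by ABB
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d{6})$")


def parse_build(build):
    """'6.3.1-251120' -> (6, 3, 1, 251120). Raises ValueError on other shapes."""
    m = _BUILD_RE.match(build)
    if not m:
        raise ValueError(f"unrecognised OPTIMAX build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def triage(asset):
    """Return (priority, action) for one asset record {host, build, azure_ad_sso}."""
    if not asset["azure_ad_sso"]:
        return ("none", "Azure AD SSO disabled: CVE-2025-14510 attack surface absent")
    parsed = parse_build(asset["build"])
    track = f"{parsed[0]}.{parsed[1]}"
    if track in UNFIXED_TRACKS:
        return ("critical", "No fixed build on this track: disable Azure AD SSO, "
                            "revert to local authentication, escalate migration with ABB")
    fixed = FIXED_BUILDS.get(track)
    if fixed is None:
        return ("review", f"Track {track} not covered by the advisory; confirm with ABB")
    if parsed >= parse_build(fixed):
        return ("none", f"Build is at or above fixed build {fixed}")
    return ("high", f"Upgrade to {fixed}; disable SSO or restrict network access until then")


# Constructed inventory for demonstration; hostnames and builds are made up.
INVENTORY = [
    {"host": "optimax-dh-01",  "build": "6.2.0-240315", "azure_ad_sso": True},
    {"host": "optimax-dh-02",  "build": "6.3.0-250102", "azure_ad_sso": True},
    {"host": "optimax-wtp-01", "build": "6.4.1-251120", "azure_ad_sso": True},
    {"host": "optimax-wtp-02", "build": "6.4.0-250601", "azure_ad_sso": False},
]

if __name__ == "__main__":
    for a in INVENTORY:
        prio, action = triage(a)
        print(f"{a['host']:<16} {a['build']:<14} {prio:<9} {action}")
```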

For AWIN GW100 and GW120 gateways, the firmware upgrade requirement is clear and the fixed versions are available now. These are network-attached gateways; unauthenticated configuration disclosure and unauthenticated reboot on a gateway-class device in a water or energy network is a high-priority remediation item regardless of compensating network segmentation.

SOC monitoring teams should add detection logic for anomalous authentication events against OPTIMAX endpoints - specifically, sessions that originate without a corresponding Azure AD token exchange visible in the identity provider logs. If your SIEM ingests Azure AD sign-in logs alongside OT application logs, a gap in the expected token chain for an OPTIMAX session is a detectable signal. This is not a guarantee of exploit detection, but it narrows the blind spot.
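The token-chain gap described above, as an added correlation example that is not part of the original post. The two event shapes and the sample events are constructed assumptions: real OPTIMAX application logs and Azure AD sign-in logs use different field names, so normalise them into this shape in the SIEM first.

```python
"""Flag OPTIMAX sessions with no matching Azure AD token exchange.

Added example, not vendor code. The event shapes below are assumptions:
real OPTIMAX application logs and Azure AD sign-in logs carry different
fields, so map them into this shape in the SIEM before correlating.
"""
from datetime import datetime, timedelta

# Constructed sample events (UTC): one legitimate session, one session whose
# only sign-in attempt failed, and one session with no sign-in at all.
AAD_SIGNINS = [
    {"ts": "2026-05-01T08:00:05Z", "user": "ops.engineer@utility.example",
     "app": "ABB OPTIMAX", "result": "success"},
    {"ts": "2026-05-01T08:30:00Z", "user": "j.smith@utility.example",
     "app": "ABB OPTIMAX", "result": "failure"},
]
OPTIMAX_SESSIONS = [
    {"ts": "2026-05-01T08:00:12Z", "user": "ops.engineer@utility.example", "sid": "s-1001"},
    {"ts": "2026-05-01T08:30:20Z", "user": "j.smith@utility.example", "sid": "s-1002"},
    {"ts": "2026-05-01T09:15:44Z", "user": "admin@utility.example", "sid": "s-1003"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def sessions_without_token_exchange(sessions, signins, app="ABB OPTIMAX",
                                    window=timedelta(minutes=5)):
    """Return session ids with no successful Azure AD sign-in to `app` by the
    same account within `window` before the session started. A gap in the
    expected token chain is a signal to investigate, not proof of exploitation."""
    successes = [(s["user"].lower(), _parse(s["ts"])) for s in signins
                 if s["app"] == app and s["result"] == "success"]
    flagged = []
    for sess in sessions:
        start = _parse(sess["ts"])
        user = sess["user"].lower()
        if not any(u == user and start - window <= t <= start for u, t in successes):
            flagged.append(sess["sid"])
    return flagged


if __name__ == "__main__":
    for sid in sessions_without_token_exchange(OPTIMAX_SESSIONS, AAD_SIGNINS):
        print(f"ALERT: OPTIMAX session {sid} has no matching Azure AD sign-in")
```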

For operators managing Symphony Plus S+ Engineering environments, apply the 2.4 SP2 RU1 update released December 2024. The PostgreSQL dependency chain means the exposure is at the database layer; restricting network access to the S+ client/server network is the stated mitigating factor, but it is not a substitute for patching where upgrade is feasible [3].

Finally, the B&R Automation Runtime DoS flaw (CVE-2025-11044) should be prioritised for manufacturing and process automation environments where shorter PLC cycle times are configured. B&R's own guidance states that shorter cycle times increase exploitation likelihood, which means high-performance process control applications are the highest-risk deployments [5]. The firewall-based mitigations (limiting concurrent connections to the ANSL-Server, capping traffic at 80% of measured peak) are specific enough to implement as interim controls while patch scheduling proceeds.

Sources

  1. [1] ABB Ability OPTIMAX. CISA ICS Advisories, 30 Apr 2026.
  2. [2] ABB System 800xA, Symphony Plus IEC 61850. CISA ICS Advisories, 30 Apr 2026.
  3. [3] ABB Ability Symphony Plus Engineering. CISA ICS Advisories, 30 Apr 2026.
  4. [4] ABB AWIN Gateways. CISA ICS Advisories, 30 Apr 2026.
  5. [5] ABB B&R Automation Runtime. CISA ICS Advisories, 05 May 2026.