The U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished a critical advisory from ABB on April 30, 2026, warning that three vulnerabilities in the company’s AWIN GW100 rev.2 and GW120 gateways allow an attacker on the same local network segment to steal sensitive configuration data or force a device reboot. The flaws strike at the heart of building automation systems used worldwide in commercial facilities, industrial plants, and critical infrastructure, amplifying concerns about exposed operational technology (OT) devices that often go unmonitored.
ABB’s AWIN gateways serve as protocol translators and data concentrators, bridging BACnet, Modbus, and other building management protocols to IP networks. They let facility managers monitor HVAC, lighting, energy consumption, and access control from a central dashboard. Because these devices sit at the intersection of IT and OT, a compromise can ripple outward—disrupting physical processes, exposing network blueprints, or providing a launchpad for deeper intrusions.
Vulnerability Breakdown
ABB’s advisory—indexed as ICSA-26-120-01 on CISA’s ICS portal—describes three distinct weaknesses. While the company released firmware patches in March 2026, many gateways remain unpatched. The risk is compounded by the “adjacent network” prerequisite: an attacker must already have a foothold on the local subnet, but in flat building networks, that barrier is often trivial.
| Vulnerability | CWE | CVSS 3.1 | Impact |
|---|---|---|---|
| Configuration file disclosure via unauthenticated web request | CWE-200 (Information Exposure) | 7.5 (High) | Attackers can retrieve files containing cleartext passwords, SNMP strings, and IP schemas. |
| Remote reboot via malformed packet sequence | CWE-400 (Uncontrolled Resource Consumption) | 5.3 (Medium) | An unauthenticated adjacent attacker can trigger continuous reboots, disrupting building operations. |
| Authentication bypass on administrative functions | CWE-287 (Improper Authentication) | 9.8 (Critical) | Access to firmware upload, configuration changes, and device management without credentials. |
1. Configuration File Disclosure
The gateway’s web management interface, listening on TCP/80 and TCP/443 by default, fails to enforce authentication for several file‑retrieval endpoints. By sending a crafted HTTP GET request to paths such as /backup/config.xml or /export/settings.json, an attacker on the same VLAN can download a full copy of the device configuration. These files often include the administrative password hash, SNMP community strings, BACnet MAC addresses, and backend database credentials—giving the attacker everything needed to move laterally or manipulate connected equipment.
2. Denial‑of‑Service via Reboot
Independent of the web interface, the service that handles ABB's proprietary discovery protocol (port 47808/udp) performs no rate‑limiting or input validation on malformed heartbeat packets. Sending a rapid sequence of such packets forces the gateway to reboot within 10 seconds. In test environments, the device takes approximately 90 seconds to recover, during which all monitoring and control functions are lost. Repeated attacks can keep the gateway offline indefinitely.
3. Authentication Bypass
The most severe flaw resides in the session management module. When a user logs in, the gateway returns a session token that the client must supply on subsequent requests. However, the server‑side validation routine trusts the token without verifying its origin, allowing an attacker to bypass authentication entirely by sending a static, pre‑computed token—the word “admin” hex‑encoded—on any privileged API call. This grants full administrative access, enabling firmware replacement, user creation, and firewall rule changes.
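The pattern described above, as an added illustration that is not ABB's code: a hypothetical validator that decodes and believes a client‑supplied token beside a hardened session store that only honours tokens it minted itself, with expiry and constant‑time comparison. The user table and the 15‑minute session lifetime are constructed assumptions.

```python
import hmac
import secrets
import time
from typing import Optional

USERS = {"admin"}  # constructed user table for the illustration


def validate_token_vulnerable(token: str) -> Optional[str]:
    """Flawed pattern: the token is decoded and believed on its own. The server never checks
    that it issued the token, so any client who knows a username can build an accepted one."""
    try:
        user = bytes.fromhex(token).decode()
    except ValueError:
        return None
    return user if user in USERS else None


class SessionStore:
    """Hardened pattern: tokens are unguessable, minted only by the server after a successful
    login, remembered server side with an expiry, and compared in constant time."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions = {}          # token -> (user, expiry time)
        self._ttl = ttl_seconds

    def login(self, user: str, credentials_ok: bool) -> Optional[str]:
        if not credentials_ok or user not in USERS:
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.time() + self._ttl)
        return token

    def validate(self, token: str) -> Optional[str]:
        match = next((t for t in self._sessions if hmac.compare_digest(t, token)), None)
        if match is None:
            return None                      # never issued by this server
        user, expiry = self._sessions[match]
        if time.time() > expiry:
            del self._sessions[match]        # expired: drop it and deny
            return None
        return user
```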
Affected Products and Scope
All AWIN GW100 revision 2 units running firmware earlier than version 3.2.1 (released March 15, 2026) are vulnerable. GW120 models require firmware 4.1.0 or later. ABB states that the GW200 series and newer gateways with Secure Boot are not impacted. Internet‑facing device scans using Shodan indicate over 12,000 AWIN gateways are visible, primarily in North America, Europe, and East Asia, but experts believe the true count—including those behind NAT—could be five times higher. Many of these devices are deployed in hospitals, data centers, university campuses, and large commercial offices where uninterrupted building control is mission‑critical.
Exploitation Prerequisites and Real‑World Attack Scenarios
While an attacker needs adjacency to the local subnet, modern building networks are rarely isolated. Common attack vectors include:
- An infected contractor’s laptop that is connected directly to a BACnet panel
- A compromised IoT sensor (e.g., a smart thermostat or IP camera) that shares the same VLAN
- Misconfigured wireless access points that bridge guest Wi‑Fi onto the building management network
- A supply chain attack where a vendor’s remote diagnostics tool carries malware
A particularly dangerous scenario involves the authentication bypass combined with the configuration disclosure. An intruder could first harvest the configuration file to map the building’s IP architecture and locate other vulnerable controllers, then use the gateway as a pivot point to attack higher‑level systems, such as the building management server. Ransomware actors have increasingly targeted building systems; this vulnerability set could let them lock facility managers out of their own environmental controls and demand a ransom to restore normal operations.
CISA’s Advisory and Its Implications
CISA republishes vendor advisories when the affected products are widely used in sectors deemed critical—energy, water, healthcare, and commercial facilities. The agency stopped short of adding the vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, but the language in ICSA-26-120-01 notes “low attack complexity” and “likely public exploitation.” The advisory recommends immediate patching, strict network segmentation, and disabling of unnecessary services.
“These vulnerabilities expose a common blind spot in facility operations,” said Jane Holcomb, a senior OT security analyst at Dragos. “Building automation gateways are often installed and forgotten; they rarely appear in enterprise vulnerability scans, and their firmware is updated only when something breaks. This advisory is a wake‑up call for every facility manager to inventory their OT assets.”
Mitigation Steps
ABB’s official remediation guidance, echoed by CISA, includes the following:
- Apply Firmware Updates Immediately – Download GW100 rev.2 firmware v3.2.1 and GW120 firmware v4.1.0 from ABB’s support portal (product IDs DPAGW100R2 and DPAGW120). The updates close the authentication bypass and add input validation to the discovery protocol.
- Segment the Building Automation Network – Move all AWIN devices to a dedicated management VLAN with strict ACLs. No device on the corporate LAN, guest network, or internet should reach the gateway directly. Permit only necessary protocol traffic (TCP/47808 for BACnet, for example) from trusted controllers.
- Disable Unneeded Interfaces – If web‑based management is not required daily, disable HTTP/HTTPS after updating. Use SSH or the local console for administrative tasks. Turn off SNMP and Telnet unless absolutely needed.
- Enforce Strong Access Controls – Change all default passwords immediately. Integrate AWIN authentication with a centralized RADIUS or LDAP server to enable multifactor authentication and unified credential management.
- Monitor for Anomalies – Deploy an OT‑aware intrusion detection system (IDS) that understands BACnet and Modbus protocols. Set alerts for repeated reboot log entries, HTTP requests to /export/settings.json, or any unexpected administrative login activity.
- Harden Supply Chain Practices – Require any third‑party technician to use company‑issued, trusted laptops that are scanned before connection. Implement a “quarantine first” policy for any new or returning device on the OT network.
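The monitoring step above, as an added example that is not part of the advisory: detection logic run over constructed web‑access and event log lines, flagging requests for the configuration‑export paths, bursts of reboots that would fit the discovery‑protocol denial of service, and administrative logins from hosts outside an assumed management allow‑list. The log formats, hostnames and addresses are all assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample logs (not captured from any real gateway); the line formats are assumptions:
# access log "<iso-time> <src-ip> <method> <path> <status>", event log "<iso-time> <host> <subsystem>: <message>".
ACCESS_LOG = """\
2026-05-02T08:00:01 10.10.5.23 GET /status.html 200
2026-05-02T08:00:07 10.10.5.99 GET /backup/config.xml 200
2026-05-02T08:00:09 10.10.5.99 GET /export/settings.json 200
2026-05-02T08:01:00 10.10.5.23 GET /status.html 200
"""
EVENT_LOG = """\
2026-05-02T08:10:00 gw100 system: reboot
2026-05-02T08:11:40 gw100 system: reboot
2026-05-02T08:13:20 gw100 system: reboot
2026-05-02T08:15:05 gw100 system: reboot
2026-05-02T09:30:00 gw100 auth: login user=admin src=10.10.5.99
"""
SENSITIVE_PATHS = {"/backup/config.xml", "/export/settings.json"}  # paths named in the advisory
REBOOT_THRESHOLD, REBOOT_WINDOW = 3, timedelta(minutes=10)          # N reboots inside the window -> alert
TRUSTED_ADMIN_SOURCES = {"10.10.5.23"}                              # assumed management host

def access_alerts(log: str) -> list:
    """Flag every request for a configuration-export path, whatever the response code."""
    alerts = []
    for line in log.splitlines():
        ts, src, method, path, status = line.split()
        if path in SENSITIVE_PATHS:
            alerts.append(f"{ts} config export {method} {path} from {src} (HTTP {status})")
    return alerts

def event_alerts(log: str) -> list:
    """Flag reboot bursts (possible discovery-protocol DoS) and admin logins from untrusted hosts."""
    alerts, reboots = [], deque()
    for line in log.splitlines():
        ts_s, host, msg = line.split(" ", 2)
        ts = datetime.fromisoformat(ts_s)
        if msg == "system: reboot":
            reboots.append(ts)
            while ts - reboots[0] > REBOOT_WINDOW:   # discard reboots older than the window
                reboots.popleft()
            if len(reboots) >= REBOOT_THRESHOLD:
                alerts.append(f"{ts_s} {host}: {len(reboots)} reboots within {REBOOT_WINDOW}")
                reboots.clear()
        elif msg.startswith("auth: login"):
            src = msg.split("src=")[1]
            if src not in TRUSTED_ADMIN_SOURCES:
                alerts.append(f"{ts_s} {host}: administrative login from untrusted host {src}")
    return alerts
```

Feeding the gateway's real syslog and web logs into a SIEM with these three rules gives the "repeated reboot" and "config export" alerts the advisory asks for without needing protocol‑level inspection.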
Broader Lessons for OT Security
The AWIN gateway flaws exemplify a systemic problem: embedded controllers in building systems are often the weakest links. They lack automated patch tools, run on proprietary firmware, and sit on networks that are “air‑gapped” only in theory. The advisory follows a growing list of ICS alerts for products from Siemens, Johnson Controls, and Schneider Electric—all highlighting similar authentication and denial‑of‑service issues.
Industry data shows that only 40% of facility managers perform regular vulnerability scans on their OT networks, and fewer than 15% have an accurate inventory of all connected devices. This security gap leaves thousands of gateways exposed, waiting to be found by the next opportunistic attacker.
What’s Next?
ABB has committed to an automatic update mechanism in its forthcoming AWIN Manager cloud service, but that remains in beta. In the interim, manual patching is the only path. CISA’s alert will likely trigger a spike in scanning activity by both researchers and malicious actors, making the next four weeks critical for unpatched gateways.
Organizations should treat this advisory as a pivot point to overhaul their building automation security. A comprehensive program that inventories every IP‑connected OT asset, assesses its patch state and network exposure, and enforces logical segmentation can prevent not just these three flaws but an entire class of future threats. For now, locking the door means patching the gateways, cutting off unnecessary network access, and assuming that the adjacent network is already hostile.