CISA has published an ICS advisory for a medium-severity authentication bypass vulnerability (CVE-2025-7064) in ABB Freelance Security Lock, a component used to restrict operator access on Freelance distributed control system (DCS) workstations. Every supported ABB Freelance release is affected, spanning versions from Freelance 2013 through Freelance 2024.

How the Vulnerability Works

ABB Freelance Security Lock is designed to keep operators confined to the Freelance Operations interface, preventing access to the underlying Windows operating system. The flaw, classified under CWE-305 (Authentication Bypass by Primary Weakness), allows an attacker to escape that confinement using undocumented or special key combinations available on modern keyboards. Once the Freelance Operations layer is bypassed, the attacker can interact directly with Windows OS functions and, from there, attack Freelance user management.

Exploitation requires local access and at least low-level privileges on the target system. The actual impact depends on the system configuration and the permissions assigned to the logged-in user. CISA has assigned a CVSS v3.1 base score of 6.6 (Medium), with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L; the High integrity component (I:H) explains why the flaw matters despite its Medium overall rating.

Affected Products

All versions of ABB Freelance Security Lock installed alongside any of the following ABB System releases are affected:

  • Freelance 2013 and earlier
  • Freelance 2013 SP1
  • Freelance 2016
  • Freelance 2016 SP1
  • Freelance 2019
  • Freelance 2019 SP1
  • Freelance 2019 SP1 FP1
  • Freelance 2024

Affected deployments are reported worldwide, primarily in the critical manufacturing sector. ABB is headquartered in Switzerland.

Remediation and Mitigations

ABB has published a dedicated PSIRT advisory (7PAA020361) detailing mitigations. Organizations should consult that advisory directly for vendor-specific guidance. In the interim, CISA recommends the following defensive measures:

  • Isolate ICS workstations from the internet and from corporate business networks using firewalls and network segmentation.
  • Restrict physical and local access to DCS workstations to authorized personnel only, which is the primary barrier against this local-access vulnerability.
  • Use VPNs for any required remote access, keeping VPN software updated.
  • Review and harden Windows user permission assignments on affected workstations to limit the damage achievable after an OS-layer bypass.
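The last measure is the one a workstation owner can verify locally. The PowerShell audit below is an added example written for this article (not vendor or CISA code); it checks that, should an operator escape the Freelance Operations layer, the Windows session they land in has no more rights than intended. The account and group names passed as defaults ($ExpectedAdmins, $OperatorAccounts) are placeholders to be replaced with the site's own.

```powershell
# Added example, not part of the CISA or ABB advisory: audit the local Windows
# account configuration on a DCS operator workstation so that a user who
# escapes the operator interface lands in a low-privilege Windows session.
# Requires the built-in LocalAccounts module (Windows 10 / Server 2016 and later)
# and an elevated prompt.

function Test-OperatorWorkstationPrivileges {
    param(
        # Placeholder names: replace with the accounts that are *supposed* to be local admins
        [string[]]$ExpectedAdmins   = @('Administrator', 'ENGINEERING\DcsAdmins'),
        # Placeholder names: the accounts the Freelance Operations session runs under
        [string[]]$OperatorAccounts = @('Operator')
    )
    $findings = @()
    $hostPrefix = '^' + [regex]::Escape($env:COMPUTERNAME) + '\\'

    # 1. Members of the local Administrators group that are not on the expected list.
    #    Get-LocalGroupMember reports local principals as COMPUTERNAME\Name, so the
    #    machine prefix is stripped before comparison; domain principals keep DOMAIN\Name.
    $admins = Get-LocalGroupMember -Group 'Administrators' |
        ForEach-Object { $_.Name -replace $hostPrefix, '' }
    foreach ($member in $admins) {
        if ($ExpectedAdmins -notcontains $member) {
            $findings += [pscustomobject]@{ Check = 'UnexpectedLocalAdmin'; Subject = $member }
        }
    }

    # 2. Operator accounts must never hold administrative rights: this is what
    #    bounds the damage after an OS-layer bypass.
    foreach ($op in $OperatorAccounts) {
        if ($admins -contains $op) {
            $findings += [pscustomobject]@{ Check = 'OperatorIsAdmin'; Subject = $op }
        }
    }

    # 3. Enabled local accounts whose password never expires (stale shared logins
    #    are a common finding on long-lived DCS workstations).
    Get-LocalUser |
        Where-Object { $_.Enabled -and (-not $_.PasswordExpires) } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Check = 'PasswordNeverExpires'; Subject = $_.Name }
        }

    # 4. Remote access should go through the site's VPN and named engineering
    #    accounts; operator accounts in Remote Desktop Users widen the exposure.
    $rdpUsers = Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Name -replace $hostPrefix, '' }
    foreach ($op in $OperatorAccounts) {
        if ($rdpUsers -contains $op) {
            $findings += [pscustomobject]@{ Check = 'OperatorHasRdp'; Subject = $op }
        }
    }

    return $findings
}

# Usage: run on each affected workstation and review anything that comes back.
Test-OperatorWorkstationPrivileges | Format-Table -AutoSize
```

An empty result means the workstation matches the expected account layout; each returned row names one deviation to fix (remove the unexpected admin, move the operator account out of the privileged group, set a password policy, or remove the remote-desktop right). Running the function from a central script against every Freelance workstation turns the CISA recommendation into a repeatable check rather than a one-off review.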

The vulnerability was discovered and reported to ABB by security researcher Gergely Regweld Szini.