Summary
B&R is aware of a vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploits this vulnerability could make the OPC-UA server of the product inaccessible.
The following versions of B&R PPT30 Operating System are affected:
- PPT30 Operating System: versions prior to 1.8.0 (CVE-2025-11482)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 7.5 | B&R Industrial Automation GmbH | B&R PPT30 Operating System | Allocation of Resources Without Limits or Throttling |
Background
- Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland
Vulnerabilities
CVE-2025-11482
An Allocation of Resources Without Limits or Throttling vulnerability in the OPC-UA server used in PPT30 Operating System versions before 1.8.0 may be used by an unauthenticated, network-based attacker to permanently prevent legitimate users from interacting with the service.
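As an added illustration of the weakness class named above (CWE-770), and not code from B&R or the PPT30 OPC-UA server, the following constructed Python example contrasts a session-accepting service that grants every request with one that bounds sessions per peer and in total and reclaims idle ones. The resource budget, limits, addresses and timings are all assumed values chosen for the simulation; the advisory says nothing about how the real server allocates sessions, so this shows only why an unauthenticated peer can wedge an unbounded service and how a bounded one recovers.

```python
"""Constructed example for CWE-770: unbounded vs. bounded session allocation.
Not the PPT30 OPC-UA server's code; every limit and address below is assumed."""

FD_BUDGET = 1000  # hypothetical OS budget (sockets/handles/memory) shared by all sessions


class UnboundedSessionServer:
    """Vulnerable pattern: every session request is granted and nothing is ever
    reclaimed, so one unauthenticated peer can exhaust the shared budget for good."""

    def __init__(self, fd_budget=FD_BUDGET):
        self.fd_budget = fd_budget
        self.sessions = {}   # session_id -> (peer_ip, last_activity)
        self._next_id = 0

    def open_session(self, peer_ip, now):
        if len(self.sessions) >= self.fd_budget:
            return None      # budget gone: the service is wedged for everyone
        self._next_id += 1
        self.sessions[self._next_id] = (peer_ip, now)
        return self._next_id


class BoundedSessionServer:
    """Hardened pattern: per-peer cap, global cap below the OS budget, and
    idle-timeout reclamation so a silent flood frees itself."""

    def __init__(self, fd_budget=FD_BUDGET, max_total=200, max_per_peer=5, idle_timeout=30.0):
        if max_total >= fd_budget:
            raise ValueError("max_total must leave headroom below the OS budget")
        self.max_total = max_total
        self.max_per_peer = max_per_peer
        self.idle_timeout = idle_timeout
        self.sessions = {}   # session_id -> (peer_ip, last_activity)
        self.per_peer = {}   # peer_ip -> open session count
        self._next_id = 0

    def _expire_idle(self, now):
        stale = [sid for sid, (_, last) in self.sessions.items() if now - last > self.idle_timeout]
        for sid in stale:
            self.close_session(sid)

    def open_session(self, peer_ip, now):
        self._expire_idle(now)
        if self.per_peer.get(peer_ip, 0) >= self.max_per_peer:
            return None      # this peer already holds its share
        if len(self.sessions) >= self.max_total:
            return None      # global cap; idle sessions will free slots later
        self._next_id += 1
        self.sessions[self._next_id] = (peer_ip, now)
        self.per_peer[peer_ip] = self.per_peer.get(peer_ip, 0) + 1
        return self._next_id

    def touch(self, sid, now):
        """Record activity so a live session is not reclaimed as idle."""
        peer_ip, _ = self.sessions[sid]
        self.sessions[sid] = (peer_ip, now)

    def close_session(self, sid):
        peer_ip, _ = self.sessions.pop(sid)
        self.per_peer[peer_ip] -= 1
        if self.per_peer[peer_ip] == 0:
            del self.per_peer[peer_ip]


def flood_then_legit(server, flood=5000, attacker_ip="198.51.100.7", victim_ip="192.0.2.10"):
    """One attacker opens `flood` sessions at t=0 and goes silent; a legitimate
    client tries at t=60. Returns (sessions the attacker holds, victim admitted)."""
    held = sum(1 for _ in range(flood) if server.open_session(attacker_ip, now=0.0) is not None)
    return held, server.open_session(victim_ip, now=60.0) is not None


def distributed_flood_then_legit(server, sources=200, per_source=10, victim_ip="192.0.2.10"):
    """Same scenario from many source addresses, which defeats a per-peer cap
    alone; only idle reclamation lets the bounded server admit the victim."""
    held = 0
    for i in range(sources):
        ip = f"203.0.113.{i}"   # documentation range, assumed attacker addresses
        held += sum(1 for _ in range(per_source) if server.open_session(ip, now=0.0) is not None)
    return held, server.open_session(victim_ip, now=60.0) is not None


if __name__ == "__main__":
    print("single-source flood, unbounded:", flood_then_legit(UnboundedSessionServer()))
    print("single-source flood, bounded:  ", flood_then_legit(BoundedSessionServer()))
    print("distributed flood, unbounded:  ", distributed_flood_then_legit(UnboundedSessionServer()))
    print("distributed flood, bounded:    ", distributed_flood_then_legit(BoundedSessionServer()))
```

The point of the two scenarios is that a per-peer limit on its own is not enough: a distributed flood still fills the global cap, and only the idle timeout (or an equivalent eviction policy) turns a permanent denial into a transient one. A real server would also authenticate before committing expensive per-session state, which this simulation deliberately leaves out.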
Affected Products
- B&R Industrial Automation GmbH, PPT30 Operating System, versions <1.8.0 (status: known affected; fixed in 1.8.0)
Remediations
Vendor fix
The problem is corrected in the following product version: PPT30 Operating System 1.8.0. The OPC-UA server is not activated by default. B&R recommends that customers with the OPC-UA server enabled install the update at their earliest opportunity. The procedure for installing updates, and the step for identifying the installed product version, are described in the user manual.
Mitigation
The optional OPC-UA server is not activated by default and should only be activated if required. PPT30 products are intended to operate at Levels 1 and 2 of the ABB ICS Cyber Security Reference Architecture. To restrict access to the OPC-UA server exclusively to trusted IP addresses, configure the South Firewall and/or the Control Network Firewall accordingly, and properly segment the network in which the PPT30 operates. Additionally, ensure that the physical network interfaces assigned to the same logical network as the PPT30 are accessible only to authorized personnel. Refer to the section "General security recommendations" for further advice on how to keep your system secure.
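The advisory names B&R's own South Firewall and Control Network Firewall without giving their rule syntax. As an added example of the same restriction on a generic Linux firewall host placed between the control network and the PPT30 (not B&R's configuration and not taken from the advisory), the nftables fragment below admits OPC-UA traffic only from an allow-list of client addresses and caps the rate of new connections per source. It assumes the server listens on TCP 4840, the IANA-registered OPC UA port (confirm against the product manual), that the PPT30 sits at 192.0.2.50 and that 192.0.2.10 and 192.0.2.11 are the trusted SCADA/engineering hosts; all three addresses are placeholders from the documentation range.

```nft
# Added example, not B&R's firewall configuration. Assumed values:
#   192.0.2.50             PPT30 address
#   192.0.2.10, 192.0.2.11 trusted OPC-UA clients
#   TCP 4840               OPC UA default port (verify in the product manual)
table inet opcua_guard {
    set trusted_opcua_clients {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }

    chain forward {
        type filter hook forward priority filter; policy accept;

        # Replies and in-flight sessions towards the PPT30's OPC-UA port.
        ip daddr 192.0.2.50 tcp dport 4840 ct state established,related accept

        # New sessions only from the allow-list, and no more than 10/s per source,
        # so a single trusted host that misbehaves cannot flood the server either.
        ip daddr 192.0.2.50 tcp dport 4840 ip saddr @trusted_opcua_clients ct state new meter opcua_new { ip saddr limit rate 10/second } accept

        # Everything else aimed at the OPC-UA port is dropped and counted for review.
        ip daddr 192.0.2.50 tcp dport 4840 counter drop
    }
}
```

Load it with `nft -f <file>` and check the counter on the final rule with `nft list chain inet opcua_guard forward`; a rising drop count from an unexpected source is the signal to investigate. The chain's policy is left at accept so the fragment touches only OPC-UA traffic; in a production ruleset the forward chain would normally default to drop and list every permitted flow explicitly.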
Relevant CWE: CWE-770 Allocation of Resources Without Limits or Throttling
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C |
Acknowledgments
- ABB PSIRT reported this vulnerability to CISA.
Notice
The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any har
[…]