Summary
An update is available that resolves vulnerabilities identified by B&R's internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited these vulnerabilities could take over a remote session or execute code in the context of the user's browser session.
The following versions of ABB B&R Automation Runtime are affected:
- Automation Runtime <6.4, 6.4 (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 6.1 | B&R | ABB B&R Automation Runtime | Generation of Predictable Numbers or Identifiers, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Improper Neutralization of Formula Elements in a CSV File |
Background
- Critical Infrastructure Sectors: Energy
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Switzerland
Vulnerabilities
CVE-2025-3449
A Generation of Predictable Numbers or Identifiers vulnerability in the SDM component of B&R Automation Runtime versions before 6.4 may allow an unauthenticated network-based attacker to take over already established sessions.
Affected Products
- Product: ABB B&R Automation Runtime
- Vendor: B&R
- Version: Automation Runtime <6.4
- Status: fixed, known_affected
Remediations
Vendor fix
The problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended to be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.
Relevant CWE: CWE-340 Generation of Predictable Numbers or Identifiers
Metrics
| CVSS Version | Base Score | Base Severity | Vector String |
|---|---|---|---|
| 3.1 | 4.2 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C |
CVE-2025-3448
Reflected cross-site scripting (XSS) vulnerabilities exist in the System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 that enable a remote attacker to execute arbitrary JavaScript code in the context of the attacked user's browser session.
Affected Products
- Product: ABB B&R Automation Runtime
- Vendor: B&R
- Version: Automation Runtime <6.4
- Status: fixed, known_affected
Remediations
Vendor fix
The problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended be enabled on active systems located outside proper
[…]