---
title: "Critical Vulnerabilities in ABB B&R Automation Runtime Expose Industrial Systems"
short_title: "ABB B&R Automation Runtime critical flaws patched"
description: "Three critical vulnerabilities in ABB B&R Automation Runtime (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498) allow session hijacking and arbitrary code execution. Update to version 6.4 now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [abb, industrial-security, cve-2025, xss, session-hijacking]
score: 0.85
cve_ids: [CVE-2025-3449, CVE-2025-3448, CVE-2025-11498]
---

## TL;DR
ABB B&R Automation Runtime versions prior to 6.4 are affected by three critical vulnerabilities: session hijacking, cross-site scripting (XSS), and CSV formula injection. Exploitation could allow attackers to execute arbitrary code or take over remote sessions. ABB has released Automation Runtime 6.4 to patch these flaws, and users are urged to update immediately, especially in energy sector deployments.


## Main Content

### Introduction
Industrial control systems (ICS) are the backbone of critical infrastructure, and vulnerabilities in these systems can have far-reaching consequences. ABB, a global leader in industrial automation, has disclosed three critical vulnerabilities in its B&R Automation Runtime software. These flaws, identified as CVE-2025-3449, CVE-2025-3448, and CVE-2025-11498, could enable attackers to hijack sessions, execute arbitrary code, or inject malicious formulas into CSV files. This advisory details the vulnerabilities, their impact, and the steps organizations must take to mitigate risks.


### Key Points
- Affected Versions: ABB B&R Automation Runtime versions prior to 6.4 are vulnerable.
- Vulnerability Types:
  - Session Hijacking (CVE-2025-3449): Predictable session identifiers allow unauthenticated attackers to take over established sessions.
  - Cross-Site Scripting (XSS) (CVE-2025-3448): Reflected XSS enables remote attackers to execute arbitrary JavaScript in a user’s browser.
  - CSV Formula Injection (CVE-2025-11498): Malicious formulas can be injected into CSV files, requiring user interaction to exploit.
- Impact: Successful exploitation could lead to unauthorized code execution, session takeover, or data manipulation.
- Mitigation: ABB has released Automation Runtime 6.4 to address these vulnerabilities. Users are advised to disable the System Diagnostics Manager (SDM) if not required and apply the update immediately.


### Technical Details

#### CVE-2025-3449: Session Hijacking via Predictable Identifiers
- CVSS Score: 4.2 (Medium)
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
- Description: The System Diagnostics Manager (SDM) component in vulnerable versions of Automation Runtime generates predictable session identifiers. An unauthenticated attacker with network access can exploit this flaw to hijack established sessions, potentially gaining unauthorized access to sensitive diagnostic data.
- Affected Component: SDM (disabled by default in Automation Runtime 6+).
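The weakness class behind this CVE (CWE-340) is easiest to understand by contrast. The following is an added example written for this article, not code from ABB or the SDM: a constructed counter-based generator illustrates the predictable pattern, `strong_session_id` shows the CSPRNG-backed alternative, and `looks_predictable` is a small audit heuristic a tester can run over session IDs captured from a test client to decide whether they step by small increments. All function and constant names are assumptions.

```python
import hmac
import secrets
from itertools import count

# Constructed illustration of the weak pattern behind CWE-340: a session ID
# that is just a counter rendered as hex. Anyone who observes one ID can
# guess its neighbours. Not ABB's code.
_counter = count(0x1000)


def weak_session_id() -> str:
    """Predictable: successive calls return 00001000, 00001001, ..."""
    return f"{next(_counter):08x}"


def strong_session_id(nbytes: int = 32) -> str:
    """Unpredictable: 256 bits from the OS CSPRNG, hex-encoded (64 chars)."""
    return secrets.token_hex(nbytes)


def looks_predictable(samples: list[str], max_step: int = 1 << 20) -> bool:
    """Audit heuristic for IDs captured in sequence from a test client.

    Decodes each ID as a hex integer and reports True when every gap between
    consecutive IDs is small, which is what a counter- or clock-based
    generator produces. Random 256-bit IDs have astronomically large gaps.
    """
    if len(samples) < 3:
        return False  # too few observations to judge
    try:
        values = [int(s, 16) for s in samples]
    except ValueError:
        return False  # not hex; this heuristic does not apply
    steps = [abs(b - a) for a, b in zip(values, values[1:])]
    return max(steps) <= max_step


def ids_match(stored: str, presented: str) -> bool:
    """Constant-time comparison so response timing does not leak matches."""
    return hmac.compare_digest(stored.encode(), presented.encode())


if __name__ == "__main__":
    weak = [weak_session_id() for _ in range(5)]
    strong = [strong_session_id() for _ in range(5)]
    print("weak  :", weak, "predictable =", looks_predictable(weak))
    print("strong:", strong[0][:16] + "...", "predictable =", looks_predictable(strong))
```

The heuristic only catches the crude case (sequential or clock-derived IDs); it is a smoke test for an assessment, not a substitute for reviewing how the generator seeds its randomness. Session IDs should also be long enough (at least 128 bits of entropy) and compared in constant time, as `ids_match` does.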

#### CVE-2025-3448: Reflected Cross-Site Scripting (XSS)
- CVSS Score: 6.1 (Medium)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Description: A reflected XSS vulnerability in the SDM component allows attackers to inject malicious JavaScript code into a user’s browser session. Exploitation requires tricking a user into clicking a maliciously crafted hyperlink, which could lead to arbitrary code execution in the context of the user’s session.
- Mitigation: External Web Application Firewalls (WAFs) can help mitigate XSS attacks.
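A WAF is a compensating control; the root fix for reflected XSS is output encoding in the page that reflects the parameter. The following is an added example, not ABB's code: a constructed diagnostics page with a hypothetical `view` query parameter, rendered once without encoding and once with `html.escape`, so the difference is visible on the same input.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template with a hypothetical reflected parameter; the
# route and parameter name are assumptions, not the SDM's real ones.
PAGE = "<html><body><h1>Diagnostics for {view}</h1></body></html>"


def _view_param(url: str) -> str:
    """Extract the 'view' query parameter (empty string when absent)."""
    return parse_qs(urlsplit(url).query).get("view", [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the raw parameter: any markup in the value becomes markup."""
    return PAGE.format(view=_view_param(url))


def render_hardened(url: str) -> str:
    """Encodes the parameter for an HTML text context before reflecting it.

    quote=True also encodes ' and ", so the same helper is safe inside
    quoted attribute values; JavaScript and URL contexts need their own
    encoders.
    """
    return PAGE.format(view=html.escape(_view_param(url), quote=True))


def reflects_raw_value(page: str, value: str) -> bool:
    """True when the unencoded value survived into the page."""
    return value in page


if __name__ == "__main__":
    url = "http://plc.example/sdm/status?view=%3Cb%3Ecpu%3C%2Fb%3E"
    print(render_vulnerable(url))
    print(render_hardened(url))
```

Encoding must match the output context: `html.escape` is right for element text and quoted attributes, but a value placed inside a `<script>` block or a URL needs JavaScript-string or percent encoding respectively. A restrictive Content-Security-Policy header on the diagnostics pages limits the damage if a sink is missed.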

#### CVE-2025-11498: CSV Formula Injection
- CVSS Score: 6.1 (Medium)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Description: This vulnerability allows attackers to inject formula elements into generated CSV files. Exploitation requires a user to click a malicious link and manually open the resulting CSV file, which could lead to data manipulation or unauthorized command execution.
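CSV formula injection (CWE-1236) is fixed on the producing side by neutralizing any cell a spreadsheet would interpret as a formula. The following is an added example, not ABB's code: `neutralize_csv_cell` applies the usual prefix rule, and `write_diagnostic_csv` shows it applied to every cell of a constructed export. Function names are assumptions.

```python
import csv
import io

# Characters a spreadsheet treats as the start of a formula. Tab and carriage
# return are included because some importers strip them and then interpret
# what follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_cell(value) -> str:
    """Return a cell value a spreadsheet will display as text, not evaluate.

    A leading single quote makes Excel and LibreOffice treat the cell as a
    literal. Native numbers are passed through so negative readings such as
    -5 are not mangled; only string-typed cells are neutralized.
    """
    if value is None:
        return ""
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def write_diagnostic_csv(rows) -> str:
    """Serialize rows (lists of cells) to CSV text with every cell neutralized.

    The csv module handles quoting of commas, quotes and newlines, so the
    two concerns (CSV syntax and spreadsheet formulas) stay separate.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    for row in rows:
        writer.writerow([neutralize_csv_cell(c) for c in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample export; the second value is a formula-shaped string.
    print(write_diagnostic_csv([["signal", "value"], ["cpu_load", "=SUM(A1:A9)"], ["temp", -5]]))
```

The trade-off to be aware of: string values that legitimately begin with `-` or `+` (a free-text label such as "-spare-") will be shown with a leading quote in the spreadsheet. Exporting numeric fields as numbers, as above, avoids the common case, and the prefix can be stripped again by a consumer that parses the CSV programmatically rather than in a spreadsheet.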


### Impact Assessment
The vulnerabilities pose a significant risk to industrial environments, particularly in the energy sector, where ABB B&R Automation Runtime is widely deployed. Successful exploitation could result in:
- Unauthorized access to industrial control systems.
- Arbitrary code execution in the context of a user’s browser session.
- Data manipulation via malicious CSV files.
- Disruption of critical operations in energy and other industrial sectors.

While the SDM component is disabled by default in Automation Runtime 6+, organizations that enable it are at heightened risk, especially if systems are exposed to untrusted networks or lack adequate access controls.


### Mitigation Steps
ABB has released Automation Runtime 6.4 to patch these vulnerabilities. Organizations are urged to take the following steps:

1. Apply the Update:
   - Upgrade to Automation Runtime 6.4 immediately. The update process is detailed in the user manual.
   - Identify the installed product version using the steps provided in the manual.

2. Disable SDM if Unnecessary:
   - The System Diagnostics Manager (SDM) is disabled by default in Automation Runtime 6+. Do not enable it unless absolutely required, especially on systems outside secured production networks.

3. Implement Network Security Best Practices:
   - Isolate control systems from business networks and the internet.
   - Use firewalls to limit exposure and restrict access to trusted IP addresses.
   - Deploy Web Application Firewalls (WAFs) to mitigate XSS attacks.

4. Educate Users:
   - Train employees to avoid clicking hyperlinks from untrusted sources, such as emails, social media, or messaging services.
   - Warn users about the risks of opening CSV files from unknown origins.

5. Monitor for Exploitation:
   - Implement intrusion detection systems (IDS) to monitor for suspicious activity.
   - Report any suspected exploitation to ABB PSIRT or CISA.
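Step 5 is concrete enough to show what an IDS or SIEM rule for these two web-facing issues would key on. The following is an added example, not from ABB or CISA: it parses constructed Common Log Format lines and flags requests whose decoded query parameters contain HTML markup (the XSS case) or, on a CSV export path, a formula-trigger prefix (the CSV injection case). The `/sdm/...` paths and parameter names are placeholders chosen for the example; the real SDM routes are not given on this page.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed access-log lines in Common Log Format. The /sdm/... paths and
# parameter names are placeholders, not the real SDM routes.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Oct/2024:10:01:02 +0000] "GET /sdm/status?view=cpu HTTP/1.1" 200 512
10.0.0.9 - - [02/Oct/2024:10:01:07 +0000] "GET /sdm/status?view=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 640
10.0.0.9 - - [02/Oct/2024:10:01:09 +0000] "GET /sdm/export.csv?label=%3DHYPERLINK(%22http%3A%2F%2Fx%22) HTTP/1.1" 200 128
10.0.0.5 - - [02/Oct/2024:10:01:11 +0000] "GET /sdm/export.csv?label=motor-3 HTTP/1.1" 200 128
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup or script-bearing constructs that have no place in a diagnostics parameter.
HTML_MARKUP = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.I)
# Same trigger set a CSV neutralizer uses; here it drives detection instead.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def classify_target(target: str) -> list[str]:
    """Return the reasons a request target looks like an injection attempt.

    Parameters are percent-decoded first so encoded payloads are not missed.
    """
    parts = urlsplit(target)
    reasons = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if HTML_MARKUP.search(value):
            reasons.append(f"markup in parameter {name!r}")
        # Formula prefixes only matter where the value ends up in a CSV export.
        if parts.path.endswith(".csv") and value.startswith(FORMULA_TRIGGERS):
            reasons.append(f"formula prefix in parameter {name!r}")
    return reasons


def scan_log(text: str) -> list[dict]:
    """Parse each line and collect findings suitable for an alert or a rule test."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        reasons = classify_target(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["target"], "->", "; ".join(f["reasons"]))
```

Treat these as enrichment signals rather than blocking rules: the formula check will also fire on a legitimate negative number in a CSV export parameter, so the finding is best correlated with the source address, the SDM being enabled at all on that controller, and whether the request came from outside the expected engineering network.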


### Affected Systems
- Product: ABB B&R Automation Runtime
- Affected Versions: All versions prior to 6.4
- Critical Infrastructure Sectors: Energy (worldwide deployment)
- Vendor Headquarters: Switzerland


## Conclusion
The discovery of these vulnerabilities in ABB B&R Automation Runtime underscores the critical importance of securing industrial control systems. While ABB has released patches, organizations must act swiftly to apply updates, disable unnecessary components, and implement robust security measures to prevent exploitation. The energy sector, in particular, must prioritize these actions to safeguard critical infrastructure from potential cyber threats.

For further guidance, refer to CISA’s recommended practices for industrial control systems and ABB’s official documentation.

