Cybersecurity researchers have found over a dozen safety vulnerabilities impacting Tridium’s Niagara Framework that would enable an attacker on the identical community to compromise the system below sure circumstances.
“These vulnerabilities are totally exploitable if a Niagara system is misconfigured, thereby disabling encryption on a particular community system,” Nozomi Networks Labs mentioned in a report revealed final week. “If chained collectively, they may enable an attacker with entry to the identical community — corresponding to by way of a Man-in-the-Center (MiTM) place — to compromise the Niagara system.”
Developed by Tridium, an unbiased enterprise entity of Honeywell, the Niagara Framework is a vendor-neutral platform used to handle and management a variety of gadgets from completely different producers, corresponding to HVAC, lighting, power administration, and safety, making it a beneficial answer in constructing administration, industrial automation, and sensible infrastructure environments.
It consists of two key parts: Platform, which is the underlying software program surroundings that gives the mandatory companies to create, handle, and run Stations, and Station, which communicates with and controls related gadgets and methods.
The vulnerabilities recognized by Nozomi Networks are exploitable ought to a Niagara system be misconfigured, inflicting encryption to be disabled on a community system and opening the door to lateral motion and broader operational disruptions, impacting security, productiveness, and repair continuity.
Probably the most extreme of the problems are listed under –
CVE-2025-3936 (CVSS rating: 9.8) – Incorrect Permission Project for Crucial Useful resource
CVE-2025-3937 (CVSS rating: 9.8) – Use of Password Hash With Inadequate Computational Effort
CVE-2025-3938 (CVSS rating: 9.8) – Lacking Cryptographic Step
CVE-2025-3941 (CVSS rating: 9.8) – Improper Dealing with of Home windows: DATA Alternate Information Stream
CVE-2025-3944 (CVSS rating: 9.8) – Incorrect Permission Project for Crucial Useful resource
CVE-2025-3945 (CVSS rating: 9.8) – Improper Neutralization of Argument Delimiters in a Command
CVE-2025-3943 (CVSS rating: 7.3) – Use of GET Request Technique With Delicate Question Strings
Nozomi Networks mentioned it was in a position to craft an exploit chain combining CVE-2025-3943 and CVE-2025-3944 that would allow an adjoining attacker with entry to the community to breach a Niagara-based goal system, finally facilitating root-level distant code execution.
Particularly, the attacker might weaponize CVE-2025-3943 to intercept the anti-CSRF (cross-site request forgery) refresh token in situations the place the Syslog service is enabled, inflicting the logs containing the token to be transmitted doubtlessly over an unencrypted channel.
Armed with the token, the menace actor can set off a CSRF assault and lure an administrator into visiting a specifically crafted hyperlink that causes the content material of all incoming HTTP requests and responses to be totally logged. The attacker then proceeds to extract the administrator’s JSESSIONID session token and use it to hook up with the Niagara Station with full elevated permissions and creates a brand new backdoor administrator consumer for persistent entry.
Within the subsequent stage of the assault, the executive entry is abused to obtain the non-public key related to the system’s TLS certificates and conduct adversary-in-the-middle (AitM) assaults by benefiting from the truth that each the Station and Platform share the identical certificates and key infrastructure.
With management of the Platform, the attacker might leverage CVE-2025-3944 to facilitate root-level distant code execution on the system, reaching full takeover. Following accountable disclosure, the problems have been addressed in Niagara Framework and Enterprise Safety variations 4.14.2u2, 4.15.u1, or 4.10u.11.
“As a result of Niagara typically connects important methods and generally bridges IoT expertise and knowledge expertise (IT) networks, it might symbolize a high-value goal,” the corporate mentioned.
“Given the important features that may be managed by Niagara-powered methods, these vulnerabilities could pose a excessive threat to operational resilience and safety supplied the occasion has not been configured per Tridium’s hardening tips and finest practices.”
The disclosure comes as a number of reminiscence corruption flaws have been found within the P-Internet C library, an open-source implementation of the PROFINET protocol for IO gadgets, that, if efficiently exploited, might enable unauthenticated attackers with community entry to the focused system to set off denial-of-service (DoS) circumstances.
“Virtually talking, exploiting CVE-2025-32399, an attacker can power the CPU operating the P-Internet library into an infinite loop, consuming 100% CPU sources,” Nozomi Networks mentioned. “One other vulnerability, tracked as CVE-2025-32405, permits an attacker to jot down past the boundaries of a connection buffer, corrupting reminiscence and making the system totally unusable.”
The vulnerabilities have been resolved in model 1.0.2 of the library, which was launched in late April 2025.
In latest months, a number of safety defects have additionally been unearthed in Rockwell Automation PowerMonitor 1000, Bosch Rexroth ctrlX CORE, and Inaba Denki Sangyo’s IB-MCT001 cameras that would end in execution of arbitrary instructions, system takeover, DoS, info theft, and even remotely entry dwell footage for surveillance.
“Profitable exploitation of those vulnerabilities might enable an attacker to acquire the product’s login password, achieve unauthorized entry, tamper with product’s knowledge, and/or modify product settings,” the U.S. Cybersecurity and Infrastructure Safety Company (CISA) mentioned in an advisory for IB-MCT001 flaws.
