Researchers recognized 13 essential vulnerabilities in Tridium’s widely-deployed Niagara Framework that would permit attackers to compromise constructing automation methods and acquire delicate community knowledge.
The vulnerabilities, affecting variations 4.10u10 and earlier, in addition to 4.14u1 and earlier, allow attackers with community entry to execute refined assault chains leading to full system compromise, together with root-level distant code execution on track units.
Key Takeaways1. Vital flaws found in Tridium Niagara Framework affecting constructing automation methods.2. Attackers can obtain full machine compromise when encryption is disabled.3. Updates required to guard essential infrastructure.
Vital Framework Vulnerabilities
In response to Nozomi Networks Labs, Tridium Niagara Framework serves as a essential middleware platform connecting various IoT units throughout constructing administration, industrial automation, and good infrastructure environments.
Niagara Workbench important interface
The newly found vulnerabilities are consolidated into ten distinct CVEs, with CVE-2025-3937 scoring the best CVSS v3.1 score of seven.7 on account of inadequate computational effort in password hashing (CWE-916).
Probably the most extreme vulnerabilities embody CVE-2025-3944 with a CVSS rating of seven.2, involving incorrect permission task for essential sources, and CVE-2025-3945, additionally scoring 7.2, which allows argument injection assaults.
These flaws turn into totally exploitable when Niagara methods are misconfigured with disabled encryption on community units, a configuration that generates safety dashboard warnings.
Researchers recognized an assault chain leveraging CVE-2025-3943 and CVE-2025-3944 that permits adjoining attackers to realize full system compromise.
The assault begins with intercepting anti-CSRF refresh tokens transmitted by way of GET requests to the /ord endpoint:
Attacker interacts with the Niagara station
The vulnerability chain permits attackers to extract JSESSIONID session tokens from unencrypted Syslog site visitors, escalate privileges, and in the end exploit CVE-2025-3944 to execute arbitrary code by way of dhcpd.conf hooks.
The next proof-of-concept demonstrates root-level code execution:
CVE IDTitleCVSS 3.1 ScoreSeverityCVE-2025-3937Use of Password Hash with Inadequate Computational Effort7.7HighCVE-2025-3944Incorrect Permission Project for Vital Resource7.2HighCVE-2025-3945Argument Injection7.2HighCVE-2025-3938Missing Cryptographic Step6.8MediumCVE-2025-3936Incorrect Permission Project for Vital Resource6.5MediumCVE-2025-3941Improper Dealing with of Home windows DATA Alternate Information Stream5.4MediumCVE-2025-3939Observable Response Discrepancy5.3MediumCVE-2025-3940Improper Use of Validation Framework5.3MediumCVE-2025-3942Improper Output Neutralization for Logs4.3MediumCVE-2025-3943Use of GET Request Methodology with Delicate Question Strings4.1Medium
Mitigations
Tridium has responded swiftly by issuing safety patches and publishing a complete safety advisory addressing all recognized vulnerabilities.
The assault conditions embody Man-in-the-Center (MiTM) community positioning and misconfigured Syslog performance transmitting knowledge with out encryption.
Organizations working Niagara-powered methods should instantly replace to patched variations and implement community segmentation to restrict publicity.
The vulnerabilities pose vital dangers to operational know-how environments, probably enabling lateral motion by way of T1210 – Exploitation of Distant Providers and operational disruptions through T1499 – Endpoint Denial of Service assault strategies.
Given Niagara’s deployment throughout essential sectors together with healthcare, transportation, manufacturing, and vitality, these vulnerabilities symbolize substantial dangers to each digital property and real-world security methods.
Expertise quicker, extra correct phishing detection and enhanced safety for your online business with real-time sandbox analysis-> Attempt ANY.RUN now
.webp?ssl=1 "Google Forms Exploited in New PureHVNC Malware Attack")
