ABB B&R Automation Runtime

Summary

ABB B&R disclosed three vulnerabilities (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498) in Automation Runtime versions before 6.4 affecting the System Diagnostics Manager (SDM) component. The flaws enable unauthenticated attackers to hijack sessions via predictable identifiers, execute arbitrary JavaScript via reflected XSS, and inject malicious formulas into CSV files. Fix is available in Automation Runtime 6.4; SDM is disabled by default and primarily impacts systems where it is explicitly enabled.

Full text

ICS Advisory ABB B&R Automation Runtime Release DateMay 21, 2026 Alert CodeICSA-26-141-04 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF Summary An update is available that resolves a vulnerability identified by B&Rs internal security analysis in the product versions listed as affected in this advisory. An attacker who successfully exploited these vulnerabilities could take over a remote session or execute code in the context of the user’s browser session. The following versions of ABB B&R Automation Runtime are affected: Automation Runtime <6.4, 6.4 (CVE-2025-3449, CVE-2025-3448, CVE-2025-11498) CVSS Vendor Equipment Vulnerabilities v3 6.1 B&R ABB B&R Automation Runtime Generation of Predictable Numbers or Identifiers, Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Neutralization of Formula Elements in a CSV File Background Critical Infrastructure Sectors: Energy Countries/Areas Deployed: Worldwide Company Headquarters Location: Switzerland Vulnerabilities Expand All + CVE-2025-3449 A Generation of Predictable Numbers or Identifiers vulnerability in the SDM component of B&R Automation Runtime versions before 6.4 may allow an unauthenticated network-based attacker to take over already established sessions. View CVE Details Affected Products ABB B&R Automation Runtime Vendor:B&R Product Version:Automation Runtime <6.4 Product Status:fixed, known_affected Remediations Vendor fixThe problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Relevant CWE: CWE-340 Generation of Predictable Numbers or Identifiers Metrics CVSS Version Base Score Base Severity Vector String 3.1 4.2 MEDIUM CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N/E:F/RL:O/RC:C CVE-2025-3448 Reflected cross-site scripting (XSS) vulnerabilities exist in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 that enables a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session View CVE Details Affected Products ABB B&R Automation Runtime Vendor:B&R Product Version:Automation Runtime <6.4 Product Status:fixed, known_affected Remediations Vendor fixThe problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Relevant CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:F/RC:C CVE-2025-11498 An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attack-er to create a malicious link. The user would need to click on this link, after which the resulting CSV file additionally needs to be manually opened. View CVE Details Affected Products ABB B&R Automation Runtime Vendor:B&R Product Version:Automation Runtime <6.4 Product Status:fixed, known_affected Remediations Vendor fixThe problem is corrected in Automation Runtime 6.4. The System Diagnostic Manager (SDM) is disabled by default in Automation Runtime 6 and is not intended be enabled on active systems located outside properly secured production networks or in facilities lacking adequate physical and logical access controls to prevent any form of unauthorized interaction. For customers who use SDM on their systems, B&R recommends applying the update based on risk assessment at the earliest convenience. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual. Relevant CWE: CWE-1236 Improper Neutralization of Formula Elements in a CSV File Metrics CVSS Version Base Score Base Severity Vector String 3.1 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/RL:O/RC:C Acknowledgments ABB PSIRT reported these vulnerabilities to CISA. Notice The information in this document is subject to change without notice, and should not be construed as a commitment by B&R. B&R provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall B&R or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if B&R or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from B&R, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners. Mitigating factors Do not enable the System Diagnostics Manager when it is not required. Refer to section “General security recommendations” for further advise on how to keep your system secure. Workarounds Do not use Hyperlinks provided by untrusted 3rd party to access the SDM. Hyperlinks may be provided via: • Emails from unknown users • Social media channels • Messaging services • Webpages with comment functionality • QR Codes The use of external Web Application Firewalls (WAF) can mitigate attacks using reflected cross-site scripting. Frequently asked questions What causes the vulnerabilities? The vulnerabilities are caused by insufficient input sanitization and generation of predictable numbers. What is System Diagnostics Manager (SDM)? System Diagnostics Manager (SDM) is a webpage available over the Automation Runtime Webserver, showing key diagnostic information of the running controller. What is Automation Runtime (AR)? B&R Automation Runtime is a middleware system enabling customers to run applications on B&R target systems. What might an attacker use the vulnerabilities to do? An attacker who successfully exploited these vulnerabilities could cause to run arbitrary code in the context of the user’s browser session or take over the user’s session. Since the SDM currently does not process any session-specific data and also does not implement authentication mechanisms at the session level, B&R is not aware of any advantages an attacker could gain by taking over the session ID How could an attacker exploit the vulnerabilities? To exploit the XSS vulnerability CVE-2025-3448, an attacker could try to create a hyperlink including malicious script code. This hyperlink must be opened by the user to launch the attack. To exploit vulnerability CVE-2025-3

Indicators of Compromise

• cve — CVE-2025-3449
• cve — CVE-2025-3448
• cve — CVE-2025-11498

Entities