Cybersecurity researchers have found over a dozen safety vulnerabilities impacting Tridium’s Niagara Framework that might permit an attacker on the identical community to compromise the system beneath sure circumstances.
“These vulnerabilities are absolutely exploitable if a Niagara system is misconfigured, thereby disabling encryption on a selected community gadget,” Nozomi Networks Labs stated in a report printed final week. “If chained collectively, they might permit an attacker with entry to the identical community — corresponding to by means of a Man-in-the-Center (MiTM) place — to compromise the Niagara system.”
Developed by Tridium, an impartial enterprise entity of Honeywell, the Niagara Framework is a vendor-neutral platform used to handle and management a variety of gadgets from totally different producers, corresponding to HVAC, lighting, vitality administration, and safety, making it a beneficial resolution in constructing administration, industrial automation, and sensible infrastructure environments.
It consists of two key parts: Platform, which is the underlying software program surroundings that gives the required providers to create, handle, and run Stations, and Station, which communicates with and controls linked gadgets and programs.
The vulnerabilities recognized by Nozomi Networks are exploitable ought to a Niagara system be misconfigured, inflicting encryption to be disabled on a community gadget and opening the door to lateral motion and broader operational disruptions, impacting security, productiveness, and repair continuity.
Essentially the most extreme of the problems are listed beneath –
- CVE-2025-3936 (CVSS rating: 9.8) – Incorrect Permission Task for Important Useful resource
- CVE-2025-3937 (CVSS rating: 9.8) – Use of Password Hash With Inadequate Computational Effort
- CVE-2025-3938 (CVSS rating: 9.8) – Lacking Cryptographic Step
- CVE-2025-3941 (CVSS rating: 9.8) – Improper Dealing with of Home windows: DATA Alternate Knowledge Stream
- CVE-2025-3944 (CVSS rating: 9.8) – Incorrect Permission Task for Important Useful resource
- CVE-2025-3945 (CVSS rating: 9.8) – Improper Neutralization of Argument Delimiters in a Command
- CVE-2025-3943 (CVSS rating: 7.3) – Use of GET Request Methodology With Delicate Question Strings
Nozomi Networks stated it was capable of craft an exploit chain combining CVE-2025-3943 and CVE-2025-3944 that might allow an adjoining attacker with entry to the community to breach a Niagara-based goal gadget, finally facilitating root-level distant code execution.
Particularly, the attacker might weaponize CVE-2025-3943 to intercept the anti-CSRF (cross-site request forgery) refresh token in situations the place the Syslog service is enabled, inflicting the logs containing the token to be transmitted probably over an unencrypted channel.
Armed with the token, the menace actor can set off a CSRF assault and lure an administrator into visiting a specifically crafted hyperlink that causes the content material of all incoming HTTP requests and responses to be absolutely logged. The attacker then proceeds to extract the administrator’s JSESSIONID session token and use it to hook up with the Niagara Station with full elevated permissions and creates a brand new backdoor administrator person for persistent entry.
Within the subsequent stage of the assault, the executive entry is abused to obtain the non-public key related to the gadget’s TLS certificates and conduct adversary-in-the-middle (AitM) assaults by profiting from the truth that each the Station and Platform share the identical certificates and key infrastructure.
With management of the Platform, the attacker might leverage CVE-2025-3944 to facilitate root-level distant code execution on the gadget, reaching full takeover. Following accountable disclosure, the problems have been addressed in Niagara Framework and Enterprise Safety variations 4.14.2u2, 4.15.u1, or 4.10u.11.
“As a result of Niagara typically connects important programs and typically bridges IoT know-how and data know-how (IT) networks, it might signify a high-value goal,” the corporate stated.
“Given the important capabilities that may be managed by Niagara-powered programs, these vulnerabilities might pose a excessive danger to operational resilience and safety supplied the occasion has not been configured per Tridium’s hardening tips and greatest practices.”
The disclosure comes as a number of reminiscence corruption flaws have been found within the P-Internet C library, an open-source implementation of the PROFINET protocol for IO gadgets, that, if efficiently exploited, might permit unauthenticated attackers with community entry to the focused gadget to set off denial-of-service (DoS) situations.
“Virtually talking, exploiting CVE-2025-32399, an attacker can power the CPU operating the P-Internet library into an infinite loop, consuming 100% CPU assets,” Nozomi Networks stated. “One other vulnerability, tracked as CVE-2025-32405, permits an attacker to jot down past the boundaries of a connection buffer, corrupting reminiscence and making the gadget totally unusable.”
The vulnerabilities have been resolved in model 1.0.2 of the library, which was launched in late April 2025.
In current months, a number of safety defects have additionally been unearthed in Rockwell Automation PowerMonitor 1000, Bosch Rexroth ctrlX CORE, and Inaba Denki Sangyo’s IB-MCT001 cameras that might end in execution of arbitrary instructions, gadget takeover, DoS, info theft, and even remotely entry stay footage for surveillance.
“Profitable exploitation of those vulnerabilities might permit an attacker to acquire the product’s login password, achieve unauthorized entry, tamper with product’s information, and/or modify product settings,” the U.S. Cybersecurity and Infrastructure Safety Company (CISA) stated in an advisory for IB-MCT001 flaws.
