[TIMESTAMP: 2026-05-06 00:49 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

ABB B&R Automation Runtime DoS via CVE-2025-11044 — Patch Now

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Unauthenticated network attackers can trigger a permanent denial-of-service in ABB B&R Automation Runtime, impacting critical manufacturing operations worldwide.
  • [02] Affected systems: ABB B&R Automation Runtime versions prior to 6.5 and prior to R4.93 are vulnerable.
  • [03] Remediation: Immediately apply vendor updates to Automation Runtime 6 >= 6.5 or Automation Runtime 4 >= R4.93.

Urgent DoS Vulnerability in ABB B&R Automation Runtime

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory regarding a significant vulnerability, identified as CVE-2025-11044, affecting ABB B&R Automation Runtime products. This flaw could lead to a permanent denial-of-service (DoS) condition, posing a substantial risk to critical manufacturing sectors globally. Organizations operating affected systems must prioritize immediate remediation to maintain operational continuity and integrity, as highlighted by CISA.

Technical Details: CVE-2025-11044 Explained

The vulnerability, categorized as CWE-770: Allocation of Resources Without Limits or Throttling, resides within the ANSL-Server component of ABB B&R Automation Runtime. An unauthenticated attacker with network access can exploit this weakness by winning a race condition, leading to the affected product stopping completely. This results in a permanent DoS for the device. The CVSS v3.1 base score for this vulnerability is 6.8, classifying it as ‘Medium’ severity.

Specifically, the affected products include:

  • ABB B&R Automation Runtime versions prior to 6.5
  • ABB B&R Automation Runtime versions prior to R4.93

Any deployment running a version earlier than 6.5 or earlier than R4.93 is therefore potentially at risk. The ease of exploitation is concerning: an attacker only requires network access to the system node and can trigger the vulnerability by sending a specially crafted message.

Impact on Critical Manufacturing

For industries reliant on industrial control systems (ICS), a permanent denial-of-service attack carries severe implications. Such an event can halt production, disrupt critical processes, and potentially lead to significant financial losses and safety hazards. Exploitation requires network access, and the advisory underscores that process control systems should be physically protected and isolated from the internet, often behind firewalls. B&R’s investigations indicate that shorter cycle times in customer projects increase the likelihood of successful exploitation, suggesting that the responsiveness of the control system can play a role in its susceptibility.

Exploitation from outside Level 1 of the ABB ICS Cyber Security Reference Architecture would necessitate bypassing existing control network firewalls, emphasizing the importance of a multi-layered security approach, often referred to as Defense in Depth. Organizations must evaluate their current network segmentation and access controls to determine their exposure to this threat.

Mitigating CVE-2025-11044 in ABB B&R Automation Runtime

The primary and most effective remediation for this vulnerability is to apply the vendor-provided updates immediately. B&R has released patches that correct the issue by limiting incoming network traffic handled by the ANSL server component.

Recommended Updates:

  • Automation Runtime 6: Update to version 6.5 or later.
  • Automation Runtime 4: Update to version R4.93 or later.

Customers are advised to consult their user manuals for detailed instructions on identifying their installed product version and executing the update process. Mitigating CVE-2025-11044 effectively requires a combination of patching and network hygiene.

For installations where immediate patching is not feasible, B&R suggests several mitigating measures:

  • Application Configuration: Adjusting application configurations to longer cycle times may reduce the likelihood of exploitation, especially in environments where shorter cycle times are present.
  • Network Segmentation and Firewalls: Limit the maximum data traffic and the number of concurrent connections to the ANSL server via the Control Network Firewall. This can significantly reduce the attack surface. Ensure control system networks are isolated from business networks and not directly accessible from the internet.
  • Remote Access: When remote access is required, utilize secure methods such as Virtual Private Networks (VPNs). However, it is crucial to recognize that VPNs themselves can have vulnerabilities and must be kept up-to-date. The security of a VPN is directly tied to the security of its connected devices.
  • Load Testing: Test the maximum load capacity of the application under Automation Runtime before commissioning to understand potential vulnerabilities under stress.
  • Traffic Restriction: Restrict permitted data traffic to the device via the Control Network Firewall to no more than 80% of the measured peak traffic value.
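
The version thresholds and the 80% traffic ceiling above can be applied to an asset inventory as in the following added example, which is not B&R or CISA tooling. Hostnames, version strings and traffic samples are constructed, and the version string shape (optional letter, then major.minor) is an assumption based on how the article writes "6.5" and "R4.93"; anything outside that shape is sent to manual review rather than guessed.

```python
import re

# Fixed versions as stated in the article: AR 6 >= 6.5, AR 4 >= R4.93.
FIXED = {6: (6, 5), 4: (4, 93)}
AR4_FIXED_PREFIX = "R"  # the article writes the AR 4 fix as "R4.93"

# Assumed string shape: optional single letter, then major.minor ("R4.93", "6.5").
VERSION_RE = re.compile(r"^([A-Z])?(\d+)\.(\d+)")

def triage(version):
    """Classify one version string as 'affected', 'fixed' or 'review'."""
    m = VERSION_RE.match(version.strip().upper())
    if not m:
        return "review"  # unparseable inventory entry: never guess
    prefix, major, minor = m.group(1), int(m.group(2)), int(m.group(3))
    if major not in FIXED:
        return "review"  # branch the article does not mention
    # Compare as integer tuples so that 6.10 sorts after 6.5.
    if (major, minor) < FIXED[major]:
        return "affected"
    if major == 4 and minor == 93 and prefix != AR4_FIXED_PREFIX:
        return "review"  # same number, different letter: confirm in vendor docs
    return "fixed"

def firewall_cap(peak_samples_kbps):
    """Ceiling from the article: at most 80% of the measured peak (integer kbit/s)."""
    if not peak_samples_kbps:
        raise ValueError("measure peak traffic before setting a limit")
    return max(peak_samples_kbps) * 4 // 5  # floor division keeps the cap <= 80%

def report(inventory):
    """Group hostnames by triage result."""
    out = {"affected": [], "fixed": [], "review": []}
    for host, version in sorted(inventory.items()):
        out[triage(version)].append(host)
    return out

# Constructed inventory and load-test samples, for illustration only.
INVENTORY = {"plc-a": "6.4", "plc-b": "6.10", "plc-c": "R4.93",
             "plc-d": "B4.92", "plc-e": "D4.93", "plc-f": "unknown"}
PEAK_SAMPLES_KBPS = [900, 1250, 1100]

if __name__ == "__main__":
    for status, hosts in report(INVENTORY).items():
        print(f"{status:9} {', '.join(hosts)}")
    print("firewall cap (kbit/s):", firewall_cap(PEAK_SAMPLES_KBPS))
```
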

Runtime Rebel urges all organizations using affected ABB B&R Automation Runtime versions to review their systems and implement these recommendations without delay. Proactive defense measures are essential to protect critical infrastructure from potential disruptions caused by such vulnerabilities.
