CVE-2025-11043: ABB Automation Studio <6.5 Improper Certificate Validation

Overview: Critical Vulnerability in ABB B&R Automation Studio

CISA has republished an advisory from ABB PSIRT detailing a significant improper certificate validation vulnerability, tracked as CVE-2025-11043, affecting ABB B&R Automation Studio. This flaw poses a substantial risk to critical manufacturing environments globally, where these automation solutions are widely deployed. Successful exploitation could enable threat actors to masquerade as trusted entities, intercept, and manipulate communications between the Automation Studio client and its servers. This can lead to unauthorized data disclosure or alteration, compromising the integrity and confidentiality of industrial control processes.

The vulnerability stems from inadequate server certificate validation in the OPC-UA client and ANSL over TLS client components within Automation Studio versions prior to 6.5. As detailed in the CISA advisory, an unauthenticated attacker with network access could position themselves as a man-in-the-middle, leveraging manipulated certificates to trick the Automation Studio client into establishing a connection with a malicious server. This type of attack is particularly concerning in operational technology (OT) environments, where the integrity of data exchange is paramount for safe and reliable operations.

Technical Details of CVE-2025-11043

The core of CVE-2025-11043 lies in a weakness classified under CWE-295: Improper Certificate Validation. This means the client applications in ABB B&R Automation Studio do not sufficiently verify the authenticity of the server certificates presented during the establishment of secure communication channels using ANSL over TLS or OPC-UA protocols. An attacker can exploit this by:

• Gaining Network Access: The attacker first needs access to the system network, either directly, through a misconfigured firewall, or by infecting a network node with malicious software.
• Man-in-the-Middle (MITM) Position: Once network access is achieved, the attacker can intercept and redirect communication traffic intended for a legitimate server.
• Presenting Malicious Certificates: The attacker then presents a fraudulently crafted server certificate to the Automation Studio client. Due to the improper validation, the client accepts this malicious certificate, believing it is communicating with a trusted server.

The result is a compromised communication channel, allowing the attacker to read, modify, or inject data into the traffic stream. This can have severe implications, including unauthorized control commands, data exfiltration, or disruption of manufacturing processes. The CVSS v3.1 base score for this vulnerability is 7.4 (High severity), reflecting the significant impact on confidentiality and integrity, even though an attacker needs specific network conditions for exploitation.

Affected Systems and Operational Impact

The vulnerability specifically impacts ABB B&R Automation Studio versions prior to 6.5. Organizations utilizing these versions in critical manufacturing environments are at risk. The consequences of a successful exploit could range from industrial espionage—where an attacker steals proprietary manufacturing data or intellectual property—to direct operational sabotage, potentially leading to equipment damage, production halts, or safety incidents. The precise nature of the impact depends on the specific configurations and the sensitivity of the data being exchanged over the compromised OPC-UA or ANSL over TLS connections.

Understanding how to detect CVE-2025-11043 exploit attempts requires a focus on network-level anomalies and certificate trust. Organizations should monitor network traffic for unusual connections, certificate warnings, or deviations from expected communication patterns, particularly involving OPC-UA and ANSL over TLS endpoints.

Actionable Recommendations and CVE-2025-11043 Mitigation Guide

Defenders must prioritize immediate action to mitigate the risks associated with this vulnerability. The primary recommendation is to update affected systems.

• Patch Immediately: The most critical step is to update ABB B&R Automation Studio to version 6.5 or later. This version contains the necessary fixes to address the improper certificate validation. B&R advises customers to apply this update at their earliest convenience, following the instructions provided in the user manual for identifying installed versions and installing updates. This is the definitive CVE-2025-11043 mitigation guide provided by the vendor.
• Network Segmentation and Isolation: Implement robust network segmentation within the OT environment. CISA and ABB recommend operating B&R Automation Studio within Level 2 of the ABB ICS Cyber Security Reference Architecture when connecting to Level 1 devices via ANSL over TLS or OPC-UA. This trusted environment significantly reduces the risk of successful exploitation by limiting an attacker’s ability to intercept and redirect traffic. Industrial control system networks should be physically protected, isolated from business networks by firewalls, and not directly connected to the internet.
• Secure Remote Access: For any necessary remote access to Automation Studio, employ secure methods such as Virtual Private Networks (VPNs). Ensure VPNs are updated to their latest versions and are configured securely, recognizing that their security is dependent on the connected devices.
• Monitoring and Anomaly Detection: Enhance network monitoring capabilities to detect suspicious activity. This includes looking for unusual certificate validation failures, unexpected network traffic patterns on OPC-UA or ANSL over TLS ports, or attempts to redirect network routing. Integrating with a SIEM can help correlate logs and identify potential intrusion IoCs.
• Defense-in-Depth Strategies: Adopt a comprehensive defense-in-depth approach for ICS environments. This involves multiple layers of security controls, including physical security, secure configurations, access controls, and regular security audits, as outlined in CISA’s recommended practices for improving ICS cybersecurity.

By implementing these measures, organizations can significantly reduce their exposure to ABB Automation Studio <6.5 improper certificate validation and enhance the overall security posture of their critical manufacturing operations.