VYPR
Advisory · Published Jun 4, 2026 · 1 source

CISA Warns of Critical Denial-of-Service Vulnerability in B&R PPT30 Operating System

A critical vulnerability in B&R's PPT30 Operating System could allow unauthenticated attackers to render the OPC-UA server inaccessible, impacting critical infrastructure sectors worldwide.

CISA has issued a critical advisory detailing a vulnerability within the B&R PPT30 Operating System, specifically affecting versions prior to 1.8.0. The flaw, identified as CVE-2025-11482, resides in the system's OPC-UA server and could permit an unauthenticated network attacker to exploit resource allocation issues. Successful exploitation could lead to a denial-of-service condition, making the OPC-UA server unresponsive and inaccessible to legitimate users.

The vulnerability, classified with a CVSS v3.1 score of 7.5 (HIGH), is categorized as an "Allocation of Resources Without Limits or Throttling" issue. This means an attacker can send specially crafted messages to an affected system node, overwhelming its resource management capabilities. The attack requires network access to the system, which could be achieved through direct connection, a compromised firewall, or malicious software already present on the network.

B&R Industrial Automation GmbH, the vendor, has acknowledged the vulnerability and released version 1.8.0 of the PPT30 Operating System as a fix. The company strongly recommends that customers with the OPC-UA server enabled update to this patched version as soon as possible. Information on identifying the installed version and the update process is available in the product's user manual.

While the OPC-UA server is not enabled by default, B&R emphasizes that it should only be activated if absolutely necessary. For systems where the server is active, additional mitigation strategies are advised. These include configuring firewalls to restrict access to the OPC-UA server exclusively to trusted IP addresses and ensuring proper network segmentation. Furthermore, physical access to network interfaces connected to the PPT30 should be limited to authorized personnel.
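As an added example (not code from CISA, B&R or the original advisory), the following Python script applies the advisory's conditions to a fleet inventory of PPT30 nodes: whether the installed version is prior to 1.8.0, whether the OPC-UA server is enabled, and whether the firewall allowlist is limited to trusted IP addresses. The inventory records, their field names, the trusted subnet and the IP addresses are constructed for illustration.

```python
from ipaddress import ip_network

# Version that closes CVE-2025-11482 according to the advisory.
FIXED_VERSION = (1, 8, 0)


def parse_version(text):
    """'1.7.2' -> (1, 7, 2): compare numerically, so 1.10.0 ranks above 1.8.0."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version):
    """True for any PPT30 Operating System version prior to 1.8.0."""
    return parse_version(version) < FIXED_VERSION


def allowlist_is_restrictive(allowlist, trusted_nets):
    """Allowlist must be non-empty and every entry must sit inside a trusted network."""
    if not allowlist:
        return False
    trusted = [ip_network(n) for n in trusted_nets]
    for entry in allowlist:
        net = ip_network(entry)
        if not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            return False  # e.g. 0.0.0.0/0 or a subnet broader than the trusted ones
    return True


def triage_node(node, trusted_nets):
    """Classify one node as patched, update, mitigated or exposed."""
    if not is_vulnerable(node["version"]):
        return "patched"
    if not node["opcua_enabled"]:
        return "update"      # server off, so not reachable; still schedule the 1.8.0 update
    if allowlist_is_restrictive(node.get("allowlist", []), trusted_nets):
        return "mitigated"   # reachable only from trusted IPs; update at the next window
    return "exposed"         # vulnerable server reachable from untrusted hosts; update now


def triage(inventory, trusted_nets):
    return {node["name"]: triage_node(node, trusted_nets) for node in inventory}


# Constructed sample inventory and trusted engineering subnet (not from the advisory).
TRUSTED_NETS = ["10.20.5.0/24"]
INVENTORY = [
    {"name": "hmi-line1", "version": "1.7.3", "opcua_enabled": True, "allowlist": []},
    {"name": "hmi-line2", "version": "1.7.3", "opcua_enabled": True, "allowlist": ["10.20.5.10/32"]},
    {"name": "hmi-line3", "version": "1.8.0", "opcua_enabled": True, "allowlist": []},
    {"name": "hmi-line4", "version": "1.7.3", "opcua_enabled": True, "allowlist": ["10.0.0.0/8"]},
    {"name": "hmi-pack", "version": "1.6.0", "opcua_enabled": False},
    {"name": "hmi-util", "version": "1.10.0", "opcua_enabled": True, "allowlist": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY, TRUSTED_NETS).items():
        print(f"{name}: {status}")
```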

The potential impact of this vulnerability is significant, as the B&R PPT30 Operating System is deployed across various critical infrastructure sectors globally, including Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, and Water and Wastewater. The ability for an attacker to disable the OPC-UA server could disrupt operations and compromise the availability of essential services.

B&R discovered the vulnerability through its own internal security analysis and has not received any reports of it being actively exploited in the wild at the time of the advisory's release. However, the nature of the vulnerability, allowing remote exploitation by unauthenticated attackers, necessitates prompt patching and adherence to security best practices.

CISA urges users to implement defensive measures to minimize exploitation risks, including minimizing network exposure for all control system devices and ensuring they are not directly accessible from the internet. Proper network segmentation and access controls are crucial for protecting these sensitive environments. The advisory also references relevant CWEs and provides links to further details on the vulnerability and recommended remediation steps.

Synthesized by Vypr AI