VYPR
Advisory · Published May 21, 2026 · 1 source

CISA Warns of Three Vulnerabilities in ABB B&R Automation Runtime, Including Session Hijack and XSS

CISA has issued an advisory for three vulnerabilities in ABB B&R Automation Runtime, including a session hijack flaw (CVE-2025-3449) that could allow unauthenticated attackers to take over remote sessions.

CISA has published an advisory warning of three vulnerabilities in ABB B&R Automation Runtime, a widely used industrial automation platform deployed across the energy sector worldwide. The flaws—tracked as CVE-2025-3449, CVE-2025-3448, and CVE-2025-11498—affect versions prior to 6.4 and could enable attackers to hijack remote sessions, execute arbitrary JavaScript, or inject malicious formulas into CSV files.

The most severe of the three is CVE-2025-3449, a "generation of predictable numbers or identifiers" weakness in the System Diagnostic Manager (SDM) component. With a CVSS v3.1 base score of 4.2 (medium), the flaw allows an unauthenticated network-based attacker to take over already established remote sessions: because the session identifiers are predictable, an attacker can guess a valid one rather than needing to steal it. The SDM component is disabled by default in Automation Runtime version 6, but organizations that have enabled it on active systems outside secured production networks are at heightened risk.

The second vulnerability, CVE-2025-3448, is a reflected cross-site scripting (XSS) flaw in the same SDM component, carrying a CVSS score of 6.1 (medium). An attacker can exploit this by crafting a malicious link that, when clicked by a user, executes arbitrary JavaScript in the context of the victim's browser session. This could lead to data theft, session hijacking, or further compromise within the industrial control system environment.

The third issue, CVE-2025-11498, is a CSV injection vulnerability (CVSS 6.1) that allows an attacker to inject formula elements into a generated CSV file via a malicious link. Exploitation requires the user to click the link and then manually open the resulting CSV file in a spreadsheet application, where the injected formula could execute arbitrary commands or exfiltrate data. While the attack chain is more complex, it highlights the importance of user awareness in industrial settings.
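One way a defender can check an export for formula-bearing cells and neutralize them before the file reaches a spreadsheet, shown here as an added Python example that is not code from the advisory, CISA, or B&R; the function names, the trigger list and the sample rows are assumptions constructed for illustration:

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula, or that can break out of a cell and start one (standard CSV
# injection mitigation list; not taken from the advisory or the vendor).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def is_formula_cell(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell as a formula.
    Leading spaces are stripped first; some applications ignore them."""
    return value.lstrip(" ").startswith(FORMULA_TRIGGERS)


def neutralize_cell(value: str) -> str:
    """Prefix formula-like cells with a single quote so they render as text.
    Trade-off: plain negative numbers such as "-5" are prefixed too, so emit
    numeric columns as numbers rather than free-form strings."""
    return "'" + value if is_formula_cell(value) else value


def write_csv(rows: list[list[str]]) -> str:
    """Serialise rows to CSV, neutralizing every cell and quoting every field.
    QUOTE_ALL keeps embedded separators and newlines inside one cell, so a
    value like 'x,=1+1' cannot split into a second cell that is a formula."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def csv_is_safe(text: str) -> bool:
    """Re-parse generated CSV and confirm no cell would evaluate as a formula."""
    cells = (c for row in csv.reader(io.StringIO(text)) for c in row)
    return not any(is_formula_cell(c) for c in cells)


# Constructed sample export. The third task name stands in for a value that
# arrived through an attacker-controlled link parameter (hypothetical).
SAMPLE_ROWS = [
    ["task", "status"],
    ["motor_ctrl", "running"],
    ["=SUM(1,2)", "stopped"],
    ["  -2+3", "idle"],
    ["x,=1+1", "idle"],
]
```

Running `csv_is_safe` over an existing export is a quick audit step; `write_csv` is the shape of the fix to apply where the file is generated.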

ABB B&R has released Automation Runtime version 6.4 to address all three vulnerabilities. The company recommends that customers using SDM apply the update based on their risk assessment at their earliest convenience. For those who do not require SDM, the default disabled state provides a natural mitigation. CISA notes that the vulnerabilities were identified through B&R's internal security analysis and reported by ABB PSIRT.

The advisory underscores the ongoing challenge of securing industrial control systems, where legacy components and default configurations can create blind spots. With Automation Runtime deployed in critical energy infrastructure worldwide, the disclosure serves as a reminder for asset owners to audit their use of diagnostic tools and ensure they are not exposed to untrusted networks. Organizations should review the CISA advisory for full details and remediation guidance.

Synthesized by Vypr AI