VYPR advisory · Published Jun 30, 2026 · 1 source

CISA Warns of XZ Utils Vulnerability Affecting B&R Industrial Automation Products

CISA has issued an advisory for CVE-2025-31115, a race condition vulnerability in XZ Utils impacting several B&R Industrial Automation products, potentially leading to system crashes or memory corruption.

The Cybersecurity and Infrastructure Security Agency (CISA) has alerted organizations to a critical race condition vulnerability, identified as CVE-2025-31115, present in the XZ Utils data-compression library. This vulnerability affects specific versions of B&R Industrial Automation products, including models such as PPC3100, C50, C80, FT50, MT50, T30, T80, and T50. Successful exploitation could result in the affected product ceasing to function or experiencing memory data corruption, posing a significant risk to industrial control systems.

The vulnerability resides within the multithreaded .xz decoder in liblzma, a component of XZ Utils. In versions 5.3.3alpha through 5.8.0, improperly handled invalid input can trigger a crash. The potential consequences include heap use-after-free errors and attempts to write to memory addresses derived from a null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are susceptible to this flaw.

B&R Industrial Automation GmbH has identified specific product versions that are affected by this vulnerability. For instance, PPC3100 and FT50 are vulnerable if running versions prior to 1.8.1, while C50, C80, T30, and T80 are affected if running versions earlier than 1.8.0. The company recommends that customers update their affected products to the patched versions as soon as possible to mitigate the risks associated with CVE-2025-31115.

The issue has been addressed in XZ Utils version 5.8.1. The fix has also been integrated into the v5.4, v5.6, v5.8, and master branches of the xz Git repository. While no new release packages will be generated from the older stable branches, a standalone patch is available for application to all affected releases. B&R has released updated versions for its affected products, including PPC3100 1.8.1, C50 1.8.0, C80 1.8.0, FT50 1.8.1, MT50 1.8.1, T30 1.8.0, T80 1.8.0, and T50 1.8.1.
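As an added example (not part of the advisory or of the XZ Utils or B&R projects), the following Python script turns the affected-version ranges above into a repeatable inventory check. It parses the output of `xz --version`, encodes the liblzma version the way liblzma's own LZMA_VERSION macro does (major×10000000 + minor×10000 + patch×10 + stability, with alpha=0, beta=1, stable=2), so that "5.3.3alpha" sorts correctly before "5.3.3", and reports whether the library falls in the 5.3.3alpha to 5.8.0 range. It also compares a B&R product firmware version against the fixed versions listed in the advisory. The sample `xz --version` outputs are constructed for the example; the function and constant names are the author's own.

```python
import re

# liblzma encodes its version as the integer XYYYZZZS (LZMA_VERSION in lzma/version.h):
# S is 0 for alpha, 1 for beta, 2 for stable. Reusing that encoding lets a plain
# integer comparison order "5.3.3alpha" < "5.3.3beta" < "5.3.3" without special cases.
STAGE = {"alpha": 0, "beta": 1, "": 2}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(alpha|beta)?$")


def encode_version(text):
    """Encode an xz/liblzma version string such as '5.3.3alpha' or '5.8.1' as an integer."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised xz version string: {text!r}")
    major, minor, patch, stage = m.groups()
    return int(major) * 10_000_000 + int(minor) * 10_000 + int(patch) * 10 + STAGE[stage or ""]


# Affected range from the advisory: 5.3.3alpha through 5.8.0; fixed in 5.8.1.
VULN_FIRST = encode_version("5.3.3alpha")
VULN_LAST = encode_version("5.8.0")
FIXED_LIBLZMA = "5.8.1"


def liblzma_is_affected(version_text):
    """True if this liblzma version carries the multithreaded-decoder race condition."""
    v = encode_version(version_text)
    return VULN_FIRST <= v <= VULN_LAST


def liblzma_version_from_xz_output(output):
    """Pull the liblzma version out of `xz --version` output (second line: 'liblzma X.Y.Z')."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "liblzma":
            return parts[1]
    raise ValueError("no 'liblzma <version>' line found in xz --version output")


# B&R fixed product versions as listed in the advisory.
BR_FIXED = {
    "PPC3100": "1.8.1", "C50": "1.8.0", "C80": "1.8.0", "FT50": "1.8.1",
    "MT50": "1.8.1", "T30": "1.8.0", "T80": "1.8.0", "T50": "1.8.1",
}


def parse_dotted(version):
    """'1.8.0' -> (1, 8, 0) so that tuple comparison orders versions numerically."""
    return tuple(int(x) for x in version.strip().split("."))


def br_product_is_affected(product, version):
    """True if the installed B&R product version predates the fixed release."""
    fixed = BR_FIXED[product]  # KeyError for products the advisory does not list
    return parse_dotted(version) < parse_dotted(fixed)


def audit_xz_output(output):
    """Summarise one host's `xz --version` output as a small report dict."""
    ver = liblzma_version_from_xz_output(output)
    return {"liblzma": ver, "affected": liblzma_is_affected(ver), "fixed_in": FIXED_LIBLZMA}


# Constructed sample outputs (not captured from a real host).
SAMPLE_VULN = "xz (XZ Utils) 5.6.2\nliblzma 5.6.2\n"
SAMPLE_OK = "xz (XZ Utils) 5.8.1\nliblzma 5.8.1\n"

if __name__ == "__main__":
    for sample in (SAMPLE_VULN, SAMPLE_OK):
        print(audit_xz_output(sample))
    for product, version in (("PPC3100", "1.8.0"), ("C50", "1.8.0")):
        print(product, version, "affected" if br_product_is_affected(product, version) else "patched")
```

On a real host, feed `subprocess.run(["xz", "--version"], capture_output=True, text=True).stdout` into `audit_xz_output`; note that the check only covers the system xz package, so applications that bundle their own copy of liblzma need to be inventoried separately.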

According to CISA's advisory, the vulnerability has a CVSS v3.1 base score of 7.5, categorized as HIGH severity. The attack vector is network-based (AV:N), requires low complexity (AC:L), and needs no privileges (PR:N) or user interaction (UI:N). While it doesn't directly lead to confidentiality or integrity loss (C:N, I:N), it has a high impact on availability (A:H). The vulnerability has been publicly disclosed, and CISA notes that B&R had not received reports of active exploitation at the time of the advisory's issuance.

CISA strongly recommends implementing defensive measures to minimize exploitation risks. These include minimizing network exposure for all control system devices, ensuring they are not directly accessible from the internet, and segmenting control system networks from business networks using firewalls with minimal exposed ports. When remote access is necessary, secure methods like Virtual Private Networks (VPNs) should be employed, ensuring VPNs themselves are kept updated and secure.

This advisory highlights the ongoing challenges in securing industrial control systems, where vulnerabilities in foundational software components like XZ Utils can have widespread implications across various hardware vendors. The prompt disclosure by CISA and the availability of patches from both the XZ Utils project and B&R are crucial steps in protecting critical infrastructure from potential disruption.

Synthesized by Vypr AI