VYPR

B&R Industrial Automation

All CVEs

88 total · sorted by risk
  • CVE-2025-3450 · Critical · Oct 7, 2025
    risk 0.65 · cvss 10.0 · epss 0.00

    An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network-based attacker to delete data causing denial of service conditions.

  • CVE-2024-45480 · Critical · Mar 25, 2025
    risk 0.60 · cvss n/a · epss 0.00

    An improper control of generation of code ('Code Injection') vulnerability in the AprolCreateReport component of B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to read files from the local system.

  • CVE-2024-8313 · High · Mar 25, 2025
    risk 0.57 · cvss n/a · epss 0.00

    An Exposure of Sensitive System Information to an Unauthorized Control Sphere and Initialization of a Resource with an Insecure Default vulnerability in the SNMP component of B&R APROL <4.4-00P5 may allow an unauthenticated adjacent-based attacker to read and alter configuration…

  • CVE-2024-10210 · High · Mar 25, 2025
    risk 0.55 · cvss n/a · epss 0.00

    An External Control of File Name or Path vulnerability in the APROL Web Portal used in B&R APROL <4.4-005P may allow an authenticated network-based attacker to access data from the file system.

  • CVE-2024-45482 · High · Mar 25, 2025
    risk 0.55 · cvss n/a · epss 0.00

    An Inclusion of Functionality from Untrusted Control Sphere vulnerability in the SSH server on B&R APROL <4.4-00P1 may allow an authenticated local attacker from a trusted remote server to execute malicious commands.

  • CVE-2024-45481 · High · Mar 25, 2025
    risk 0.55 · cvss n/a · epss 0.00

    An Incomplete Filtering of Special Elements vulnerability in scripts using the SSH server on B&R APROL <4.4-00P5 may allow an authenticated local attacker to authenticate as another legitimate user.

  • CVE-2024-10209 · High · Mar 25, 2025
    risk 0.55 · cvss n/a · epss 0.00

    An Incorrect Permission Assignment for Critical Resource vulnerability in the file system used in B&R APROL <4.4-01 may allow an authenticated local attacker to read and alter the configuration of another engineering or runtime user.

  • CVE-2024-10490 · High · Dec 2, 2024
    risk 0.55 · cvss n/a · epss 0.00

    An “Authentication Bypass Using an Alternate Path or Channel” vulnerability in the OPC UA Server configuration required for B&R mapp Cockpit before 6.0, B&R mapp View before 6.0, B&R mapp Services before 6.0, B&R mapp Motion before 6.0 and B&R mapp Vision before 6.0 may be…

  • CVE-2024-8603 · High · Jan 15, 2025
    risk 0.49 · cvss 7.5 · epss 0.00

    A “Use of a Broken or Risky Cryptographic Algorithm” vulnerability in the SSL/TLS component used in B&R Automation Runtime versions before 6.1 and B&R mapp View versions before 6.1 may be abused by unauthenticated network-based attackers to masquerade as services on impacted…

  • CVE-2025-11043 · High · Jan 19, 2026
    risk 0.48 · cvss 7.4 · epss 0.00

    An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges.

  • CVE-2024-45484 · High · Mar 25, 2025
    risk 0.47 · cvss n/a · epss 0.00

    An Allocation of Resources Without Limits or Throttling vulnerability in the operating system network configuration used in B&R APROL <4.4-00P5 may allow an unauthenticated adjacent attacker to perform Denial-of-Service (DoS) attacks against the product.

  • CVE-2024-2637 · High · May 14, 2024
    risk 0.47 · cvss 7.2 · epss 0.00

    An Uncontrolled Search Path Element vulnerability in B&R Industrial Automation Scene Viewer, B&R Industrial Automation Automation Runtime, B&R Industrial Automation mapp Vision, B&R Industrial Automation mapp View, B&R Industrial Automation mapp Cockpit, B&R Industrial…

  • CVE-2024-45483 · High · Mar 25, 2025
    risk 0.46 · cvss n/a · epss 0.00

    A Missing Authentication for Critical Function vulnerability in the GRUB configuration used in B&R APROL <4.4-01 may allow an unauthenticated physical attacker to alter the boot configuration of the operating system.

  • CVE-2024-10206 · Medium · Mar 25, 2025
    risk 0.45 · cvss n/a · epss 0.00

    A Server-Side Request Forgery vulnerability in the APROL Web Portal used in B&R APROL <4.4-00P5 may allow an unauthenticated network-based attacker to force the web server to request arbitrary URLs.

  • CVE-2025-11044 · Medium · Jan 19, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenticated attacker on the network to win a race condition, resulting in permanent…

  • CVE-2024-8315 · Medium · Mar 25, 2025
    risk 0.44 · cvss n/a · epss 0.00

    An Improper Handling of Insufficient Permissions or Privileges vulnerability in scripts used in B&R APROL <4.4-00P5 may allow an authenticated local attacker to read credential information.

  • CVE-2025-11498 · Medium · Oct 14, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability…

  • CVE-2025-3448 · Medium · Oct 7, 2025
    risk 0.40 · cvss 6.1 · epss 0.00

    Reflected cross-site scripting (XSS) vulnerabilities exist in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 that enable a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session.

  • CVE-2024-8314 · Medium · Mar 25, 2025
    risk 0.36 · cvss n/a · epss 0.00

    An Incorrect Implementation of Authentication Algorithm and Exposure of Data Element to Wrong Session vulnerability in the session handling used in B&R APROL <4.4-00P5 may allow an authenticated network attacker to take over a currently active user session without login…

  • CVE-2024-10207 · Medium · Mar 25, 2025
    risk 0.34 · cvss n/a · epss 0.00

    A Server-Side Request Forgery vulnerability in the APROL Web Portal used in B&R APROL <4.4-00P5 may allow an authenticated network-based attacker to force the web server to request arbitrary URLs.

  • CVE-2024-5801 · Medium · Aug 12, 2024
    risk 0.34 · cvss n/a · epss 0.00

    Enabled IP Forwarding feature in B&R Automation Runtime versions before 6.0.2 may allow remote attackers to compromise network security by routing IP-based packets through the host, potentially bypassing firewall, router, or NAC filtering.

  • CVE-2026-0936 · Medium · Jan 29, 2026
    risk 0.33 · cvss 5.0 · epss 0.00

    An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client…

  • CVE-2024-10208 · Medium · Mar 25, 2025
    risk 0.33 · cvss n/a · epss 0.00

    An Improper Neutralization of Input During Web Page Generation vulnerability in the APROL Web Portal used in B&R APROL <4.4-00P5 may allow an authenticated network-based attacker to insert malicious code which is then executed in the context of the user’s browser session.

  • CVE-2025-3449 · Medium · Oct 7, 2025
    risk 0.27 · cvss 4.2 · epss 0.00

    A Generation of Predictable Numbers or Identifiers vulnerability in the SDM component of B&R Automation Runtime versions before 6.4 may allow an unauthenticated network-based attacker to take over already established sessions.

  • CVE-2024-5624 · Aug 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Reflected Cross-Site Scripting (XSS) in Shift Logbook application of B&R APROL <= R 4.4-00P3 may allow a network-based attacker to execute arbitrary JavaScript code in the context of the user's browser session.

  • CVE-2024-5623 · Aug 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An untrusted search path vulnerability in B&R APROL <= R 4.4-00P3 may be used by an authenticated local attacker to get other users to execute arbitrary code under their privileges.

  • CVE-2024-5622 · Aug 29, 2024
    risk 0.00 · cvss n/a · epss 0.00

    An untrusted search path vulnerability in the AprolConfigureCCServices of B&R APROL <= R 4.2.-07P3 and <= R 4.4-00P3 may allow an authenticated local attacker to execute arbitrary code with elevated privileges.

  • CVE-2024-5800 · Aug 10, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Diffie-Hellman groups with insufficient strength are used in the SSL/TLS stack of B&R Automation Runtime versions before 6.0.2, allowing a network attacker to decrypt the SSL/TLS communication.

  • CVE-2021-22280 · May 14, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Improper DLL loading algorithms in B&R Automation Studio versions >=4.0 and <4.12 may allow an authenticated local attacker to execute code in the context of the product.

  • CVE-2024-0220 · Feb 22, 2024
    risk 0.00 · cvss n/a · epss 0.00

    B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data.

  • CVE-2023-6028 · Feb 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A reflected cross-site scripting (XSS) vulnerability exists in the SVG version of System Diagnostics Manager of B&R Automation Runtime versions <= G4.93 that enables a remote attacker to execute arbitrary JavaScript code in the context of the attacked user’s browser session. …

  • CVE-2024-0323 · Feb 5, 2024
    risk 0.00 · cvss n/a · epss 0.00

    The FTP server used on the B&R Automation Runtime supports unsecure encryption mechanisms, such as SSLv3, TLSv1.0 and TLS1.1. A network-based attacker can exploit the flaws to conduct man-in-the-middle attacks or to decrypt communications between the affected product clients.

  • CVE-2021-22281 · Feb 2, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Relative Path Traversal vulnerability in B&R Industrial Automation Automation Studio allows Relative Path Traversal. This issue affects Automation Studio: from 4.0 through 4.12.

  • CVE-2020-24682 · Feb 2, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Unquoted Search Path or Element vulnerability in B&R Industrial Automation Automation Studio, B&R Industrial Automation NET/PVI allows Target Programs with Elevated Privileges. This issue affects Automation Studio: from 4.0 through 4.6, from 4.7.0 before 4.7.7 SP, from 4.8.0…

  • CVE-2020-24681 · Feb 2, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Incorrect Permission Assignment for Critical Resource vulnerability in B&R Industrial Automation Automation Studio allows Privilege Escalation. This issue affects Automation Studio: from 4.6.0 through 4.6.X, from 4.7.0 before 4.7.7 SP, from 4.8.0 before 4.8.6 SP, from 4.9.0…

  • CVE-2021-22282 · Feb 2, 2024
    risk 0.00 · cvss n/a · epss 0.00

    Improper Control of Generation of Code ('Code Injection') vulnerability in B&R Industrial Automation Automation Studio allows Local Execution of Code. This issue affects Automation Studio: from 4.0 through 4.12.

  • CVE-2023-3242 · Jul 26, 2023
    risk 0.00 · cvss n/a · epss 0.00

    Improper initialization implementation in Portmapper used in B&R Industrial Automation Automation Runtime <G4.93 allows unauthenticated network-based attackers to cause permanent denial-of-service conditions.

  • CVE-2023-1617 · Apr 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Improper Authentication vulnerability in B&R Industrial Automation B&R VC4 (VNC-Server modules). This vulnerability may allow an unauthenticated network-based attacker to bypass the authentication mechanism of the VC4 visualization on affected devices. The impact of this…

  • CVE-2022-4286 · Feb 14, 2023
    risk 0.00 · cvss n/a · epss 0.01

    A reflected cross-site scripting (XSS) vulnerability exists in System Diagnostics Manager of B&R Automation Runtime versions >=3.00 and <=C4.93 that enables a remote attacker to execute arbitrary JavaScript in the context of the user's browser session.

  • CVE-2022-43765 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    B&R APROL versions < R 4.2-07 doesn’t process correctly specially formatted data packages sent to port 55502/tcp, which may allow a network based attacker to cause an application Denial-of-Service.

  • CVE-2022-43764 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Insufficient validation of input parameters when changing configuration on Tbase server in B&R APROL versions < R 4.2-07 could result in buffer overflow. This may lead to Denial-of-Service conditions or execution of arbitrary code.

  • CVE-2022-43763 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Insufficient check of preconditions could lead to Denial of Service conditions when calling commands on the Tbase server of B&R APROL versions < R 4.2-07.

  • CVE-2022-43762 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Lack of verification in B&R APROL Tbase server versions < R 4.2-07 may lead to memory leaks when receiving messages.

  • CVE-2022-43761 · Feb 8, 2023
    risk 0.00 · cvss n/a · epss 0.01

    Missing authentication when creating and managing the B&R APROL database in versions < R 4.2-07 allows reading and changing the system configuration.

  • CVE-2021-22289 · Aug 11, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Improper Input Validation vulnerability in the project upload mechanism in B&R Automation Studio version >=4.0 may allow an unauthenticated network attacker to execute code.

  • CVE-2021-22275 · May 13, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Buffer Overflow vulnerability in B&R Automation Runtime webserver allows an unauthenticated network-based attacker to stop the cyclic program on the device and cause a denial of service.

  • CVE-2022-25786 · May 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Unprotected Alternate Channel vulnerability in debug console of GateManager allows system administrator to obtain sensitive information. This issue affects: GateManager all versions prior to 9.7.

  • CVE-2022-25787 · May 4, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Information Exposure Through Query Strings in GET Request vulnerability in LMM API of Secomea GateManager allows system administrator to hijack connection. This issue affects: Secomea GateManager all versions prior to 9.7.

  • CVE-2022-25783 · May 4, 2022
    risk 0.00 · cvss n/a · epss 0.01

    Insufficient Logging vulnerability in web server of Secomea GateManager allows logged in user to issue improper queries without logging. This issue affects: Secomea GateManager versions prior to 9.7.

  • CVE-2022-25782 · May 4, 2022
    risk 0.00 · cvss n/a · epss 0.00

    Improper Handling of Insufficient Privileges vulnerability in Web UI of Secomea GateManager allows logged in user to access and update privileged information. This issue affects: Secomea GateManager versions prior to 9.7.
