HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Session Hijack and Code Execution Vulnerabilities (CVE‑2025‑3449/3448/11498) in ABB B&R Automation Runtime

ABB B&R Automation Runtime versions before 6.4 contain three critical flaws that enable unauthenticated attackers to take over web sessions or run code in the victim's browser context. The issue affects energy‑sector control systems worldwide, creating a supply‑chain risk for any organization that relies on ABB automation services.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 cisa.gov
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
cisa.gov

Multiple Critical Vulnerabilities (CVE‑2025‑3449, CVE‑2025‑3448, CVE‑2025‑11498) in ABB B&R Automation Runtime Enable Session Hijacking and Code Execution

What It Is – ABB B&R Automation Runtime versions prior to 6.4 contain three independent flaws: a predictable identifier generation issue (CVE‑2025‑3449), a cross‑site scripting weakness (CVE‑2025‑3448), and improper CSV formula handling (CVE‑2025‑11498). An unauthenticated network attacker can hijack an existing web session or run arbitrary code in the context of the victim’s browser.

Exploitability – The vulnerabilities are publicly disclosed and a vendor‑provided fix is available. No public exploit code has been observed, but the attack surface (web‑based HMI) makes exploitation feasible for motivated actors. CVSS v3.1 base score is 6.1 (moderate), but the combined impact on industrial control environments raises the practical severity.

Affected Products – ABB B&R Automation Runtime < 6.4 (all releases before version 6.4).

TPRM Impact

  • Compromise of a control‑system runtime can cascade to downstream suppliers that rely on ABB B&R for automation services.
  • Session takeover may allow attackers to manipulate process parameters, leading to production downtime or safety incidents.
  • The issue spans worldwide deployments, exposing multinational supply chains in the energy sector.

Recommended Actions

  • Deploy the ABB‑issued patch for Automation Runtime ≥ 6.4 immediately.
  • Conduct an inventory of all ABB B&R Automation Runtime instances and verify version compliance.
  • Segment HMI/web‑interface traffic from corporate networks and enforce strict access controls.
  • Enable logging of web‑session activity and monitor for anomalous commands or unexpected CSV uploads.
  • Update third‑party risk registers to reflect the new vulnerability and reassess vendor risk scores.

Source: CISA Advisory – ICSA‑26‑141‑04

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-141-04

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →