CVE-2025-11043

7.4 HIGH

📋 TL;DR

An improper certificate validation vulnerability in OPC-UA and ANSL over TLS clients in Automation Studio allows attackers to intercept and manipulate data exchanges. This affects Automation Studio versions before 6.5, potentially impacting industrial control systems using these communication protocols.

💻 Affected Systems

Products:
  • Automation Studio
Versions: All versions before 6.5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Requires OPC-UA or ANSL over TLS client functionality to be enabled

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete interception and manipulation of industrial control data leading to process disruption, equipment damage, or safety incidents

🟠

Likely Case

Data interception allowing reconnaissance, data theft, or injection of false data into industrial processes

🟢

If Mitigated

Limited impact due to network segmentation and proper certificate validation

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Man-in-the-middle position required on network path between clients

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5 or later

Vendor Advisory: https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf

Restart Required: Yes

Instructions:

1. Download Automation Studio 6.5 or later from the BR Automation website
2. Install the update following vendor instructions
3. Restart affected systems and applications

🔧 Temporary Workarounds

Network Segmentation

all

Isolate Automation Studio systems from untrusted networks

Certificate Pinning

all

Configure clients to only accept specific trusted certificates

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Automation Studio systems
  • Use VPN tunnels for all OPC-UA and ANSL over TLS communications

🔍 How to Verify

Check if Vulnerable:

Check Automation Studio version in Help > About menu

Check Version:

Not applicable - check via GUI

Verify Fix Applied:

Verify version is 6.5 or later and test certificate validation

📡 Detection & Monitoring

Log Indicators:

  • Certificate validation failures
  • Unexpected connection resets

Network Indicators:

  • Unusual TLS handshake patterns
  • MITM detection alerts

SIEM Query:

source="automation_studio" AND (event_type="certificate_error" OR event_type="connection_reset")
