CVE-2025-11044
📋 TL;DR
An unauthenticated attacker on the network can exploit a race condition in the ANSL-Server component of B&R Automation Runtime to cause permanent denial-of-service (DoS) conditions on affected devices. This affects B&R Automation Runtime versions prior to 6.5 and prior to R4.93. The vulnerability stems from allocation of resources without proper limits or throttling.
💻 Affected Systems
- B&R Automation Runtime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Permanent denial-of-service rendering affected industrial control devices completely inoperable, requiring physical replacement or factory reset.
Likely Case
Persistent service disruption requiring manual intervention to restore functionality, potentially causing production downtime in industrial environments.
If Mitigated
Limited impact if network segmentation and access controls prevent unauthorized network access to vulnerable devices.
🎯 Exploit Status
Requires winning a race condition, which adds complexity but is feasible for determined attackers. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.5 or R4.93 and later
Vendor Advisory: https://www.br-automation.com/fileadmin/SA25P005-26597bd0.pdf
Restart Required: Yes
Instructions:
1. Download the updated Automation Runtime version 6.5 or R4.93 from B&R support portal.
2. Backup current configuration and programs.
3. Install the update following B&R's upgrade procedures.
4. Restart the automation device.
5. Verify the ANSL-Server component is functioning correctly.
🔧 Temporary Workarounds
Network Segmentation
Isolate vulnerable devices in separate network segments with strict access controls to prevent unauthorized network access.
Firewall Rules
Implement firewall rules to restrict access to ANSL-Server ports (typically TCP 4840, 4841 for OPC UA) to only authorized systems.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable devices from untrusted networks
- Deploy intrusion detection systems to monitor for exploitation attempts and anomalous traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check Automation Runtime version via B&R Automation Studio or device web interface. Versions below 6.5 or R4.93 are vulnerable.
Check Version:
Check via Automation Studio project properties or device web interface under System Information
Verify Fix Applied:
Verify the installed version is 6.5 or higher, or R4.93 or higher. Test ANSL-Server functionality remains operational under normal load.
📡 Detection & Monitoring
Log Indicators:
- ANSL-Server service crashes or restarts
- Resource exhaustion warnings in system logs
- Unusual connection patterns to ANSL-Server ports
Network Indicators:
- Rapid connection attempts to ANSL-Server ports (typically 4840, 4841)
- Unusual traffic patterns suggesting race condition exploitation
SIEM Query:
source="industrial_device" AND ((event="service_crash" AND service="ANSL-Server") OR ((port=4840 OR port=4841) AND connection_count>threshold))
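One way to turn the "rapid connection attempts" network indicator into a concrete check, as an added example that is not from the vendor advisory or this page's source. The log line format, the 10-second window and the threshold of 5 are assumptions to tune against the site's own baseline; the ports are the ones this page lists.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED_PORTS = {4840, 4841}      # ports this page lists for ANSL-Server
WINDOW = timedelta(seconds=10)    # assumed window; tune to the site's baseline
THRESHOLD = 5                     # assumed max new connections per source per window

def parse(line):
    """Parse 'ISO-timestamp src=IP dport=N' (constructed format) into a tuple."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], int(kv["dport"])

def rapid_sources(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak count} for sources exceeding threshold within any window."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    flagged = {}
    for ts, src, dport in sorted(map(parse, lines)):
        if dport not in WATCHED_PORTS:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) > threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

# Constructed sample: one engineering station polling slowly, one noisy source.
SAMPLE = [f"2025-01-01T12:00:{s:02d} src=192.0.2.10 dport=4840" for s in (0, 20, 40)]
SAMPLE += [f"2025-01-01T12:01:{s:02d} src=198.51.100.7 dport=4841" for s in range(8)]
SAMPLE += [f"2025-01-01T12:01:{s:02d} src=198.51.100.7 dport=443" for s in range(8)]

if __name__ == "__main__":
    for src, peak in rapid_sources(SAMPLE).items():
        print(f"{src}: {peak} connections to ANSL-Server ports within {WINDOW.seconds}s")
```

Counting per source keeps a slow, legitimate engineering station below the threshold while a single source opening many connections in a short burst is flagged.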