CVE-2025-3448
📋 TL;DR
A reflected cross-site scripting (XSS) vulnerability in B&R Automation Runtime's System Diagnostics Manager allows remote attackers to inject and execute arbitrary JavaScript code in victims' browsers. This affects users of B&R Automation Runtime versions before 6.4, potentially compromising their sessions and enabling further attacks.
💻 Affected Systems
- B&R Automation Runtime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals session cookies, performs actions as authenticated user, redirects to malicious sites, or installs malware via drive-by downloads.
Likely Case
Session hijacking, credential theft, or defacement of the SDM interface.
If Mitigated
Limited impact if input validation and output encoding are enforced, or if the SDM is not exposed to untrusted users.
🎯 Exploit Status
Exploitation requires user interaction (e.g., clicking a malicious link), but no authentication is needed to trigger the XSS payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 6.4 or later
Vendor Advisory: https://www.br-automation.com/fileadmin/SA25P003-178b6a20.pdf
Restart Required: No
Instructions:
1. Download and install B&R Automation Runtime version 6.4 or later from the vendor.
2. Follow vendor-specific installation procedures for industrial control systems.
3. Verify the update applied successfully.
🔧 Temporary Workarounds
Input Validation and Output Encoding
Implement server-side input validation and output encoding for all user-supplied input that the SDM interface reflects, so that script content is neutralised before it reaches the browser.
Not applicable; requires code changes or configuration adjustments.
Web Application Firewall (WAF)
Deploy a WAF with XSS protection rules in front of the SDM to block requests carrying script payloads.
Not applicable; configure WAF policies to filter XSS payloads.
🧯 If You Can't Patch
- Isolate the SDM interface to a restricted network segment, limiting access to trusted users only.
- Implement Content Security Policy (CSP) headers to restrict script execution sources in the SDM web interface.
🔍 How to Verify
Check if Vulnerable:
Check the B&R Automation Runtime version; if it is below 6.4, the system is vulnerable. Review SDM logs for suspicious input patterns.
Check Version:
Refer to B&R Automation Runtime documentation for version query commands (e.g., using system diagnostics or command-line tools specific to the platform).
Verify Fix Applied:
Confirm the installed version is 6.4 or higher via the system's version check command or interface.
📡 Detection & Monitoring
Log Indicators:
- Unusual HTTP requests with script tags or JavaScript payloads in query parameters to SDM endpoints.
- Multiple failed login attempts or session anomalies following suspicious requests.
Network Indicators:
- HTTP traffic containing malicious scripts in URLs or POST data directed at SDM ports.
- Unexpected redirects or outbound connections from SDM sessions.
SIEM Query:
Example: 'source="SDM" AND (url="*<script>*" OR url="*javascript:*")'
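The SIEM query above only matches a literal `<script>` or `javascript:` in the URL, so percent-encoded or double-encoded variants slip past it. The following is an added detection example, not part of the original advisory: it parses Common Log Format lines, fully URL-decodes each query parameter on SDM requests, and flags the parameters that match reflected-XSS patterns. The `/sdm` path prefix is an assumption (the advisory names no endpoint), and the log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Assumed SDM path prefix (the advisory names no endpoint); adjust to your deployment.
SDM_PATH_PREFIX = "/sdm"

# Reflected-XSS probe patterns, applied to fully URL-decoded parameter values so
# that %3Cscript%3E or javascript%3A are not missed by a literal '<script>' match.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),  # onerror=, onload=, ... (coarse; tune for your parameters)
]
# Request field of a Common Log Format line: ip - - [ts] "METHOD URL PROTO" status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding (double encoding is a common evasion)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(url: str) -> list[str]:
    """Names of query parameters on an SDM URL whose decoded value looks like script injection."""
    parts = urlsplit(url)
    if not parts.path.startswith(SDM_PATH_PREFIX):
        return []
    return [name for name, raw in parse_qsl(parts.query, keep_blank_values=True)
            if any(p.search(fully_decode(raw)) for p in XSS_PATTERNS)]


def scan_log(lines) -> list[tuple[str, str, list[str]]]:
    """Return (client_ip, url, flagged_params) for every SDM request carrying XSS-like input."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (params := suspicious_params(m.group("url"))):
            hits.append((m.group("ip"), m.group("url"), params))
    return hits


# Constructed sample lines, not real traffic: benign, plain payload, double-encoded, non-SDM path.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2025:10:00:01 +0000] "GET /sdm/status?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2025:10:00:02 +0000] "GET /sdm/status?page=<script>alert(1)</script> HTTP/1.1" 200 614',
    '10.0.0.9 - - [01/May/2025:10:00:03 +0000] "GET /sdm/status?q=%253Cscript%253E HTTP/1.1" 200 614',
    '10.0.0.7 - - [01/May/2025:10:00:04 +0000] "GET /other?x=javascript:alert(1) HTTP/1.1" 404 88',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines only; the double-encoded one is exactly the case a literal string match in the SIEM would miss.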