CVE-2025-3937

7.7 HIGH

📋 TL;DR

This vulnerability allows attackers to perform cryptanalysis on password hashes in Tridium Niagara Framework and Enterprise Security products. Attackers could potentially recover passwords due to insufficient computational effort in the hashing algorithm. This affects all systems running vulnerable versions of these products on Windows, Linux, or QNX operating systems.

💻 Affected Systems

Products:
  • Tridium Niagara Framework
  • Tridium Niagara Enterprise Security
Versions: Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11
Operating Systems: Windows, Linux, QNX
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations of affected versions are vulnerable. The vulnerability exists in the password hashing implementation itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers successfully crack password hashes, gain unauthorized access to Niagara systems, and potentially compromise building automation/control systems.

🟠 Likely Case: Attackers with access to password hash databases could perform offline password cracking, leading to credential theft and unauthorized access.

🟢 If Mitigated: With strong, unique passwords and proper network segmentation, impact is limited even if hashes are obtained.

🌐 Internet-Facing: HIGH - Internet-facing Niagara instances could have password hashes exposed to attackers.
🏢 Internal Only: MEDIUM - Internal systems still at risk from insider threats or lateral movement attacks.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to password hashes (typically through database access or memory dump). The actual cryptanalysis requires computational resources and time depending on password strength.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11

Vendor Advisory: https://docs.niagara-community.com/category/tech_bull

Restart Required: Yes

Instructions:

1. Back up all Niagara configurations and databases.
2. Download the appropriate patched version from Tridium/Honeywell.
3. Stop all Niagara services.
4. Install the update following vendor documentation.
5. Restart services and verify functionality.

🔧 Temporary Workarounds

  • Enforce Strong Password Policy (all platforms): Require complex, long passwords to increase computational effort for hash cracking
  • Network Segmentation (all platforms): Isolate Niagara systems from untrusted networks and limit access to necessary personnel only

🧯 If You Can't Patch

  • Implement strict network access controls and firewall rules to limit exposure
  • Enable multi-factor authentication where available and enforce password rotation policies

🔍 How to Verify

Check if Vulnerable:

Check Niagara version via web interface (Help > About) or command line: 'niagara info' on Linux/Windows

Check Version:

On Windows: 'niagara info' or check registry. On Linux: 'niagara info' or check /opt/niagara/niagara-version.txt

Verify Fix Applied:

Verify version is 4.14.2u2, 4.15.u1, or 4.10u.11 or later. Check that password hashing algorithm has been updated in security settings.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts
  • Multiple failed login attempts from single source
  • Database access logs showing hash extraction

Network Indicators:

  • Unusual traffic to/from Niagara systems
  • Port scanning targeting Niagara ports (4911, 1911, 80, 443)

SIEM Query:

source="niagara" AND (event_type="authentication_failure" OR event_type="database_access") | stats count by src_ip
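
An added example (not code from this page, the vendor, or the product) that applies the query's logic offline to exported events: it counts authentication_failure and database_access events per src_ip inside a sliding time window. Only source, event_type and src_ip come from the query above; the JSON-lines layout, the ts field, the threshold, the window and the sample events are assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

WATCHED = {"authentication_failure", "database_access"}  # from the query above

def flag_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: peak count} for sources reaching `threshold` watched
    events inside any `window`. Threshold and window are assumed defaults."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
            ts, src = datetime.fromisoformat(ev["ts"]), str(ev["src_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed or incomplete record: skip it
        if ev.get("source") == "niagara" and ev.get("event_type") in WATCHED:
            events.append((ts, src))
    recent, peaks = defaultdict(deque), {}
    for ts, src in sorted(events):  # exports are not always in time order
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

def ev_line(ts, src, kind="authentication_failure", source="niagara"):
    """Build one constructed JSON log line (hypothetical format)."""
    return json.dumps({"ts": ts, "source": source, "event_type": kind, "src_ip": src})

# Constructed sample data, not real logs.
SAMPLE = (
    [ev_line(f"2025-06-01T10:00:{s:02d}", "10.0.5.20") for s in range(0, 60, 10)]  # burst of 6
    + [ev_line(f"2025-06-01T1{h}:00:00", "10.0.5.31") for h in range(5)]  # one per hour
    + [ev_line(f"2025-06-01T10:30:{s:02d}", "10.0.5.44") for s in range(0, 40, 10)]
    + [ev_line("2025-06-01T10:30:45", "10.0.5.44", kind="database_access")]
    + [ev_line("2025-06-01T10:31:00", "10.0.5.20", source="other-app"), "not json"]
)

if __name__ == "__main__":
    for src, count in sorted(flag_sources(SAMPLE).items()):
        print(f"{src}: {count} watched events within 5 minutes")
```

The hourly source 10.0.5.31 is not flagged, so the window and threshold need tuning against the site's normal login pattern.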
