CVE-2025-3941
📋 TL;DR
This vulnerability allows attackers to manipulate input data through improper handling of Windows ::DATA Alternate Data Streams in Tridium Niagara Framework and Enterprise Security on Windows systems. It affects Niagara Framework and Niagara Enterprise Security versions before 4.14.2, 4.15.1, and 4.10.11. Organizations using these vulnerable versions on Windows platforms are at risk.
💻 Affected Systems
- Tridium Niagara Framework
- Tridium Niagara Enterprise Security
📦 What is this software?
Niagara by Tridium
Niagara by Tridium
Niagara by Tridium
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate system data to cause service disruption, modify configuration files, or potentially execute arbitrary code with the privileges of the Niagara service account.
Likely Case
Data manipulation leading to configuration changes, service disruption, or unauthorized access to sensitive information stored in alternate data streams.
If Mitigated
Limited impact with proper network segmentation and access controls, potentially only affecting non-critical data streams.
🎯 Exploit Status
Exploitation requires understanding of Windows Alternate Data Streams and access to manipulate input data
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.14.2u2, 4.15.u1, or 4.10u.11
Vendor Advisory: https://docs.niagara-community.com/category/tech_bull
Restart Required: Yes
Instructions:
1. Download the patched version from Tridium/Honeywell official sources. 2. Backup current configuration and data. 3. Install the patched version following vendor documentation. 4. Restart Niagara services. 5. Verify functionality post-upgrade.
🔧 Temporary Workarounds
Restrict File System Access
windowsLimit Niagara service account permissions to only necessary directories and files
Use Windows ACLs to restrict Niagara service account to minimal required directories
Network Segmentation
allIsolate Niagara systems from untrusted networks and users
Configure firewall rules to restrict access to Niagara systems
🧯 If You Can't Patch
- Implement strict access controls and network segmentation to limit exposure
- Monitor for unusual file system activity and Niagara service behavior
🔍 How to Verify
Check if Vulnerable:
Check Niagara Framework version in Niagara AX Supervisor or through version files in installation directoryCheck Version:
Check Niagara version through Supervisor interface or examine version.txt in Niagara installation directoryVerify Fix Applied:
Verify installed version matches patched versions (4.14.2u2, 4.15.u1, or 4.10u.11)📡 Detection & Monitoring
Log Indicators:
- Unusual file system access patterns
- Unexpected Niagara service restarts
- Configuration changes not initiated by administrators
Network Indicators:
- Unusual network traffic to Niagara systems
- Unauthorized access attempts to Niagara services
SIEM Query:
Search for Niagara service account accessing unusual file paths or performing unexpected file operations