
ABB B&R Automation Runtime DoS Vulnerability in System Diagnostics Manager (SDM)

ABB B&R Automation Runtime contains a critical Improper Resource Locking vulnerability (CVE-2025-3450) within its System Diagnostics Manager (SDM) component. An unauthenticated, remote attacker can exploit this flaw by sending a specially crafted message over the network to delete data, resulting in a denial-of-service condition that halts the affected system node.

Sensitivity: Immediate · Confidence: High · Analyzed: 2026-05-26

Authors: CISA, ABB PSIRT

Source: CISA

IOCs: 1


What Happened

A critical security flaw was discovered in ABB B&R Automation Runtime, a software platform used in industrial control systems worldwide. The vulnerability affects the System Diagnostics Manager (SDM) component and allows an unauthenticated attacker on the network to crash the system by deleting data. This is highly critical because it can halt industrial operations in sectors like energy, manufacturing, and water. Organizations using this software should immediately update to the fixed versions (6.3 or Q4.93) or disable the SDM component if it is not actively needed.

Key Takeaways

  • A critical Improper Resource Locking vulnerability (CVE-2025-3450, CVSS 10.0) exists in the System Diagnostics Manager (SDM) of ABB B&R Automation Runtime.
  • Unauthenticated remote attackers can exploit this flaw to delete data and cause a complete denial-of-service (DoS) condition, halting the system node.
  • The vulnerability is fixed in Automation Runtime versions 6.3 and Q4.93.
  • SDM is disabled by default in AR versions 6.0 and later, but must be manually deactivated in older versions if not required.
  • Mitigations include disabling SDM, implementing mutual TLS (mTLS), and using host-based firewalls to restrict access.

Affected Systems

  • ABB B&R Automation Runtime versions prior to 6.3
  • ABB B&R Automation Runtime versions prior to Q4.93

Vulnerabilities (CVEs)

  • CVE-2025-3450

Attack Chain

An unauthenticated attacker gains network access to a vulnerable ABB B&R Automation Runtime system node. The attacker crafts and sends a specialized message to the System Diagnostics Manager (SDM) component over the network. Due to improper resource locking, the message triggers unauthorized data deletion. This causes the system node to stop functioning, resulting in a complete denial-of-service condition for the industrial controller.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules or queries are provided in the advisory.

Detection Engineering Assessment

EDR Visibility: None. EDR agents are typically not deployed on embedded ICS/OT controllers running Automation Runtime.

Network Visibility: Medium. Network monitoring tools could potentially detect anomalous traffic or malformed requests targeting the SDM webserver port, though encrypted traffic (HTTPS/mTLS) would obscure the payload.

Detection Difficulty: Hard. Without specific signatures for the crafted message, and given the potential use of TLS, detecting the exploit payload on the wire is difficult. Detection relies heavily on identifying unauthorized access to the SDM interface.

Required Log Sources

  • Network Flow Logs
  • Firewall Logs
  • ICS/OT Asset Management Logs

Hunting Hypotheses

Hypothesis: Identify unauthorized or unexpected network connections to the System Diagnostics Manager (SDM) web interface from non-engineering workstations.
Telemetry: Network flow logs, firewall logs
ATT&CK Stage: Delivery
FP Risk: Low to Medium (depending on strictness of network segmentation and baseline of legitimate engineering traffic)
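The hunting hypothesis above, turned into runnable detection logic. This is an added example and not part of the CISA/ABB advisory: it reads flow-log records, keeps only TCP connections to the controllers' web interface, and flags any whose source is outside the engineering subnets. The controller addresses, the engineering subnet, the log format and the log lines are all constructed; the assumption that the SDM is reached through the controller's HTTP/HTTPS webserver ports (80/443) should be replaced with the ports actually configured in the Automation Studio project.

```python
"""Hunt for unexpected connections to a controller's SDM web interface.

Added example, not code from the advisory. Subnets, hosts, ports and log
lines are constructed assumptions; adjust them to your own inventory.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: SDM is served by the controller's HTTP/HTTPS webserver.
SDM_WEB_PORTS = {80, 443}

# Constructed inventory: Automation Runtime nodes and the subnets allowed
# to reach their web interfaces (engineering / maintenance workstations).
CONTROLLER_HOSTS = {
    ipaddress.ip_address("10.10.5.20"),
    ipaddress.ip_address("10.10.5.21"),
}
ENGINEERING_SUBNETS = [ipaddress.ip_network("10.10.50.0/24")]

# Constructed flow-log lines: "<timestamp> <src> <dst> <dport> <proto>".
SAMPLE_FLOW_LOG = [
    "2026-05-26T08:01:02Z 10.10.50.15 10.10.5.20 443 tcp",   # engineering host, expected
    "2026-05-26T08:03:44Z 10.10.50.15 10.10.5.20 5000 tcp",  # non-web port, out of scope
    "2026-05-26T08:05:10Z 192.168.100.7 10.10.5.20 80 tcp",  # business network, flag
    "2026-05-26T08:05:11Z 192.168.100.7 10.10.5.21 443 tcp", # business network, flag
    "2026-05-26T08:06:00Z 192.168.100.7 10.10.5.20 80 udp",  # not TCP, ignored
    "malformed line that the parser must skip",
]


@dataclass
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow-log line; return None on malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Flow(
            ts=parts[0],
            src=ipaddress.ip_address(parts[1]),
            dst=ipaddress.ip_address(parts[2]),
            dport=int(parts[3]),
            proto=parts[4].lower(),
        )
    except ValueError:
        return None


def is_sdm_web_access(flow: Flow) -> bool:
    """True for TCP flows to a controller's webserver port."""
    return (
        flow.proto == "tcp"
        and flow.dst in CONTROLLER_HOSTS
        and flow.dport in SDM_WEB_PORTS
    )


def from_engineering_subnet(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in ENGINEERING_SUBNETS)


def hunt(lines: List[str]) -> List[Dict[str, str]]:
    """Return web-interface connections whose source is not an engineering host."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or not is_sdm_web_access(flow):
            continue
        if not from_engineering_subnet(flow.src):
            findings.append({
                "ts": flow.ts,
                "src": str(flow.src),
                "dst": str(flow.dst),
                "dport": str(flow.dport),
            })
    return findings


def count_by_source(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Aggregate findings per source so repeated offenders surface first."""
    return dict(Counter(f["src"] for f in findings))


if __name__ == "__main__":
    hits = hunt(SAMPLE_FLOW_LOG)
    for hit in hits:
        print(f"{hit['ts']} {hit['src']} -> {hit['dst']}:{hit['dport']} unexpected SDM access")
    print(count_by_source(hits))
```

Flows from the engineering subnet are deliberately not reported, which is what keeps the false-positive rate in the "Low to Medium" range the table gives; the trade-off is that a compromised engineering workstation is invisible to this hunt, so pair it with the segmentation and mTLS controls listed under Recommendations.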

Control Gaps

  • Lack of network segmentation for ICS devices
  • Unrestricted access to SDM web interfaces

Key Behavioral Indicators

  • Unexpected system node reboots or halts
  • Anomalous HTTP/HTTPS requests to the SDM component from untrusted subnets

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Update ABB B&R Automation Runtime to version 6.3, Q4.93, or later.
  • If updating is not immediately possible, deactivate the System Diagnostics Manager (SDM) in the Automation Studio project (especially for AR versions prior to 6.0).

Infrastructure Hardening

  • Ensure ICS/OT control system networks are isolated from business networks and not accessible from the internet.
  • Consider configuring mutual TLS (mTLS) in the Automation Studio project to restrict access to the webserver.
  • Evaluate implementing the Automation Runtime host-based firewall to limit webserver accessibility to trusted IP addresses only.

User Protection

  • Restrict access to the SDM interface to trusted maintenance personnel only, and only enable it for the duration of required tasks.

Security Awareness

  • Educate engineering and maintenance teams on the risks of leaving diagnostic web interfaces exposed on production networks.

MITRE ATT&CK Mapping

  • T0814 - Denial of Service
  • T1498 - Network Denial of Service
  • T0869 - Standard Application Layer Protocol