B&R APROL
Plan Patch · CVSS 8.8 · ICS-CERT ICSA-25-093-05 · Mar 24, 2025
B&R Automation
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
B&R APROL contains multiple privilege escalation and information disclosure vulnerabilities in versions prior to 4.4-00P1. An attacker with local network access could exploit these flaws without authentication to elevate privileges, access sensitive information including stored credentials, or gather confidential data from the system. The vulnerabilities span multiple weakness categories including weak access controls, improper information handling, and insufficient credential protection.
What this means
What could happen
An attacker on the same local network as the B&R APROL system could gain elevated privileges or steal credentials, potentially allowing them to modify process parameters, disable alarms, or shut down operations at the controlled facility.
Who's at risk
Organizations operating B&R APROL automation and process control systems are affected. This includes manufacturing facilities, chemical plants, water treatment systems, and other continuous process industries that use APROL for supervisory control and data acquisition. The vulnerabilities affect all APROL versions prior to 4.4-00P1, regardless of deployment context.
How it could be exploited
An attacker with access to the local network (Ethernet or industrial network) where APROL is deployed could exploit multiple privilege escalation and information disclosure vulnerabilities without authentication. The attacker could extract stored credentials or execute commands with elevated privileges to manipulate the controlled process.
Prerequisites
- Network access to the local network segment where APROL is deployed (not remotely exploitable from the Internet)
- No valid user credentials required for initial exploitation
- No authentication required for initial exploitation
- Low attack complexity (local network access only)
- High CVSS score (8.8)
- Multiple privilege escalation and credential disclosure vulnerabilities
- Affects process control systems (potential for physical impact if credentials misused)
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| APROL < 4.4-00P1 | <4.4-00P1 | >=4.4-00P1 |
| APROL < 4.4-00P5 | <4.4-00P5 | >=4.4-00P1 |
| APROL < 4.4-01 | <4.4-01 | >=4.4-00P1 |
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to APROL systems to only authorized engineering workstations and control network subnets using network firewalls or industrial switches
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update B&R APROL to version 4.4-00P1 or later immediately, following vendor maintenance procedures
HARDENING: After applying the update, reset all stored credentials and passwords in APROL to invalidate any extracted secrets
Long-term hardening
HARDENING: Ensure APROL systems are not connected directly to business networks or Internet-facing networks; maintain logical separation from IT infrastructure
CVEs (13)