B&R Automation Runtime Vulnerabilities in System Diagnostic Manager (SDM)

Advisory sa25p003 | CVSS 6.1 | Published Oct 7, 2025
B&R Automation
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: Required
Summary

B&R Automation Runtime versions prior to 6.4 contain two vulnerabilities in the web interface of the System Diagnostic Manager (SDM): a reflected cross-site scripting (XSS) flaw, and session tokens generated with insufficient randomness (improper random number generation). An attacker with network access to SDM could use the XSS to run script in the context of a legitimate user's browser session, or use the weak session tokens to take over an authenticated session outright. SDM is disabled by default in Automation Runtime 6 but may be enabled by users who require remote diagnostics or maintenance capabilities.

What this means
What could happen
An attacker with network access to the System Diagnostic Manager could hijack a user's authenticated session or run script in that user's browser, and could then act on the controller with that user's privileges: modifying settings or reading sensitive operational data.
Who's at risk
This affects organizations running B&R Automation Runtime controllers with the System Diagnostic Manager (SDM) enabled. At-risk sites include manufacturing plants, water treatment facilities, and electric utilities that use B&R controllers for process automation and have SDM enabled for remote diagnostics or maintenance.
How it could be exploited
Two paths are involved. Reflected XSS: the attacker crafts a link to the SDM web interface that carries script in a request parameter and induces a legitimate user to open it (this is the required user interaction). SDM reflects the parameter into the page without encoding it, so the script runs inside the user's SDM session and can issue any request that user could. Session hijacking: because session tokens are generated with insufficient randomness, an attacker on the network can predict or enumerate the token of an active session and present it as their own, impersonating that user without needing credentials. In either case the attacker ends up issuing commands to the Automation Runtime controller as the hijacked user.
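The two weakness classes named above, shown as an added illustration rather than SDM's own code: a hypothetical request handler that reflects a query parameter unencoded beside its HTML-encoded fix, and a session-token generator seeded from a predictable value beside one drawn from the OS CSPRNG. The parameter name `q`, the `sdm.example` host, and the login timestamp are constructed for the demonstration and say nothing about how SDM actually builds its pages or tokens.

```python
"""Added illustration (not SDM's code): the two weaknesses the advisory names,
each as a hypothetical vulnerable routine beside a hardened one."""
import html
import random
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlsplit


# --- 1. Reflected XSS: request input copied into the response unencoded ---

def _param(url: str, name: str) -> str:
    """Return one query parameter from a URL (empty string if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Reflects the hypothetical 'q' parameter into HTML as-is: whatever a
    crafted link carries in q becomes markup in the victim's page."""
    return f"<p>Results for: {_param(url, 'q')}</p>"


def render_hardened(url: str) -> str:
    """Same page, but the reflected value is HTML-encoded, so '<', '>' and
    quotes arrive as text rather than tags or attribute breakouts. A
    restrictive Content-Security-Policy header is the usual second layer."""
    return f"<p>Results for: {html.escape(_param(url, 'q'), quote=True)}</p>"


# --- 2. Session tokens from a predictable source ---------------------------

def weak_token(session_start: int) -> str:
    """Anti-pattern: a non-cryptographic PRNG (Mersenne Twister) seeded with
    the login time. Anyone who can narrow down when the session started can
    regenerate the token."""
    rng = random.Random(session_start)
    return f"{rng.getrandbits(64):016x}"


def recover_weak_token_seed(observed: str, approx_time: int,
                            window: int = 300) -> Optional[int]:
    """Attacker's view: try every seed within +/- window seconds of the
    estimated login time and return the one that reproduces the token.
    Returns None when no seed in the window matches."""
    for t in range(approx_time - window, approx_time + window + 1):
        if weak_token(t) == observed:
            return t
    return None


def strong_token() -> str:
    """Correct: 128 bits from the OS CSPRNG; neither seed recovery nor brute
    force is feasible, and tokens cannot be correlated with login time."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    # Constructed crafted link; the victim's browser would send this request.
    crafted = "http://sdm.example/search?q=<script>alert(document.cookie)</script>"
    print(render_vulnerable(crafted))   # script tag lands in the page
    print(render_hardened(crafted))     # rendered as literal text
    t0 = 1_700_000_000                  # constructed login time
    print(recover_weak_token_seed(weak_token(t0), t0 + 120))  # seed recovered
    print(recover_weak_token_seed(strong_token(), t0 + 120))  # None
```

The token half is the more dangerous of the two in an OT setting: the XSS needs a user to click, but a guessable token lets an attacker who can reach the SDM port step into an existing session with no interaction at all, which is why the advisory's first recommendation is to take the port off untrusted networks rather than to rely on users' care.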
Prerequisites
  • Network access to the System Diagnostic Manager web interface port
  • System Diagnostic Manager (SDM) enabled on the Automation Runtime controller
  • A legitimate user with an active SDM session in their browser (for the reflected XSS path, one who can be induced to open an attacker-supplied link)
Tags: remotely exploitable; no authentication required; low complexity; affects industrial control systems
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
  • Product: Automation Runtime; Affected versions: <6.4; Fix status: fixed in 6.4
Remediation & Mitigation

Do now
  • WORKAROUND: Disable the System Diagnostic Manager (SDM) on production controllers unless it is explicitly required for troubleshooting (it is disabled by default in Automation Runtime 6).
  • HARDENING: Restrict network access to the SDM web interface port to trusted engineering workstations and maintenance networks only, using firewall rules; do not leave it reachable from the plant or enterprise network at large.

Schedule (requires a maintenance window)

Patching may require a device reboot; plan for process interruption.

  • HOTFIX: Update Automation Runtime to version 6.4 or later.

Long-term hardening
  • HARDENING: Do not enable SDM on controllers located outside secured production networks without implementing additional physical and logical access controls.
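An added triage script (not B&R tooling) that applies the advisory's decision logic to a controller inventory: anything below 6.4 with SDM enabled and reachable from an untrusted zone is a "do now" item, anything below 6.4 with SDM disabled or reachable only from the engineering zone is a scheduled update. The inventory, the field names, and the choice of `engineering` as the only trusted zone are constructed assumptions; the version comparison is numeric so that 6.10 is correctly treated as newer than 6.4.

```python
"""Added example, not B&R tooling: triage a controller inventory against
advisory sa25p003. Inventory, field names and the trusted zone name are
constructed for illustration."""
import re
from dataclasses import dataclass, field
from typing import List, Set, Tuple

FIXED_IN = (6, 4)                 # from the advisory: fixed in Automation Runtime 6.4
TRUSTED_ZONES = {"engineering"}   # assumption: zones allowed to reach the SDM port


def parse_version(text: str) -> Tuple[int, ...]:
    """'6.4' -> (6, 4); '6.10' -> (6, 10); '6.3.1' -> (6, 3, 1).
    Tuples compare numerically, so 6.10 > 6.4 (a string compare gets that wrong)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected(ar_version: str) -> bool:
    """True for any release before 6.4, i.e. the advisory's '<6.4'.
    (6, 4) and (6, 4, 1) are not affected; (6, 3, 1) is."""
    return parse_version(ar_version) < FIXED_IN


@dataclass
class Controller:
    name: str
    ar_version: str
    sdm_enabled: bool
    # Network zones that can reach the SDM port (assumed inventory field).
    reachable_from: Set[str] = field(default_factory=set)


def triage(fleet: List[Controller]) -> List[Tuple[str, str, str]]:
    """Return (controller, priority, action) for each controller needing work,
    following the advisory's 'Do now' / 'Schedule' split."""
    findings = []
    for c in fleet:
        if not is_affected(c.ar_version):
            continue  # already on 6.4 or later
        if not c.sdm_enabled:
            findings.append((c.name, "schedule",
                             "update to 6.4 or later; keep SDM disabled"))
            continue
        exposed = sorted(c.reachable_from - TRUSTED_ZONES)
        if exposed:
            findings.append((c.name, "do now",
                             "disable SDM, or firewall the SDM port from "
                             + ", ".join(exposed) + "; then update to 6.4 or later"))
        else:
            findings.append((c.name, "schedule",
                             "update to 6.4 or later in the next maintenance window"))
    return findings


# Constructed inventory for demonstration.
FLEET = [
    Controller("line1-plc", "6.2", True, {"plant", "engineering"}),
    Controller("line2-plc", "6.3.1", True, {"engineering"}),
    Controller("util-plc", "6.10", True, {"plant"}),     # not affected: 6.10 > 6.4
    Controller("spare-plc", "6.0", False),
]

if __name__ == "__main__":
    for name, priority, action in triage(FLEET):
        print(f"{priority:8} {name:10} {action}")
```

Run it against a real inventory export by building `Controller` objects from whatever asset database the site keeps; the one field most inventories lack is `reachable_from`, which usually has to come from firewall policy or a passive network map rather than from the controller itself.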