B&R Automation Runtime Vulnerabilities in System Diagnostic Manager (SDM)
Priority: Monitor · Score: 6.1 · Advisory ID: sa25p003 · Published: Oct 7, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A vulnerability exists in the System Diagnostic Manager (SDM) component of B&R Automation Runtime versions prior to 6.4 that could allow a remote attacker to hijack a user's SDM session or run script in the context of a logged-in user's browser session. It stems from insufficient input validation leading to cross-site scripting (CWE-79) and from generation of predictable numbers or identifiers (CWE-340). SDM is disabled by default in Automation Runtime 6 but is commonly enabled for diagnostics and commissioning.
What this means
What could happen
An attacker could hijack a user's SDM session or run script inside it, allowing them to interact with the Automation Runtime controller with the rights of the logged-in engineer. Depending on what the SDM session permits, this could lead to unauthorized changes to controller settings, firmware, or process logic.
Who's at risk
B&R Automation Runtime controllers with SDM enabled. This primarily affects discrete manufacturing facilities (packaging, assembly), batch processing plants, and infrastructure automation where B&R controllers manage equipment sequencing or process control. Any facility using SDM for remote diagnostics or commissioning is at risk.
How it could be exploited
An attacker who can reach the System Diagnostic Manager web interface (typically TCP 80/443) supplies crafted input that SDM fails to validate or encode. If a user with an active SDM session loads that content in their browser (the user-interaction requirement in the vector above), the attacker's script runs in that user's session context, allowing session hijacking or actions performed as that user.
Prerequisites
- Network access to the SDM web interface port (typically HTTP/HTTPS)
- System Diagnostic Manager (SDM) must be enabled on the Automation Runtime controller
- A valid user must have an active SDM session in a web browser and must be induced to load the attacker-supplied content
Tags: remotely exploitable · no authentication required · low complexity · requires user interaction (active session) · affects production system remote access
Exploitability
EPSS score 0.0% (low exploit probability)
Affected products (1)
Product             | Affected Versions | Fix Status
Automation Runtime  | <6.4              | Fixed in 6.4
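The affected-version line and the prerequisites above combine into a simple triage rule: a controller is exposed only when it runs Automation Runtime below 6.4 and has SDM enabled, and the remediation that applies depends on whether SDM is actually needed and who can reach its ports. The script below is an added example, not code from the advisory or from B&R; the inventory rows, the field names (ar_version, sdm_enabled, sdm_in_use, reachable_from), and the engineering subnet are constructed assumptions. It compares versions numerically so that a hypothetical "6.10" is not mistaken for an affected build the way a string comparison would.

```python
"""Triage an Automation Runtime inventory against the SDM advisory.

Added example; inventory records and network ranges are constructed.
"""
from ipaddress import ip_address, ip_network

FIXED_VERSION = (6, 4)       # advisory: fixed in Automation Runtime 6.4
SDM_PORTS = (80, 443)        # advisory: SDM typically served over HTTP/HTTPS

# Assumed engineering-workstation subnet allowed to reach SDM.
ENGINEERING_NETS = [ip_network("10.10.0.0/24")]

# Constructed inventory (field names are assumptions, not a B&R export format).
INVENTORY = [
    {"name": "PLC-01", "ar_version": "6.1", "sdm_enabled": True,
     "sdm_in_use": False, "reachable_from": ["10.10.0.5", "192.168.50.20"]},
    {"name": "PLC-02", "ar_version": "6.10", "sdm_enabled": True,
     "sdm_in_use": True, "reachable_from": ["192.168.50.20"]},
    {"name": "PLC-03", "ar_version": "6.3", "sdm_enabled": False,
     "sdm_in_use": False, "reachable_from": ["192.168.50.20"]},
    {"name": "PLC-04", "ar_version": "6.2", "sdm_enabled": True,
     "sdm_in_use": True, "reachable_from": ["10.10.0.7"]},
]


def parse_version(text):
    """'6.10' -> (6, 10). Tuples compare numerically; strings would rank '6.10' < '6.4'."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(ar_version, sdm_enabled):
    """Exposed only when the build predates the fix AND SDM is switched on."""
    return parse_version(ar_version) < FIXED_VERSION and sdm_enabled


def exposed_sources(reachable_from, allowed_nets):
    """Source addresses that can reach the controller but are outside the engineering nets."""
    return [src for src in reachable_from
            if not any(ip_address(src) in net for net in allowed_nets)]


def triage(controller, allowed_nets=ENGINEERING_NETS):
    """Map one controller record to the advisory's remediation actions, in priority order."""
    actions = []
    if not is_affected(controller["ar_version"], controller["sdm_enabled"]):
        return actions
    if not controller["sdm_in_use"]:
        actions.append("WORKAROUND: disable SDM (not in active use)")
    exposed = exposed_sources(controller["reachable_from"], allowed_nets)
    if exposed:
        actions.append("HARDENING: restrict SDM ports %s to engineering nets; "
                       "currently reachable from %s" % (list(SDM_PORTS), exposed))
    actions.append("HOTFIX: update Automation Runtime to 6.4 (plan a reboot window)")
    return actions


def triage_inventory(inventory=INVENTORY, allowed_nets=ENGINEERING_NETS):
    """Return {controller name: [actions]} for every affected controller."""
    return {c["name"]: triage(c, allowed_nets) for c in inventory if triage(c, allowed_nets)}


if __name__ == "__main__":
    for name, actions in triage_inventory().items():
        print(name)
        for action in actions:
            print("  -", action)
```

Only PLC-01 and PLC-04 come out as affected: PLC-02 is on a (hypothetical) 6.10 build, which the tuple comparison correctly places after 6.4, and PLC-03 has SDM disabled, so the advisory's precondition is not met even though its version is old.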
Remediation & Mitigation
Do now
WORKAROUND: Disable System Diagnostic Manager (SDM) on production controllers if it is not actively used for maintenance
HARDENING: Restrict network access to the SDM ports (typically 80/443) to authorized engineering workstations using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require a device reboot; plan for the resulting process interruption.
HOTFIX: Update Automation Runtime to version 6.4 or later on affected controllers
Long-term hardening
HARDENING: Ensure SDM is only reachable from properly secured production networks with strong physical and logical access controls