B&R Automation Studio Update of SQLite version
Act Now | 9.8 | SA25P007 | Feb 18, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
B&R Automation Studio versions prior to 6.5 contain vulnerabilities in an outdated SQLite component (CWE-197, CWE-122, CWE-119, CWE-787, CWE-476, CWE-286, CWE-416, CWE-190, CWE-754, CWE-674, CWE-125, CWE-20, CWE-200, CWE-120). These memory corruption and input validation flaws could enable unauthorized access, data exposure, or remote code execution. Although no active exploitation of B&R Studio was observed, the underlying SQLite vulnerabilities present potential attack vectors.
What this means
What could happen
An attacker with network access to B&R Automation Studio could execute arbitrary code or access sensitive data through SQLite vulnerabilities, potentially compromising engineering workstations and project data that controls industrial processes.
Who's at risk
Engineering teams and plant staff who use B&R Automation Studio to develop, configure, and deploy logic on B&R industrial controllers and PLCs in manufacturing, water treatment, power distribution, and other automated facilities.
How it could be exploited
An attacker sends malicious input to B&R Automation Studio that exploits memory corruption or input validation flaws in the embedded SQLite library. If the workstation running Studio is reachable from the network and processes untrusted project files or network requests, the attacker could run arbitrary code with the privileges of the Studio application.
Prerequisites
- Network access to the machine running B&R Automation Studio
- User opens or processes malicious project files or network data in Studio
- B&R Automation Studio version prior to 6.5 is installed
remotely exploitable | no authentication required | low complexity | high EPSS score (51.9%) | affects engineering workstations that control physical processes
Exploitability
High exploit probability (EPSS 51.9%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| B&R Automation Studio <6.5 | <6.5 | 6.5 |
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update B&R Automation Studio to version 6.5 or later
CVEs (25)
CVE-2025-6965, CVE-2025-3277, CVE-2023-7104, CVE-2022-35737, CVE-2020-15358, CVE-2020-13632, CVE-2020-13631, CVE-2020-13630, CVE-2020-13435, CVE-2020-13434, CVE-2020-11656, CVE-2020-11655, CVE-2019-19646, CVE-2019-19645, CVE-2019-8457, CVE-2018-20506, CVE-2018-20505, CVE-2018-20346, CVE-2018-8740, CVE-2017-10989, CVE-2016-6153, CVE-2015-6607, CVE-2015-5895, CVE-2015-3717, CVE-2015-3416
API:
/api/v1/advisories/f72b9c0c-43d8-4a67-bd8a-131c28a03ada