Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium’s Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances.
“These vulnerabilities are fully exploitable if a Niagara system is misconfigured, thereby disabling encryption on a specific network device,” Nozomi Networks Labs said in a report published last week. “If chained together, they could allow an attacker with access to the same network — such as through a Man-in-the-Middle (MiTM) position — to compromise the Niagara system.”
Developed by Tridium, an independent business entity of Honeywell, the Niagara Framework is a vendor-neutral platform used to manage and control a wide range of devices from different manufacturers, such as HVAC, lighting, energy management, and security, making it a valuable solution in building management, industrial automation, and smart infrastructure environments.
It consists of two key components: Platform, which is the underlying software environment that provides the necessary services to create, manage, and run Stations, and Station, which communicates with and controls connected devices and systems.
The vulnerabilities identified by Nozomi Networks are exploitable should a Niagara system be misconfigured, causing encryption to be disabled on a network device and opening the door to lateral movement and broader operational disruptions, impacting safety, productivity, and service continuity.
The most severe of the issues are listed below –
- CVE-2025-3936 (CVSS score: 9.8) – Incorrect Permission Assignment for Critical Resource
- CVE-2025-3937 (CVSS score: 9.8) – Use of Password Hash With Insufficient Computational Effort
- CVE-2025-3938 (CVSS score: 9.8) – Missing Cryptographic Step
- CVE-2025-3941 (CVSS score: 9.8) – Improper Handling of Windows: DATA Alternate Data Stream
- CVE-2025-3944 (CVSS score: 9.8) – Incorrect Permission Assignment for Critical Resource
- CVE-2025-3945 (CVSS score: 9.8) – Improper Neutralization of Argument Delimiters in a Command
- CVE-2025-3943 (CVSS score: 7.3) – Use of GET Request Method With Sensitive Query Strings
Nozomi Networks said it was able to craft an exploit chain combining CVE-2025-3943 and CVE-2025-3944 that could enable an adjacent attacker with access to the network to breach a Niagara-based target device, ultimately facilitating root-level remote code execution.
Specifically, the attacker could weaponize CVE-2025-3943 to intercept the anti-CSRF (cross-site request forgery) refresh token in scenarios where the Syslog service is enabled, causing the logs containing the token to be transmitted potentially over an unencrypted channel.
Armed with the token, the threat actor can trigger a CSRF attack and lure an administrator into visiting a specially crafted link that causes the content of all incoming HTTP requests and responses to be fully logged. The attacker then proceeds to extract the administrator’s JSESSIONID session token and use it to connect to the Niagara Station with full elevated permissions and creates a new backdoor administrator user for persistent access.
In the next stage of the attack, the administrative access is abused to download the private key associated with the device’s TLS certificate and conduct adversary-in-the-middle (AitM) attacks by taking advantage of the fact that both the Station and Platform share the same certificate and key infrastructure.
With control of the Platform, the attacker could leverage CVE-2025-3944 to facilitate root-level remote code execution on the device, achieving complete takeover. Following responsible disclosure, the issues have been addressed in Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.
“Because Niagara often connects critical systems and sometimes bridges IoT technology and information technology (IT) networks, it could represent a high-value target,” the company said.
“Given the critical functions that can be controlled by Niagara-powered systems, these vulnerabilities may pose a high risk to operational resilience and security provided the instance has not been configured per Tridium’s hardening guidelines and best practices.”
The disclosure comes as several memory corruption flaws have been discovered in the P-Net C library, an open-source implementation of the PROFINET protocol for IO devices, that, if successfully exploited, could allow unauthenticated attackers with network access to the targeted device to trigger denial-of-service (DoS) conditions.
“Practically speaking, exploiting CVE-2025-32399, an attacker can force the CPU running the P-Net library into an infinite loop, consuming 100% CPU resources,” Nozomi Networks said. “Another vulnerability, tracked as CVE-2025-32405, allows an attacker to write beyond the boundaries of a connection buffer, corrupting memory and making the device entirely unusable.”
The vulnerabilities have been resolved in version 1.0.2 of the library, which was released in late April 2025.
In recent months, several security defects have also been unearthed in Rockwell Automation PowerMonitor 1000, Bosch Rexroth ctrlX CORE, and Inaba Denki Sangyo’s IB-MCT001 cameras that could result in execution of arbitrary commands, device takeover, DoS, information theft, and even remotely access live footage for surveillance.
“Successful exploitation of these vulnerabilities could allow an attacker to obtain the product’s login password, gain unauthorized access, tamper with product’s data, and/or modify product settings,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory for IB-MCT001 flaws.
