Executive Summary
In October 2025, ABB identified a critical vulnerability (CVE-2025-3450) in the System Diagnostics Manager (SDM) component of B&R Automation Runtime versions prior to 6.3 and Q4.93. This flaw allows unauthenticated, network-based attackers to delete data, leading to denial-of-service conditions. The vulnerability stems from improper resource locking within the SDM, potentially causing affected systems to cease operation upon exploitation. ABB has released updates to address this issue and recommends users upgrade to Automation Runtime versions 6.3 or Q4.93 to mitigate the risk. This incident underscores the importance of timely patch management and robust network security practices, especially in critical infrastructure sectors where such vulnerabilities can have significant operational impacts.
Why This Matters Now
The discovery of CVE-2025-3450 highlights the ongoing challenges in securing industrial control systems against network-based attacks. As cyber threats targeting critical infrastructure continue to evolve, organizations must prioritize the implementation of security updates and adhere to best practices to safeguard their operations from potential disruptions.
Attack Path Analysis
An unauthenticated attacker exploited an improper resource locking vulnerability in the System Diagnostics Manager (SDM) of B&R Automation Runtime, leading to unauthorized data deletion and system disruption. The attack did not involve privilege escalation or lateral movement. The attacker established command and control by maintaining unauthorized access to the compromised system. No data exfiltration occurred, but the impact was significant due to the denial of service caused by the system disruption.
Kill Chain Progression
Initial Compromise
Description
An unauthenticated attacker exploited an improper resource locking vulnerability in the SDM component of B&R Automation Runtime, allowing unauthorized data deletion and system disruption.
Related CVEs
CVE-2025-3450
CVSS 10
An Improper Resource Locking vulnerability in the SDM component of B&R Automation Runtime versions before 6.3 and before Q4.93 may allow an unauthenticated network-based attacker to delete data, causing denial-of-service conditions.
Affected Products:
B&R Automation Runtime – <6.3, <Q4.93
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Inhibit System Recovery
Execution Guardrails: Mutual Exclusion
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Boundary Protection
Control ID: SC-7
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical DoS vulnerability in ABB B&R Automation Runtime affects manufacturing control systems, enabling unauthenticated attackers to cause production shutdowns and operational disruption.
Chemicals
Chemical processing facilities using ABB automation systems face severe safety risks from the CVE-2025-3450 vulnerability, which allows remote attackers to disable critical control infrastructure.
Oil/Energy/Solar/Greentech
Energy sector infrastructure dependent on ABB B&R systems is vulnerable to denial-of-service attacks that compromise the operational continuity of power generation and distribution.
Utilities
Water treatment and power utilities operating ABB automation platforms exposed to CVSS 10 critical vulnerability enabling remote system shutdowns without authentication requirements.
Sources
- ABB B&R Automation Runtime DoS Vulnerability in System Diagnostics Manager (SDM): https://www.cisa.gov/news-events/ics-advisories/icsa-26-146-04
- NVD - CVE-2025-3450: https://nvd.nist.gov/vuln/detail/CVE-2025-3450
- ABB Security Advisory SA25P002: https://www.br-automation.com/fileadmin/SA25P002-f6a69e61.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit the SDM vulnerability, thereby reducing the potential for unauthorized data deletion and system disruption.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the SDM vulnerability would likely have been constrained, reducing the potential for unauthorized data deletion and system disruption.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges would likely have been constrained, reducing the potential for unauthorized data deletion and system disruption.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely have been constrained, reducing the potential for unauthorized data deletion and system disruption.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely have been constrained, reducing the potential for unauthorized data deletion and system disruption.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate data would likely have been constrained, reducing the potential for unauthorized data deletion and system disruption.
Mitigation: The attacker's ability to cause a denial of service condition would likely have been constrained, reducing the potential for unauthorized data deletion and system disruption.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems Operations
- Manufacturing Process Control
Estimated downtime: 3 days
Estimated loss: $50,000
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict access to critical components like the SDM, ensuring only authorized entities can interact with them.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities, such as improper resource locking issues.
- Utilize Multicloud Visibility & Control to monitor and manage network traffic, identifying unauthorized access attempts and potential command and control channels.
- Enforce Egress Security & Policy Enforcement to control outbound traffic, preventing unauthorized data deletion commands from being executed remotely.
- Regularly update and patch systems to address known vulnerabilities, reducing the attack surface available to potential attackers.