Critical vulnerabilities have been identified in Tridium’s Niagara Framework®, a widely used software platform that connects and manages diverse devices in building automation, industrial control systems, and smart infrastructure environments.
These vulnerabilities, if exploited under specific conditions, could allow attackers to compromise entire Niagara systems and collect sensitive network data, potentially affecting critical infrastructure across industries including healthcare, manufacturing, and energy sectors.
The vulnerabilities were initially discovered in Niagara Framework version 4.13, but Tridium has confirmed that multiple versions remain affected, including Niagara Framework and Niagara Enterprise Security version 4.10u10 and earlier, as well as version 4.14u1 and earlier.
Among the 13 identified issues, researchers consolidated five vulnerabilities into two CVEs, resulting in ten distinct Common Vulnerabilities and Exposures (CVE) identifiers with CVSS scores ranging from 4.1 to 7.7.
The most severe vulnerability, CVE-2025-3937, involves the use of password hashes with insufficient computational effort and carries a CVSS score of 7.7.
Other critical issues include incorrect permission assignments for critical resources (CVE-2025-3944 and CVE-2025-3936) and an argument injection vulnerability (CVE-2025-3945).
These vulnerabilities are fully exploitable when Niagara systems are misconfigured with encryption disabled on specific network devices, a configuration that produces warnings on the security dashboard.
Multiple Vulnerabilities in Tridium Niagara
Security researchers have identified an attack chain that demonstrates how these vulnerabilities can be combined for maximum impact.
The attack begins with CVE-2025-3943, which exposes CSRF tokens through GET requests in the /ord endpoint.
When administrators interact with the Niagara Workbench, Content Security Policy (CSP) violation reports containing anti-CSRF tokens are logged and potentially transmitted over unencrypted Syslog channels.

An attacker positioned to perform Man-in-the-Middle attacks can intercept these tokens from network traffic and use them to forge CSRF requests, escalating logging levels to capture administrator session IDs.
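
For defenders, one way to check whether collected Syslog data already contains such tokens, as an added example that is not code from the original article or from Tridium: the script scans log lines for CSP violation reports whose URLs point at /ord and carry a token-like query parameter, and it records only a hash prefix of each token. The log line layout, the host name and the parameter name `csrfToken` are assumptions constructed for illustration.

```python
import hashlib
import json
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: token-bearing query parameters have "csrf" or "token" in the name.
TOKEN_PARAM = re.compile(r"csrf|token", re.I)
URI_FIELDS = ("document-uri", "blocked-uri", "referrer")  # standard CSP report keys


def leaked_params(uri):
    """Yield (name, value) for token-like query parameters on an /ord URL."""
    parts = urlsplit(uri)
    if not parts.path.startswith("/ord"):
        return
    for name, value in parse_qsl(parts.query):
        if TOKEN_PARAM.search(name):
            yield name, value


def find_token_leaks(lines):
    """Return one finding per token found inside a CSP report in a log line."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        start = line.find('{"csp-report"')
        if start < 0:
            continue
        try:
            report, _ = json.JSONDecoder().raw_decode(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or malformed report body
        body = report.get("csp-report")
        body = body if isinstance(body, dict) else {}
        for field in URI_FIELDS:
            for name, value in leaked_params(str(body.get(field, ""))):
                # Keep a fingerprint for correlation, never the token itself.
                digest = hashlib.sha256(value.encode()).hexdigest()[:12]
                findings.append({"line": lineno, "field": field,
                                 "param": name, "sha256_prefix": digest})
    return findings

# Constructed sample Syslog lines; layout, host and parameter name are assumptions.
SAMPLE = [
    '<134>Jul 24 10:02:11 jace-01 station: CSP {"csp-report": {"document-uri": '
    '"https://jace-01/ord?station:%7Cslot:/&csrfToken=EXAMPLE-TOKEN-0001", '
    '"violated-directive": "script-src", "blocked-uri": "inline"}}',
    '<134>Jul 24 10:02:15 jace-01 station: user admin logged in',
    '<134>Jul 24 10:03:40 jace-01 station: CSP {"csp-report": {"document-uri": '
    '"https://jace-01/ord?station:%7Cslot:/Drivers", "blocked-uri": "data"}}',
]
```

Any finding on a log stream that travels unencrypted indicates that the sessions tied to those tokens should be treated as exposed.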

The attack chain continues with CVE-2025-3944, which allows authenticated attackers with administrative privileges to overwrite the /etc/dhcpd/dhcpd.conf file on QNX-based Niagara systems, enabling arbitrary code execution with root privileges through dhcpd.conf hooks.
This sophisticated attack sequence can result in lateral movement across networks, operational disruptions to critical building automation systems, and complete device compromise including both Station and Platform environments.
The potential consequences extend beyond digital assets to real-world safety and service continuity impacts.
Enhanced Security Measures
Tridium has responded swiftly to these discoveries by issuing a comprehensive security advisory and releasing patches to address all identified vulnerabilities.
Organizations using vulnerability detection capabilities like Nozomi Networks Guardian can identify vulnerable assets and potential exploitation attempts.

The company’s product security team has published detailed guidance urging asset owners and operators to immediately update affected Niagara installations to the latest patched versions.
Security experts recommend implementing additional protective measures including network segmentation to limit system exposure and continuous monitoring of network traffic for suspicious activity related to Niagara devices.
Given Niagara’s critical role in infrastructure management, taking prompt remediation action is essential to maintain operational integrity and protect against potential attacks targeting these newly disclosed vulnerabilities.




