Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide - The Hacker News

Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide Ravie LakshmananJul 28, 2025Vulnerability / Critical Infrastructure Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium's Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances. "These vulnerabilities are fully exploitable if a Niagara system is misconfigured, thereby disabling encryption on a specific network device," Nozomi Networks Labs said in a report published last week. "If chained together, they could allow an attacker with access to the same network — such as through a Man-in-the-Middle (MiTM) position — to compromise the Niagara system." Developed by Tridium, an independent business entity of Honeywell, the Niagara Framework is a vendor-neutral platform used to manage and control a wide range of devices from different manufacturers, such as HVAC, lighting, energy management, and security, making it a valuable solution in building management, industrial automation, and smart infrastructure environments. It consists of two key components: Station, which communicates with and controls connected devices and systems, and Platform, which is the underlying software environment that provides the necessary services to create, manage, and run Stations. The vulnerabilities identified by Nozomi Networks are exploitable should a Niagara system be misconfigured, causing encryption to be disabled on a network device and opening the door to lateral movement and broader operational disruptions, impacting safety, productivity, and service continuity. The most severe of the issues are listed below - CVE-2025-3936 (CVSS score: 9.8) - Incorrect Permission Assignment for Critical Resource CVE-2025-3937 (CVSS score: 9.8) - Use of Password Hash With Insufficient Computational Effort CVE-2025-3938 (CVSS score: 9.8) - Missing Cryptographic Step CVE-2025-3941 (CVSS score: 9.8) - Improper Handling of Windows: DATA Alternate Data Stream CVE-2025-3944 (CVSS score: 9.8) - Incorrect Permission Assignment for Critical Resource CVE-2025-3945 (CVSS score: 9.8) - Improper Neutralization of Argument Delimiters in a Command CVE-2025-3943 (CVSS score: 7.3) - Use of GET Request Method With Sensitive Query Strings Nozomi Networks said it was able to craft an exploit chain combining CVE-2025-3943 and CVE-2025-3944 that could enable an adjacent attacker with access to the network to breach a Niagara-based target device, ultimately facilitating root-level remote code execution. Specifically, the attacker could weaponize CVE-2025-3943 to intercept the anti-CSRF (cross-site request forgery) refresh token in scenarios where the Syslog service is enabled, causing the logs containing the token to be transmitted potentially over an unencrypted channel. Armed with the token, the threat actor can trigger a CSRF attack and lure an administrator into visiting a specially crafted link that causes the content of all incoming HTTP requests and responses to be fully logged. The attacker then proceeds to extract the administrator's JSESSIONID session token and use it to connect to the Niagara Station with full elevated permissions and creates a new backdoor administrator user for persistent access. In the next stage of the attack, the administrative access is abused to download the private key associated with the device's TLS certificate and conduct adversary-in-the-middle (AitM) attacks by taking advantage of the fact that both the Station and Platform share the same certificate and key infrastructure. With control of the Platform, the attacker could leverage CVE-2025-3944 to facilitate root-level remote code execution on the device, achieving complete takeover. Following responsible disclosure, the issues have been addressed in Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. "Because Niagara often connects critical systems and sometimes bridges IoT technology and information technology (IT) networks, it could represent a high-value target," the company said. "Given the critical functions that can be controlled by Niagara-powered systems, these vulnerabilities may pose a high risk to operational resilience and security provided the instance has not been configured per Tridium's hardening guidelines and best practices." The disclosure comes as several memory corruption flaws have been discovered in the P-Net C library, an open-source implementation of the PROFINET protocol for IO devices, that, if successfully exploited, could allow unauthenticated attackers with network access to the targeted device to trigger denial-of-service (DoS) conditions. "Practically speaking, exploiting CVE-2025-32399, an attacker can force the CPU running the P-Net library into an infinite loop, consuming 100% CPU resources," Nozomi Networks said. "Another vulnerability, tracked as CVE-2025-32405, allows an attacker to write beyond the boundaries of a connection buffer, corrupting memory and making the device entirely unusable." The vulnerabilities have been resolved in version 1.0.2 of the library, which was released in late April 2025. In recent months, multiple security defects have also been unearthed in Rockwell Automation PowerMonitor 1000, Bosch Rexroth ctrlX CORE, and Inaba Denki Sangyo's IB-MCT001 cameras that could result in execution of arbitrary commands, device takeover, DoS, information theft, and even remote access of live footage for surveillance. "Successful exploitation of these vulnerabilities could allow an attacker to obtain the product's login password, gain unauthorized access, tamper with product's data, and/or modify product settings," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory for IB-MCT001 flaws. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  critical infrastructure, cybersecurity, encryption, Honeywell, industrial control system, iot security, network security, scada, Tridium, Vulnerability Trending News ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited Load More ▼ Popular Resources Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Identity Controls Checklist: Find Missing Protections in Apps Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps