Attack Chain

1. Attacker gains network access to the targeted system, either through direct connection, misconfigured firewalls, or malware infection.
2. Attacker intercepts network traffic between the B&R Automation Studio client and the OPC-UA or ANSL over TLS server.
3. Attacker redirects the communication to a compromised node under their control, manipulating network routing or name resolution.
4. Attacker generates a maliciously crafted server certificate.
5. The attacker presents the malicious certificate to the B&R Automation Studio client during the TLS handshake.
6. Due to the improper certificate validation, the B&R Automation Studio client accepts the malicious certificate.
7. Attacker intercepts and modifies data exchanged between the client and the legitimate server.
8. The attacker gains the ability to spoof a trusted server, potentially leading to the disclosure of confidential information or alteration of data in transit.

Impact

Successful exploitation of CVE-2025-11043 allows an attacker to perform man-in-the-middle attacks, potentially leading to the disclosure of sensitive data or the manipulation of control system processes. The vulnerability affects ABB B&R Automation Studio users in critical manufacturing and other sectors worldwide. Without proper patching and network segmentation, attackers can gain unauthorized access to ICS communications.

Recommendation

• Upgrade to ABB B&R Automation Studio version 6.5, which addresses CVE-2025-11043.
• Implement network segmentation to minimize network exposure for control system devices, as recommended by CISA.
• Operate B&R Automation Studio within Level 2 of the ABB ICS Cyber Security Reference Architecture to reduce the risk of successful exploitation.
• Monitor network traffic for unexpected redirections or connections to untrusted servers using network connection logs.