{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2025-11498/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":4.2,"id":"CVE-2025-3449"},{"cvss":6.1,"id":"CVE-2025-3448"},{"cvss":6.1,"id":"CVE-2025-11498"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Automation Runtime"],"_cs_severities":["medium"],"_cs_tags":["ics","xss","session hijacking","csv injection","cve-2025-3449","cve-2025-3448","cve-2025-11498"],"_cs_type":"advisory","_cs_vendors":["ABB","B\u0026R"],"content_html":"\u003cp\u003eABB B\u0026amp;R Automation Runtime versions before 6.4 are affected by multiple vulnerabilities within the System Diagnostics Manager (SDM) component. These vulnerabilities include predictable number generation (CVE-2025-3449), reflected cross-site scripting (XSS) (CVE-2025-3448), and improper neutralization of formula elements in a CSV file (CVE-2025-11498). Successful exploitation of these vulnerabilities could allow an unauthenticated, network-based attacker to take over an already established session or execute arbitrary JavaScript code within the context of a user\u0026rsquo;s browser. The SDM is disabled by default and, if enabled, is not intended to run on active systems outside secured production networks. 
This impacts the Energy sector globally.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable ABB B\u0026amp;R Automation Runtime instance running a version prior to 6.4 with SDM enabled.\u003c/li\u003e\n\u003cli\u003eFor CVE-2025-3449, the attacker exploits the predictable number generation vulnerability in the SDM component to predict session identifiers.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the predicted session identifier to hijack an existing, valid session, gaining unauthorized access to the SDM interface.\u003c/li\u003e\n\u003cli\u003eFor CVE-2025-3448, the attacker crafts a malicious URL containing a reflected XSS payload targeting the SDM component.\u003c/li\u003e\n\u003cli\u003eThe attacker lures a legitimate user into clicking the malicious URL, potentially through phishing or social engineering.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the attacker-controlled JavaScript code within the context of the SDM web application.\u003c/li\u003e\n\u003cli\u003eThe attacker can perform actions on behalf of the user or steal sensitive information accessible through the SDM interface.\u003c/li\u003e\n\u003cli\u003eFor CVE-2025-11498, the attacker crafts a malicious link.\u003c/li\u003e\n\u003cli\u003eThe user clicks the link and a CSV file is downloaded, which the user would then need to open manually.\u003c/li\u003e\n\u003cli\u003eThe attacker can inject formula data into a generated CSV file.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities could allow attackers to hijack existing sessions or execute arbitrary JavaScript code within a user\u0026rsquo;s browser. This could lead to information disclosure, unauthorized control of the Automation Runtime system, and potential disruption of industrial processes. 
While the SDM is disabled by default, systems with SDM enabled are at risk. The number of victims is not mentioned. This impacts the Energy sector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade ABB B\u0026amp;R Automation Runtime to version 6.4 or later to remediate CVE-2025-3449, CVE-2025-3448, and CVE-2025-11498.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, ensure the System Diagnostics Manager (SDM) is disabled.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls to limit exposure of Automation Runtime systems.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious URL patterns indicative of XSS attempts targeting the SDM, using a rule similar to the \u0026ldquo;Detect ABB B\u0026amp;R Automation Runtime CVE-2025-3448 XSS Attempt\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eTrain users to recognize and avoid suspicious links to mitigate CVE-2025-11498.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-21T16:10:27Z","date_published":"2026-05-21T16:10:27Z","id":"https://feed.craftedsignal.io/briefs/2026-05-br-automation/","summary":"ABB B\u0026R Automation Runtime versions before 6.4 are vulnerable to predictable number generation (CVE-2025-3449), reflected XSS (CVE-2025-3448), and CSV injection (CVE-2025-11498), potentially allowing attackers to hijack sessions or execute arbitrary code in a user's browser context.","title":"ABB B\u0026R Automation Runtime Multiple Vulnerabilities","url":"https://feed.craftedsignal.io/briefs/2026-05-br-automation/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2025-11498","version":"https://jsonfeed.org/version/1.1"}