Vulnerabilities in Tridium’s Niagara Framework

Cybersecurity researchers have discovered over a dozen security vulnerabilities impacting Tridium’s Niagara Framework that could allow an attacker on the same network to compromise the system under certain circumstances.

Background on Niagara Framework

Developed by Tridium, an independent business entity of Honeywell, the Niagara Framework is a vendor-neutral platform used to manage and control a wide range of devices from different manufacturers, such as HVAC, lighting, energy management, and security. It is a valuable solution in building management, industrial automation, and smart infrastructure environments.

Technical Details of Vulnerabilities

The vulnerabilities identified by Nozomi Networks are exploitable should a Niagara system be misconfigured, causing encryption to be disabled on a network device and opening the door to lateral movement and broader operational disruptions. The most severe of the issues include:

• CVE-2025-3936 (CVSS score: 9.8) – Incorrect Permission Assignment for Critical Resource
• CVE-2025-3937 (CVSS score: 9.8) – Use of Password Hash With Insufficient Computational Effort
• CVE-2025-3938 (CVSS score: 9.8) – Missing Cryptographic Step
• CVE-2025-3941 (CVSS score: 9.8) – Improper Handling of Windows: DATA Alternate Data Stream
• CVE-2025-3944 (CVSS score: 9.8) – Incorrect Permission Assignment for Critical Resource
• CVE-2025-3945 (CVSS score: 9.8) – Improper Neutralization of Argument Delimiters in a Command
• CVE-2025-3943 (CVSS score: 7.3) – Use of GET Request Method With Sensitive Query Strings

Exploit Chain and Potential Impact

Nozomi Networks said it was able to craft an exploit chain combining CVE-2025-3943 and CVE-2025-3944 that could enable an adjacent attacker with access to the network to breach a Niagara-based target device, ultimately facilitating root-level remote code execution. This could allow an attacker to intercept the anti-CSRF refresh token, trigger a CSRF attack, and gain full elevated permissions on the device. The attacker could then download the private key associated with the device’s TLS certificate and conduct adversary-in-the-middle (AitM) attacks.

Disclosure and Remediation

Following responsible disclosure, the issues have been addressed in Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. Nozomi Networks emphasizes that because Niagara often connects critical systems and sometimes bridges IoT technology and information technology (IT) networks, it could represent a high-value target. Therefore, these vulnerabilities may pose a high risk to operational resilience and security if the instance has not been configured per Tridium’s hardening guidelines and best practices.

Related Vulnerabilities in Other Systems

The disclosure comes as several memory corruption flaws have been discovered in the P-Net C library, an open-source implementation of the PROFINET protocol for IO devices. These vulnerabilities, if successfully exploited, could allow unauthenticated attackers with network access to the targeted device to trigger denial-of-service (DoS) conditions. Specifically, exploiting CVE-2025-32399 could force the CPU running the P-Net library into an infinite loop, consuming 100% CPU resources, while CVE-2025-32405 allows an attacker to write beyond the boundaries of a connection buffer, corrupting memory and making the device entirely unusable. The vulnerabilities have been resolved in version 1.0.2 of the library.

Conclusion

In recent months, several security defects have also been unearthed in Rockwell Automation PowerMonitor 1000, Bosch Rexroth ctrlX CORE, and Inaba Denki Sangyo’s IB-MCT001 cameras that could result in execution of arbitrary commands, device takeover, DoS, information theft, and even remotely access live footage for surveillance. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) notes that successful exploitation of these vulnerabilities could allow an attacker to obtain the product’s login password, gain unauthorized access, tamper with product’s data, and/or modify product settings. Therefore, it is crucial for operators of these systems to apply the necessary patches and follow best practices to secure their infrastructure.