CISA flags B&R PPT30 OPC-UA denial-of-service flaw
The high score matters only where OPC-UA is actually enabled, which is the buried operational filter for this advisory.
TL;DR
CISA published ICSA-26-155-03 for CVE-2025-11482, a CVSS 7.5 flaw in B&R PPT30 Operating System versions before 1.8.0. An unauthenticated network attacker with access to the system network can make the OPC-UA server inaccessible. Contractors and operators using PPT30 in critical manufacturing, energy, transportation, or water environments should update to 1.8.0 or restrict OPC-UA access by firewall and segmentation. The server is disabled by default, so inventory beats panic.
CISA’s advisory is a straightforward industrial control system patch item: B&R PPT30 Operating System before 1.8.0 has an OPC-UA server resource-handling flaw, CVE-2025-11482, that can let an unauthenticated network attacker prevent legitimate users from connecting to the service. B&R fixed the issue in PPT30 Operating System 1.8.0 and says the OPC-UA server is not activated by default.

That default matters. Operators who never enabled OPC-UA do not have the same Monday morning problem as operators who use it for production connectivity.

For enabled deployments, the work is conventional and immediate: identify PPT30 versions, install 1.8.0, keep OPC-UA disabled unless required, restrict access to trusted IP addresses with the South Firewall or Control Network Firewall, and keep the PPT30 network segmented from business and internet-facing paths.
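The inventory filter described above, written as a short triage script. This is an added example, not code from CISA, B&R or this page; the CSV columns, asset names and status labels are assumptions constructed for illustration, while the PPT30 model name and the 1.8.0 fixed version come from the advisory.

```python
import csv
import io

FIXED = (1, 8, 0)  # PPT30 Operating System release that fixes CVE-2025-11482

# Constructed sample inventory; the column names are assumptions, not a B&R export format.
SAMPLE_INVENTORY = """asset,model,os_version,opcua_enabled,opcua_acl
line1-hmi,PPT30,1.7.2,yes,any
line2-hmi,PPT30,1.7.2,no,
pump-hmi,PPT30,1.10.0,yes,any
mix-hmi,PPT30,1.6.0,yes,10.20.0.5
lab-hmi,PPT30,,yes,any
gate-hmi,OtherPanel,1.2.0,yes,any
"""

def parse_version(text):
    """Return a 3-tuple of ints, or None when the version is missing or malformed."""
    parts = text.strip().split(".")
    if not all(p.isdecimal() for p in parts):
        return None
    nums = [int(p) for p in parts][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def triage(row):
    """Classify one inventory row against the advisory's conditions."""
    if row["model"].strip().upper() != "PPT30":
        return "out-of-scope"
    version = parse_version(row["os_version"])
    if version is None:
        return "verify-version"        # unknown build: confirm on the device
    if version >= FIXED:               # tuple compare, so 1.10.0 sorts after 1.8.0
        return "fixed"
    enabled = row["opcua_enabled"].strip().lower()
    if enabled == "no":
        return "patch-scheduled"       # affected build, but OPC-UA is off (the default)
    if enabled != "yes":
        return "verify-opcua"          # state not recorded: check the configuration
    acl = row["opcua_acl"].strip().lower()
    if acl in ("", "any"):
        return "patch-now-restrict"    # affected, enabled, no source restriction recorded
    return "patch-now"                 # affected and enabled, access already restricted

def triage_inventory(text):
    return {r["asset"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for asset, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset:10} {status}")
```

Versions are compared as integer tuples because a plain string comparison would rank 1.10.0 below 1.8.0 and misreport a fixed panel as affected.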
Published · Deep Fathom