CISA flags CVE-2025-11482 in B&R PPT30 OPC-UA server
The operational risk sits in optional services that become production dependencies the moment operators enable OPC-UA in an OT network.
TL;DR
CISA issued ICSA-26-155-03 for CVE-2025-11482, a CVSS 7.5 resource-exhaustion flaw in B&R PPT30 Operating System versions before 1.8.0. Unauthenticated network attackers can make the optional OPC-UA server unavailable in worldwide deployments across commercial facilities, critical manufacturing, energy, transportation, and water and wastewater. Contractors, MSPs and C3PAOs supporting PPT30 should install 1.8.0 or disable and firewall OPC-UA. B&R reported no known exploitation when the advisory was issued; CISA set no patch deadline.
CISA’s advisory is a straight operational-technology patch item, with one useful limit: the vulnerable OPC-UA server on B&R PPT30 is optional and is not activated by default. That does not make the finding harmless. In PPT30 Operating System versions before 1.8.0, CVE-2025-11482 lets an unauthenticated attacker with network access exhaust resources and prevent legitimate users from using the OPC-UA service. For plants, utilities, transportation operators and their contractors, MSPs and assessors, the Monday work is inventory first: find PPT30 devices, confirm whether OPC-UA is enabled, install 1.8.0 where it is enabled, and restrict access to trusted IP addresses through the South Firewall or Control Network Firewall. B&R said it had not received reports of exploitation when the advisory was issued. CISA also gives no patch-by date, which means the risk decision lands where it usually does in OT: on the owner of a production network that dislikes outages until a vulnerability creates one.
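The inventory-first triage described above, as an added example that is not B&R or CISA code: it classifies constructed PPT30 inventory records by firmware version, whether OPC-UA is enabled, and whether a firewall allowlist restricts it. The inventory fields are hypothetical; only the 1.8.0 fix version and the disable/firewall guidance come from the advisory.

```python
"""Added triage helper for CISA ICSA-26-155-03 / CVE-2025-11482.

Not B&R or CISA code. Inventory records are constructed; field names are
hypothetical. The 1.8.0 fix and the disable/firewall guidance are from the advisory.
"""
from typing import List, NamedTuple, Optional

FIXED_VERSION = (1, 8, 0)  # PPT30 Operating System 1.8.0 closes CVE-2025-11482


class Device(NamedTuple):
    name: str
    os_version: str
    opc_ua_enabled: bool  # the OPC-UA server is optional and off by default
    opc_ua_allowlist: Optional[List[str]]  # trusted IPs at the firewall; None = unrestricted


def parse_version(text: str) -> tuple:
    """'1.7.2' -> (1, 7, 2), padded to three fields; numeric compare avoids '1.10.0' < '1.8.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(os_version: str) -> bool:
    return parse_version(os_version) < FIXED_VERSION


def triage(dev: Device) -> tuple:
    """(priority, action); 0 = nothing to do, 3 = service reachable by any network peer."""
    if not is_vulnerable(dev.os_version):
        return 0, "1.8.0 or later; no action for CVE-2025-11482"
    if not dev.opc_ua_enabled:
        return 1, "OPC-UA disabled, so the server is not reachable; install 1.8.0 at the next window"
    if dev.opc_ua_allowlist:
        return 2, "OPC-UA restricted to %d trusted IPs; install 1.8.0" % len(dev.opc_ua_allowlist)
    return 3, "OPC-UA reachable by any peer; install 1.8.0 now, or disable it and restrict to trusted IPs"


# Constructed sample inventory, not real devices.
INVENTORY = [
    Device("hmi-line1", "1.7.2", True, None),
    Device("hmi-line2", "1.10.0", True, None),  # a string compare would wrongly flag this one
    Device("hmi-pack", "1.6.0", False, None),
    Device("hmi-util", "1.7.9", True, ["10.20.0.5", "10.20.0.6"]),
]


def worklist(devices=INVENTORY):
    """Device names in the order to handle them, highest priority first."""
    return [d.name for d in sorted(devices, key=lambda d: triage(d)[0], reverse=True)]
```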
Published · Deep Fathom