CVE-2025-3450 hits ABB B&R Automation Runtime at CVSS 10
An unauthenticated network attacker can delete SDM data and halt production: no credentials, no complexity, no prior access required.
TL;DR
CISA published ICSA-26-146-04 on CVE-2025-3450, an improper resource locking flaw (CWE-413, CVSS 3.1: 10.0) in the System Diagnostics Manager (SDM) component of ABB B&R Automation Runtime versions before 6.3 and before Q4.93. An unauthenticated, network-adjacent attacker can delete data and trigger a denial-of-service condition, stopping the runtime entirely. Patches are available in versions 6.3 and Q4.93. SDM is disabled by default in Automation Runtime 6.0 and later, but systems below that threshold (or any installation where SDM was manually enabled) require immediate inventory and patching. Affected critical infrastructure sectors include chemical, energy, water and wastewater, healthcare, and critical manufacturing.
The vector string tells the story before you read a word of the advisory: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H. Network-accessible, low complexity, no privileges required, no user interaction, scope changed. The only impact metric not rated High is confidentiality (C:N), because SDM's exposure is to availability and integrity, not data exfiltration. For an OT runtime managing production equipment, that is cold comfort: stopping the runtime is the attack.
CVE-2025-3450 affects ABB B&R Automation Runtime across two version lines: anything before 6.3 in the main branch, and anything before Q4.93 in the Q-series branch. B&R's own PSIRT discovered and reported the flaw to CISA; patches are already available in 6.3 and Q4.93. That sequencing (vendor-discovered, vendor-patched, then disclosed) is the favorable scenario. The unfavorable variable is how many production systems are running unpatched versions right now.
What practitioners need to do this week
The first step is inventory, not patching. Organizations with Automation Runtime deployments need to confirm which version is running on each system and whether SDM is enabled. CISA's advisory and B&R's documentation both note that SDM is disabled by default in Automation Runtime 6.0 and later, meaning systems on version 6.x with SDM left at default are not exposed. Systems below 6.0, or any system where SDM was explicitly enabled for remote diagnostics work, are the population at risk.
For those systems, B&R's guidance is to apply the update "at the earliest convenience," which in OT environments translates to: schedule a maintenance window now, not at the next quarterly cycle. The CVSS Environmental and Temporal scoring includes an Exploit Code Maturity of "Unproven" (E:U) and a Remediation Level of "Official Fix" (RL:O), meaning no public exploit code is known and a vendor patch exists. That window narrows over time.
Where immediate patching is operationally impossible, the compensating path is network segmentation: SDM should not be reachable from untrusted network segments under any circumstances. CISA's advisory states explicitly that SDM is not intended to be enabled on systems "located outside properly secured production networks or in facilities lacking adequate physical and logical access controls." If your deployment doesn't meet that bar, disabling SDM entirely is the interim control until the patch can be applied.
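The inventory, patch and compensating-control steps above reduce to a per-system decision rule; here it is as a small Python helper, an added example that is not from the advisory or from B&R. It assumes version strings are written the way this page writes them ("6.2" for the main line, "Q4.92" for the Q-series), and the host names and versions in the sample inventory are constructed.

```python
from typing import Dict, List, Optional, Tuple

# Fix thresholds stated in the advisory: 6.3 (main line) and Q4.93 (Q-series).
FIXED_MAIN = (6, 3)
FIXED_Q = (4, 93)
# SDM is disabled by default in Automation Runtime 6.0 and later (main line).
SDM_DEFAULT_OFF_FROM = (6, 0)


def parse_version(text: str) -> Tuple[str, Tuple[int, int]]:
    """Return (branch, (major, minor)) for '6.2' or 'Q4.92'.

    Assumption (not from the advisory): a leading 'Q' marks the Q-series,
    otherwise the main line; extra dotted components are ignored.
    Tuples compare numerically, so '6.10' correctly sorts above '6.3'.
    """
    s = text.strip()
    branch = "main"
    if s[:1].upper() == "Q":
        branch, s = "q", s[1:]
    parts = s.split(".")
    if len(parts) < 2 or not parts[0].isdigit() or not parts[1].isdigit():
        raise ValueError(f"unrecognised Automation Runtime version: {text!r}")
    return branch, (int(parts[0]), int(parts[1]))


def triage(version: str, sdm_enabled: Optional[bool]) -> str:
    """Classify one system for CVE-2025-3450.

    sdm_enabled=None means 'left at vendor default'. The page only states
    the default (disabled) for main-line 6.0+; anything else must be checked.
    """
    branch, ver = parse_version(version)
    if ver >= (FIXED_MAIN if branch == "main" else FIXED_Q):
        return "patched"
    if sdm_enabled is False:
        return "not_exposed"          # SDM off: patch at the next window
    if sdm_enabled is None and branch == "main" and ver >= SDM_DEFAULT_OFF_FROM:
        return "not_exposed"          # SDM off by default on 6.0-6.2
    if sdm_enabled:
        return "exposed"              # patch now, or disable SDM / segment
    return "verify"                   # default state unknown: confirm first


# Constructed sample inventory (host, version, SDM enabled?) - not real systems.
SAMPLE_INVENTORY = [
    ("plc-line1", "6.2", None),
    ("plc-line2", "6.3", None),
    ("plc-packaging", "Q4.92", True),
    ("plc-utility", "5.10", None),
]


def triage_inventory(rows) -> Dict[str, List[str]]:
    """Group hosts by status so the exposed set is scheduled first."""
    groups: Dict[str, List[str]] = {"patched": [], "not_exposed": [], "exposed": [], "verify": []}
    for host, version, sdm in rows:
        groups[triage(version, sdm)].append(host)
    return groups
```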
The advisory covers deployments worldwide across at least eight critical infrastructure sectors. Defense industrial base operators running B&R controllers in manufacturing or process-control environments should treat this as a priority item alongside their next CMMC assessment cycle: availability loss on a production OT system is a supply chain disruption event, not just a cybersecurity metric.
Published ·Updated ·Deep Fathom