# Race Condition in ABB Automation Runtime Enables Permanent Denial of Service Attacks


## The Threat


ABB has disclosed a critical vulnerability in its B&R Automation Runtime that allows unauthenticated network attackers to permanently disable industrial control systems through a carefully timed race condition. The flaw, tracked as CVE-2025-11044, resides in the ANSL-Server component and enables attackers to exhaust system resources without limits, rendering affected devices inoperable.


The vulnerability is particularly concerning because it requires no authentication or user interaction—a network-adjacent attacker can trigger the exploitation directly. While the company notes that shorter application cycle times increase the likelihood of successful exploitation, the underlying condition affects all vulnerable versions globally. This poses a significant risk to manufacturers, utilities, and other critical infrastructure operators who rely on B&R Automation Runtime for industrial operations.


ABB has released patched versions and emphasizes that customers should upgrade immediately. However, the advisory acknowledges that the vulnerability's exploitability varies across different deployment configurations, and provides interim mitigations for organizations unable to patch quickly. The issue underscores the importance of strict network segmentation and traffic monitoring in critical infrastructure environments.


## Severity and Impact


| Attribute | Details |

|-----------|---------|

| CVE Identifier | CVE-2025-11044 |

| CVSS v3.1 Score | 6.8 (MEDIUM) |

| CVSS Vector String | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/RL:O/RC:C |

| CWE Identifier | CWE-770: Allocation of Resources Without Limits or Throttling |

| Attack Vector | Network |

| Attack Complexity | High |

| Authentication Required | None |

| User Interaction | None |

| Scope | Changed |

| Confidentiality Impact | None |

| Integrity Impact | None |

| Availability Impact | High |

| Affected Component | ANSL-Server |

| Impact Type | Permanent Denial of Service |


## Affected Products


ABB B&R Automation Runtime is available in two generation lines. Both are affected by this vulnerability:


Automation Runtime 6 (Generation 6):

  • Versions prior to 6.5 are vulnerable
  • Fixed in version 6.5 and later

    • Automation Runtime 4 (Generation 4):

  • Versions prior to R4.93 are vulnerable
  • Fixed in version R4.93 and later

    • Organizations should check their deployed versions immediately using the procedure described in the user manual. Mixed deployments of both generation lines require updating each product line to its respective patched version.


    ## Mitigations


    ### Immediate Actions


    Vendor Fix (Recommended): The most effective mitigation is upgrading to patched versions immediately:

  • Automation Runtime 6.5 or later
  • Automation Runtime R4.93 or later

    • ABB recommends applying updates at the earliest opportunity, with installation procedures documented in the product user manual.


    ### Interim Mitigations for Legacy Deployments


    For organizations unable to transition to patched versions immediately, ABB provides several compensating controls:


    Application Configuration: Adjusting cycle times in customer applications can reduce exploitation likelihood. B&R determined that shorter cycle times increase the probability of successful race condition exploitation, so extending cycle times where operationally feasible provides protection. However, this is not a complete fix and should be considered a temporary measure only.


    Network Segmentation: B&R Automation Runtime is designed to operate at Level 1 of the ABB ICS Cyber Security Reference Architecture. Exploitation from outside this level requires attackers to bypass the Control Network Firewall. Organizations should:


  • Implement strict firewall rules limiting network access to ANSL-Server
  • Restrict maximum concurrent connections to the ANSL-Server component
  • Cap data traffic to the ANSL-Server at no more than 80% of the measured peak traffic value during normal operations
  • Monitor for anomalous connection patterns or traffic spikes

    • Pre-Deployment Testing: Before commissioning systems or after deploying mitigations, test the maximum load capacity of applications under the target Automation Runtime version. This establishes baseline performance and helps detect resource exhaustion attempts.


    ### Defense in Depth Approach


    ABB recommends implementing its Defense in Depth principles for B&R products:

  • Test application performance thoroughly before production deployment
  • Maintain documentation of normal traffic baselines
  • Implement monitoring for abnormal connection counts or resource utilization
  • Maintain network segmentation between operational technology and corporate networks
  • Keep detailed logs of ANSL-Server activity for incident investigation

    • ## References


  • ABB Security Advisory: ABB PSIRT official disclosure
  • CVE Record: CVE-2025-11044
  • CISA Notification: ABB PSIRT reported this vulnerability to the Cybersecurity and Infrastructure Security Agency
  • Product Documentation: ABB B&R Automation Runtime user manual (version identification and update procedures)

    • ---


    ### Recommendations for Security Teams


    Immediate priorities:

    1. Inventory all B&R Automation Runtime deployments and document current versions

    2. Prioritize upgrading systems to patched versions (6.5+ or R4.93+)

    3. For systems unable to patch immediately, implement firewall rate limiting and traffic caps on ANSL-Server

    4. Review current network segmentation between control networks and external connectivity


    Ongoing protection:

  • Include B&R Automation Runtime in regular patch management processes
  • Monitor ABB PSIRT for additional advisories
  • Conduct periodic load testing to maintain baseline performance documentation
  • Review firewall traffic controls quarterly to ensure rate limits remain appropriate for operational needs