# ABB B&R Automation Studio Vulnerable to Man-in-the-Middle Attacks via Certificate Validation Bypass


## The Threat


ABB has disclosed a high-severity vulnerability in B&R Automation Studio that could allow an on-path attacker to intercept and manipulate communications between engineering workstations and automation devices. The flaw is improper certificate validation (CWE-295) in the product's OPC-UA and ANSL over TLS client implementations: because the client does not verify the server's certificate, an attacker can masquerade as a trusted server, read sensitive configuration data, and inject commands or altered data into the session.


B&R Automation Studio is widely deployed in manufacturing environments worldwide and is used to develop and deploy automation solutions ranging from control and motion technology to human-machine interfaces (HMI) and safety systems. The vulnerability affects versions before 6.5. Exploitation requires the attacker to get between the workstation and the device on the network, but the consequences for industrial organizations are significant, particularly for connected production lines where a forged engineering session could change device configuration, disrupt operations, or touch safety-critical systems.


The core issue is that affected versions do not properly validate the TLS certificates presented by OPC-UA and ANSL servers during the connection handshake. TLS still encrypts the session, but without certificate validation the client never establishes who is on the other end. An attacker who can steer the workstation's traffic to themselves, through compromised switching or routing infrastructure, a rogue Wi-Fi access point, ARP or DNS spoofing on the engineering segment, or lateral movement inside the corporate network, can present a self-signed or forged certificate that the Automation Studio client accepts without complaint. The attacker then terminates TLS on both sides, relaying traffic to the real server while eavesdropping on it, modifying data in transit, or injecting commands of their own into the automation system. Note that the vulnerable side is the client: a correctly configured server certificate on the PLC does not help, because the client never checks it.


## Severity and Impact


| Metric | Value |
|--------|-------|
| CVE Identifier | CVE-2025-11043 |
| CVSS v3.1 Base Score | 7.4 (HIGH) |
| CVSS Vector String | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/RL:O/RC:C (the trailing RL:O/RC:C are temporal metrics and do not enter the 7.4 base score) |
| Attack Vector | Network (AV:N) |
| Attack Complexity | High (AC:H) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality Impact | High (C:H) |
| Integrity Impact | High (I:H) |
| Availability Impact | None (A:N) |
| CWE Identifier | CWE-295: Improper Certificate Validation |
| Affected Versions | Automation Studio < 6.5 |
| Fixed Version | Automation Studio 6.5 and later |


The HIGH rating reflects a combination of factors. Attack complexity is High because the attacker must first obtain a man-in-the-middle position and redirect the workstation's traffic through it; that is the only real hurdle. Once there, the vulnerability yields both confidentiality and integrity loss: the attacker can read automation configurations and project data as they pass, and can alter or inject traffic in either direction. No credentials are needed (PR:N) and no engineer has to click anything (UI:N), since the client accepts the forged certificate silently, so exploitation can be fully automated once the network position is established. Availability is rated None because the flaw itself does not crash anything, although an attacker who can inject commands could of course cause downtime as a consequence.


## Affected Products


ABB B&R Automation Studio:

  • All versions prior to 6.5 (including Automation Studio 6.4 and earlier) are affected
  • Automation Studio 6.5 and later contain the fix and are not affected
  • Within affected versions the flaw lies in the OPC-UA client and ANSL over TLS client components, that is, the code path Automation Studio uses when it connects to a remote server; the advisory concerns the client side only


## Mitigations


Immediate Actions:


1. Apply the Patch: Upgrade to ABB B&R Automation Studio version 6.5 or later at the earliest opportunity. ABB has confirmed that version 6.5 resolves the certificate validation vulnerability. The product's user manual documents both how to identify the installed version and how to perform the upgrade.


2. Network Segmentation: Follow ABB's ICS Cyber Security Reference Architecture and operate B&R Automation Studio within Level 2 of that model when connecting to Level 1 automation devices. Keeping engineering workstations and controllers on a segregated, access-controlled network removes most of the places from which an attacker could insert themselves into the path, which is exactly the precondition this vulnerability requires.


3. Monitor for Suspicious Activity: Review network logs and traffic analysis output for unusual OPC-UA or ANSL over TLS communication patterns, TLS sessions to automation servers that present self-signed or otherwise non-validating certificates, certificate changes on known servers, and connections to unfamiliar IP addresses that claim to be automation servers. Because the vulnerable client raises no warning, the network is the only place this will show up.


4. Restrict Network Access: Limit which systems and network segments can communicate with B&R Automation Studio installations. Use firewall rules to restrict OPC-UA (TCP 4840 by default) and ANSL over TLS connections to only the authorized servers, and use VPN or secure tunneling for remote engineering sessions so that the engineering traffic never traverses an untrusted segment in the clear.


5. Certificate Pinning (Manual Control): The patched version validates certificates properly, but a pinned allowlist of known-good server certificates is a useful compensating control both before and after the upgrade. Record the SHA-256 fingerprint of each automation server's certificate, keep the list under change control, and periodically verify with a certificate-fingerprinting tool that engineering workstations are reaching servers whose fingerprints match. This does not fix the client; it gives you a way to detect when the client has been talking to something else.
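To make the CWE-295 failure from "The Threat" concrete, and to show the fingerprint allowlist check from item 5, here is an added Python example. It is not ABB's code and does not show how Automation Studio itself is implemented; it uses Python's standard `ssl` module to put the insecure client configuration beside the hardened one, an `audit_context` function that flags the insecure settings, and a pin check that refuses a connection whose leaf certificate is not on the allowlist. The CA bundle path passed to `hardened_context` and the allowlist contents are assumptions you supply from your own OT PKI.

```python
import hashlib
import socket
import ssl


def vulnerable_context():
    """The CWE-295 pattern: TLS is used for encryption only.

    verify_mode=CERT_NONE means any certificate is accepted, so an on-path
    attacker can present a self-signed or forged certificate and the client
    completes the handshake with the attacker instead of the real server.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(cafile=None):
    """What a fixed client must do: require a chain to a trusted CA and bind
    the certificate to the expected host name.

    cafile is the bundle that issued your automation servers' certificates
    (assumption: such a bundle exists at your site). With None, the system
    trust store is used, which is rarely right for an OT PKI.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return the certificate-validation weaknesses found in a client context."""
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode=CERT_NONE: any server certificate is accepted (CWE-295)")
    if not ctx.check_hostname:
        findings.append("check_hostname=False: certificate is not bound to the server name")
    return findings


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex,
    the same form most fingerprinting tools print."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(der_cert, allowlist):
    """True only if the certificate's fingerprint is on the pinned allowlist."""
    return fingerprint(der_cert) in allowlist


def connect_pinned(host, port, allowlist, cafile=None, timeout=5.0):
    """Open a TLS session and refuse to use it unless the leaf certificate is pinned.

    Chain and hostname validation happen inside the handshake (hardened_context);
    the pin is a second, independent check that catches a rogue but otherwise
    valid-looking certificate. Returns the fingerprint that was accepted.
    """
    ctx = hardened_context(cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)   # DER bytes of the server cert
            if not check_pin(leaf, allowlist):
                raise ssl.SSLError("pin mismatch for %s:%d, got %s" % (host, port, fingerprint(leaf)))
            return fingerprint(leaf)
```

Running `audit_context(vulnerable_context())` returns two findings and `audit_context(hardened_context())` returns none; that pair is the whole difference between an affected and a fixed client. `connect_pinned("plc01.ot.example", 4840, {"AA:BB:..."}, cafile="/etc/ot-pki/ca.pem")` is how the check would be used against a real server; the host, fingerprint and path are placeholders.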


Workarounds for Unpatched Systems:


Organizations unable to immediately upgrade should:

  • Operate engineering workstations in isolated network segments with restricted egress
  • Use air-gapped or VPN-protected connections for any remote engineering activities
  • Implement network-level intrusion detection tuned for certificate anomalies in OPC-UA traffic
  • Increase monitoring frequency and scrutiny of automation device configuration changes
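The "intrusion detection tuned for certificate anomalies" bullet above, and item 3 under Immediate Actions, describe what to look for but not how. The following is an added Python example, not part of the ABB advisory, that runs those checks over Zeek-style `ssl.log` records: it keeps only sessions to OT TLS ports, then flags servers missing from the inventory, certificates that failed validation or are self-signed, and leaf fingerprints that are not pinned. The field names follow Zeek's `ssl.log`; the sample records, addresses, fingerprints, inventory and allowlist are all constructed for this example.

```python
import json

# Ports treated as OT TLS endpoints. 4840 is the OPC-UA port named in the
# advisory text; the ANSL over TLS port is not stated on this page, so add
# the one from your own device inventory (assumption).
OT_TLS_PORTS = {4840}

# Constructed Zeek-style ssl.log records (JSON lines). Field names follow
# Zeek's ssl.log; every value below is made up for this example.
SAMPLE_SSL_LOG = """\
{"ts":1700000001.0,"id.orig_h":"10.20.2.15","id.resp_h":"10.20.1.10","id.resp_p":4840,"server_name":"plc01.ot.example","subject":"CN=plc01.ot.example","issuer":"CN=OT Root CA","validation_status":"ok","cert_chain_fps":["AA11"]}
{"ts":1700000002.0,"id.orig_h":"10.20.2.15","id.resp_h":"10.20.1.10","id.resp_p":4840,"server_name":"plc01.ot.example","subject":"CN=plc01.ot.example","issuer":"CN=plc01.ot.example","validation_status":"self signed certificate","cert_chain_fps":["DEAD"]}
{"ts":1700000003.0,"id.orig_h":"10.20.2.15","id.resp_h":"10.20.9.99","id.resp_p":4840,"server_name":"plc01.ot.example","subject":"CN=plc01.ot.example","issuer":"CN=OT Root CA","validation_status":"ok","cert_chain_fps":["BEEF"]}
{"ts":1700000004.0,"id.orig_h":"10.20.2.15","id.resp_h":"10.20.1.20","id.resp_p":443,"server_name":"hmi.ot.example","subject":"CN=hmi.ot.example","issuer":"CN=OT Root CA","validation_status":"ok","cert_chain_fps":["CC22"]}
"""


def analyze(log_text, known_servers, pinned_fps):
    """Return one finding per anomalous OT TLS session.

    known_servers: set of IPs that are allowed to act as automation servers.
    pinned_fps:    set of leaf-certificate fingerprints recorded at deployment.
    A vulnerable client raises no alarm on its own, so these are the only
    observable signs that it has been talking to an impostor.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("id.resp_p") not in OT_TLS_PORTS:
            continue                                  # not an OT TLS session
        reasons = []
        server = rec.get("id.resp_h")
        if server not in known_servers:
            reasons.append("server not in inventory")
        status = rec.get("validation_status")
        if status != "ok":
            reasons.append("certificate failed validation: %s" % status)
        if rec.get("subject") and rec.get("subject") == rec.get("issuer"):
            reasons.append("self-signed certificate")
        chain = rec.get("cert_chain_fps") or []
        leaf = chain[0] if chain else None             # Zeek lists the leaf first
        if leaf not in pinned_fps:
            reasons.append("leaf fingerprint not pinned: %s" % leaf)
        if reasons:
            findings.append({
                "ts": rec["ts"],
                "client": rec.get("id.orig_h"),
                "server": server,
                "sni": rec.get("server_name"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_SSL_LOG, {"10.20.1.10"}, {"AA11"}):
        print(f["ts"], f["client"], "->", f["server"], "; ".join(f["reasons"]))
```

With the inventory `{"10.20.1.10"}` and allowlist `{"AA11"}`, the first record is clean, the second is flagged three ways (non-validating, self-signed, unpinned), the third is flagged as an unknown server with an unpinned certificate, and the HTTPS session on port 443 is ignored. The self-signed check is deliberately independent of `validation_status`, because a sensor that has not been given the OT root CA reports every legitimate certificate as non-validating and you still want the self-signed case to stand out.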

## References


  • ABB Security Advisory: [ABB B&R Automation Studio - CVE-2025-11043](https://www.abb.com/) (contact ABB PSIRT for the detailed advisory)
  • CISA: CVE-2025-11043 on [CISA.gov](https://www.cisa.gov/)
  • CWE: [CWE-295 - Improper Certificate Validation](https://cwe.mitre.org/data/definitions/295.html)
  • OPC Foundation: [OPC-UA Security Documentation](https://opcfoundation.org/)

---


Bottom Line for Security Teams: This is a textbook man-in-the-middle vulnerability in a platform used to program critical infrastructure automation. The HIGH CVSS score and the combination of eavesdropping and command injection make it a priority for any organization running B&R Automation Studio in production. Patching to version 6.5 should proceed within your standard SLA for high-severity vulnerabilities. Until every engineering workstation is on a patched build, treat the network path between workstations and controllers as the control: aggressive segmentation, restricted firewall rules, and monitoring of the TLS sessions themselves are what stands between an attacker with network access and your controllers.