Urgent Risks in Niagara Framework Endanger Global Smart Buildings and Industrial Systems

Critical Vulnerabilities Discovered in Tridium’s Niagara Framework

Security researchers have identified multiple vulnerabilities in Tridium's Niagara Framework, a widely deployed platform for managing building management systems. Under certain configurations, the flaws could allow an attacker on the same network to compromise the Niagara host and the systems connected to it.

Understanding the Niagara Framework

The Niagara Framework, developed by Tridium, an independent business entity of Honeywell, is a vendor-neutral platform for monitoring and controlling devices from many manufacturers, including heating, ventilation and air conditioning (HVAC), lighting, energy management, and security systems. Because of that flexibility, it is widely used in building management, industrial automation, and smart infrastructure.

Core Components of Niagara

The framework primarily consists of two components:

  1. Station: This element communicates with and manages the connected devices and systems.
  2. Platform: As the foundational software environment, it provides essential services to create, manage, and operate Stations effectively.

Exploitability of Vulnerabilities

According to a report from Nozomi Networks Labs, the vulnerabilities become exploitable when a Niagara system is misconfigured, in particular when encryption is disabled on a network service that should be protected. Such a misconfiguration gives an attacker on the network a foothold for lateral movement, which in turn can lead to wider operational disruption affecting safety, productivity, and stability.

High-Risk Issues Highlighted

Several of the vulnerabilities carry a critical Common Vulnerability Scoring System (CVSS) score. The most severe, together with the one that anchors the demonstrated attack chain, are:

  • CVE-2025-3936: Incorrect Permission Assignment for Critical Resource (CVSS score: 9.8)
  • CVE-2025-3937: Insufficient Computational Effort for Password Hashing (CVSS score: 9.8)
  • CVE-2025-3938: Missing Cryptographic Step (CVSS score: 9.8)
  • CVE-2025-3941: Improper Handling of Windows Alternate Data Stream (CVSS score: 9.8)
  • CVE-2025-3944: Incorrect Permission Assignment for Critical Resource (CVSS score: 9.8)
  • CVE-2025-3945: Improper Neutralization of Command Argument Delimiters (CVSS score: 9.8)
  • CVE-2025-3943: Sensitive Query Strings in GET Request Method (CVSS score: 7.3)

Nozomi Networks demonstrated that by chaining two of these vulnerabilities (CVE-2025-3943 and CVE-2025-3944), an attacker with access to the same network could fully compromise a device running Niagara, ending in remote code execution as root.

Mechanism of the Attack

The chain starts with CVE-2025-3943. The Station places its anti-CSRF (cross-site request forgery) refresh token in a GET query string, and that URL is written to the Station's logs. If the Syslog service is enabled and log messages are forwarded over an unencrypted channel, an attacker on the same network can read the token off the wire.

With the captured token, the attacker can mount a CSRF attack: an administrator who is tricked into opening a crafted link unknowingly enables a setting that logs the full content of incoming HTTP requests and responses. The attacker then reads the administrator's JSESSIONID session cookie from those logs, uses it to access the Niagara Station with administrative privileges, and creates a backdoor user for persistent access.
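The first two steps of the chain both depend on a secret (the anti-CSRF token, then the JSESSIONID cookie) being written into logs that the attacker can read. The script below is an added example, not code from Tridium or Nozomi Networks, of the check and the mitigation a practitioner would want on the log-forwarding side: it scans syslog-style lines for request URLs whose query strings carry credential-like parameters, and it redacts those values before the line leaves the host. The log format, the parameter names treated as sensitive, and the sample lines are all constructed for illustration and are not real Niagara output.

```python
"""Detect and redact secrets leaked through GET query strings in forwarded logs.

Added example, not Tridium's or Nozomi Networks' code. The syslog line
format, the SENSITIVE_KEYS heuristic and the sample lines are assumptions
made for illustration.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Substrings that mark a query parameter as credential-like (heuristic; assumed).
SENSITIVE_KEYS = ("token", "refresh", "session", "jsessionid",
                  "password", "passwd", "secret", "key", "csrf")

# Matches an HTTP request line embedded anywhere in a log message: METHOD URL
REQUEST_RE = re.compile(r"\b(GET|POST|PUT|DELETE|HEAD)\s+(\S+)")


def is_sensitive(name):
    """True if the parameter name looks like it carries a secret."""
    lowered = name.lower()
    return any(key in lowered for key in SENSITIVE_KEYS)


def find_leaked_params(line):
    """Return [(name, value), ...] for sensitive query params in any URL on the line."""
    leaks = []
    for _method, url in REQUEST_RE.findall(line):
        query = urlsplit(url).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if is_sensitive(name):
                leaks.append((name, value))
    return leaks


def redact_line(line, mask="REDACTED"):
    """Rewrite sensitive query parameter values so the secret never reaches syslog."""
    def _sub(match):
        method, url = match.group(1), match.group(2)
        parts = urlsplit(url)
        if not parts.query:
            return match.group(0)
        pairs = [(n, mask if is_sensitive(n) else v)
                 for n, v in parse_qsl(parts.query, keep_blank_values=True)]
        return f"{method} {urlunsplit(parts._replace(query=urlencode(pairs)))}"
    return REQUEST_RE.sub(_sub, line)


def scan(lines):
    """Return [(line_number, leaks), ...] for every line that leaks a secret."""
    findings = []
    for number, line in enumerate(lines, 1):
        leaks = find_leaked_params(line)
        if leaks:
            findings.append((number, leaks))
    return findings


# Constructed sample lines in an RFC 5424-like layout (hypothetical, not real Niagara logs).
SAMPLE_LINES = [
    "<134>1 2025-07-01T10:00:01Z station1 web - - - GET /status?view=1 200",
    "<134>1 2025-07-01T10:00:02Z station1 web - - - GET /login?refreshToken=ab12cd34ef56 200",
    "<134>1 2025-07-01T10:00:03Z station1 web - - - POST /api/update 200",
]

if __name__ == "__main__":
    # Detection: what would a sniffer on an unencrypted syslog channel see?
    for number, leaks in scan(SAMPLE_LINES):
        print(f"line {number}: leaked {leaks}")
    # Mitigation: the same lines as they should look before being forwarded.
    for line in SAMPLE_LINES:
        print(redact_line(line))
```

Redaction at the forwarder is a mitigation for the leak, not a substitute for the vendor fix: the token should not be in a GET query string at all, and syslog should be forwarded over TLS so that a network-adjacent attacker cannot read it in the first place.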

Advancing the Attack

Once administrative access is obtained, the attacker can download the private key associated with the device's TLS certificate. Because Station and Platform share the same certificate and key, that key lets the attacker mount an adversary-in-the-middle (AitM) attack against Platform traffic.

With control over the Platform, the attacker can then use CVE-2025-3944 to achieve root-level remote code execution, taking over the entire system. Following responsible disclosure, Tridium addressed these issues in updated versions of the Niagara Framework and Niagara Enterprise Security.

The Importance of Configuration and Security Measures

Because Niagara often interconnects critical systems and bridges operational technology (OT) and Internet of Things (IoT) devices with information technology (IT) networks, it is a high-value target. The vulnerabilities pose a serious threat to operational continuity and resilience, especially in installations that do not follow Tridium's security hardening guidelines.

The disclosure follows Nozomi Networks' identification of memory corruption flaws in the P-Net C library, an open-source PROFINET device stack, which could allow unauthenticated attackers to trigger denial-of-service (DoS) conditions on affected devices; one of the flaws can be used to drive the CPU to full utilization.

Several security flaws have also surfaced recently in devices such as Rockwell Automation's PowerMonitor 1000 and Bosch Rexroth's ctrlX CORE, with impacts ranging from unauthorized data access to command execution.

Overall, the importance of maintaining stringent security practices and adhering to system hardening guidelines is underscored by these discoveries in Tridium’s Niagara Framework and other connected devices.
