ABB B&R Automation Studio Plagued by Multiple SQLite Vulnerabilities
**ABB** has issued a security advisory addressing multiple vulnerabilities affecting **ABB B&R Automation Studio** versions prior to 6.5. The vulnerabilities, which stem from an outdated third-party component (**SQLite**), could lead to unauthorized access, data exposure, or remote code execution.
Multiple vulnerabilities have been identified in **ABB B&R Automation Studio** versions prior to 6.5, stemming from an outdated third-party **SQLite** component. While no successful exploitation has been observed during testing, these vulnerabilities pose a significant risk to industrial control systems.
### Affected Versions
The following versions are affected:
* B&R Automation Studio < 6.5
* B&R Automation Studio 6.5
These versions are susceptible to a range of issues tracked under the following **CVE** identifiers:
* **CVE-2025-6965**
* **CVE-2025-3277**
* **CVE-2023-7104**
* **CVE-2022-35737**
* **CVE-2020-15358**
* **CVE-2020-13632**
* **CVE-2020-13631**
* **CVE-2020-13630**
* **CVE-2020-13435**
* **CVE-2020-13434**
* **CVE-2020-11656**
* **CVE-2020-11655**
* **CVE-2019-19646**
* **CVE-2019-19645**
* **CVE-2019-8457**
* **CVE-2018-20506**
* **CVE-2018-20505**
* **CVE-2018-20346**
* **CVE-2018-8740**
* **CVE-2017-10989**
* **CVE-2016-6153**
* **CVE-2015-6607**
* **CVE-2015-5895**
* **CVE-2015-3717**
* **CVE-2015-3416**
### Vulnerability Details
The identified vulnerabilities encompass a range of critical issues, including:
* Numeric Truncation Error
* Heap-based Buffer Overflow
* Improper Restriction of Operations within Memory Bounds
* Out-of-bounds Write
* NULL Pointer Dereference
* Incorrect User Management
* Use After Free
* Integer Overflow or Wraparound
* Improper Check for Unusual Conditions
* Uncontrolled Recursion
* Out-of-bounds Read
* Improper Input Validation
* Exposure of Sensitive Information
* Classic Buffer Overflow
Specific examples include **CVE-2025-6965**, a numeric truncation error in **SQLite** versions before 3.50.2, and **CVE-2025-3277**, an integer overflow in **SQLite**'s `concat_ws()` function that leads to a heap-based buffer overflow.
### Impact
Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized access to systems, expose sensitive data, or execute arbitrary code remotely, potentially disrupting critical infrastructure operations.
### Mitigation
**ABB** has released an update that replaces the outdated third-party component. Users of affected versions are strongly advised to upgrade to the latest version of **ABB B&R Automation Studio** to mitigate these risks.
[View CSAF](https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-141-03.json)
### Background
* **Critical Infrastructure Sectors:** Energy
* **Countries/Areas Deployed:** Worldwide
* **Company Headquarters Location:** Switzerland