Critical DoS Vulnerability Discovered in B&R PPT30 Operating System Affecting Industrial Control Systems
A significant denial-of-service vulnerability, identified as **CVE-2025-11482**, has been found in the **B&R PPT30 Operating System**, impacting its **OPC-UA server**. This flaw, which carries a CVSS v3 score of 7.5, could allow unauthenticated attackers to render critical industrial control systems inaccessible. The vulnerability poses a particular risk to various critical infrastructure sectors globally.
Industrial automation giant **B&R** has issued an advisory regarding a critical vulnerability in its **PPT30 Operating System**, specifically affecting the **OPC-UA server**. The flaw, tracked as **CVE-2025-11482**, is an 'Allocation of Resources Without Limits or Throttling' (CWE-770) issue that could lead to a permanent denial of service.
### The Vulnerability: CVE-2025-11482
**CVE-2025-11482** allows an unauthenticated, network-based attacker to make the **OPC-UA server** of affected **B&R PPT30 Operating System** products inaccessible. The vulnerability stems from the server's insufficient handling of resources, allowing an attacker to exhaust them by sending specific malicious messages. This prevents legitimate users from interacting with the service, effectively shutting down critical operational capabilities.
### Affected Systems and Broader Impact
The vulnerability impacts **B&R PPT30 Operating System** version 1.8.0 and all earlier versions. The **PPT30 Operating System** serves as the firmware for **B&R PPT30 hardware products**, which are deployed worldwide across vital sectors. These include:
* Commercial Facilities
* Critical Manufacturing
* Energy
* Transportation Systems
* Water and Wastewater
The widespread deployment in these critical infrastructure sectors means that successful exploitation could have severe consequences, disrupting essential services and operations.
### Exploitation Scenario
An attacker could exploit **CVE-2025-11482** by gaining network access to an affected system node. This could be achieved either directly, through a misconfigured or compromised firewall, or by installing malicious software on a system node or infecting the network. Once network access is established, the attacker can send specially crafted messages to trigger the resource exhaustion, causing the **OPC-UA server** to become unresponsive.
### Recommendations for Robust Defense
**CISA**, which received the vulnerability report from **ABB PSIRT**, emphasizes the importance of implementing robust cybersecurity strategies for industrial control systems (ICS) to mitigate such risks. IT security professionals and organizations operating **B&R PPT30 Operating System** devices should prioritize the following defensive measures:
* **Minimize Network Exposure**: Ensure that no control system devices or systems are directly accessible from the internet. Limit network exposure to the absolute minimum required for operations.
* **Network Segmentation**: Place control system networks and remote devices behind firewalls and isolate them from broader business networks. This creates a defense-in-depth strategy, hindering an attacker's lateral movement.
* **Secure Remote Access**: When remote access is indispensable, utilize secure methods such as Virtual Private Networks (VPNs). Crucially, ensure VPNs are regularly updated to the latest versions and recognize that their security is contingent on the security of connected devices.
* **Physical Protection**: Implement physical security measures for process control systems to prevent unauthorized direct access.
* **Impact Analysis and Risk Assessment**: Conduct thorough impact analyses and risk assessments before deploying any defensive measures to understand potential operational implications.
* **Proactive Monitoring and Reporting**: Continuously monitor ICS assets for suspected malicious activity. Organizations observing such incidents should follow established internal procedures and report findings to **CISA** for broader correlation and response efforts.
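
One way to check the exposure and segmentation recommendations against observed traffic, as an added example that is not from the B&R or CISA advisory: the script scans flow records for connections that reach the OPC-UA port on PPT30 devices from outside an allowlisted control zone. The device addresses, zone subnet and CSV flow format are constructed assumptions; TCP 4840 is the IANA-registered OPC UA port and should be changed if the server listens elsewhere.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

OPCUA_PORT = 4840  # IANA-registered opc.tcp port; adjust to the deployed configuration

# Assumptions for this example: PPT30 panel addresses and the only zone
# that is permitted to reach their OPC-UA server.
PPT30_DEVICES = {ip_address("10.20.5.11"), ip_address("10.20.5.12")}
ALLOWED_ZONES = [ip_network("10.20.5.0/24")]

# Constructed flow records, not real traffic.
SAMPLE_FLOWS = """src,dst,dst_port,proto
10.20.5.40,10.20.5.11,4840,tcp
10.20.5.40,10.20.5.11,4840,tcp
192.168.50.7,10.20.5.11,4840,tcp
203.0.113.25,10.20.5.12,4840,tcp
192.168.50.7,10.20.5.12,443,tcp
not-an-ip,10.20.5.11,4840,tcp
192.168.50.7,10.20.5.11,4840,tcp
"""

def audit_opcua_exposure(flow_csv):
    """Return ({(src, dst): count} for out-of-zone OPC-UA flows, skipped_rows)."""
    violations = defaultdict(int)
    skipped = 0
    for row in csv.DictReader(io.StringIO(flow_csv)):
        try:
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
            port = int(row["dst_port"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # malformed record: count it rather than ignore it
            continue
        # Only TCP flows to the OPC-UA port of a listed PPT30 device matter here.
        if dst not in PPT30_DEVICES or port != OPCUA_PORT or row["proto"] != "tcp":
            continue
        # Any source outside the allowed zones is a segmentation gap.
        if not any(src in zone for zone in ALLOWED_ZONES):
            violations[(str(src), str(dst))] += 1
    return dict(violations), skipped

if __name__ == "__main__":
    found, bad = audit_opcua_exposure(SAMPLE_FLOWS)
    for (src, dst), n in sorted(found.items()):
        print(f"out-of-zone source {src} -> {dst}:{OPCUA_PORT} ({n} flows)")
    print(f"skipped malformed rows: {bad}")
```

Each reported pair is a path that firewall rules should block; the skipped-row count shows how much of the log could not be evaluated.
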
**B&R** discovered this vulnerability through its own security analysis and, as of the advisory's issuance, had not received reports of exploitation in the wild. However, proactive patching and adherence to recommended security practices are paramount to protect critical infrastructure from this and similar threats.