👾 Join us August 4–10 in Las Vegas for Hacker Summer Camp! Learn More

On This Page:

  1. Latest Tridium Niagara vulnerabilities
  2. What is the impact?
  3. Are updates or workarounds available?
  4. How to find potentially vulnerable systems with runZero

How to find Tridium Niagara instances on your network

Matthew Kienow
|
Updated

Latest Tridium Niagara vulnerabilities #

Tridium (a Honeywell company) has disclosed ten vulnerabilities in certain versions of Niagara Framework and Niagara Enterprise Security.

  • The use of a password hash with insufficient computational effort leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3937 and has been rated high with a CVSS score of 7.7.
  • Incorrect permission assignment for critical system resources may allow an adversary to manipulate sensitive files, potentially leading to unauthorized data alteration, system instability, or privilege escalation. This vulnerability has been designated CVE-2025-3944 and has been rated high with a CVSS score of 7.2.
  • Argument delimiters are not properly neutralized potentially allowing an adversary to inject argument and control the executed command. This vulnerability has been designated CVE-2025-3945 and has been rated high with a CVSS score of 7.2.
  • A critical cryptographic step was omitted or incorrectly performed undermining the security strength and leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3938 and has been rated medium with a CVSS score of 6.8.
  • Incorrect permission assignment for a critical resource may be exploited allowing an adversary to bypass intended access control security levels, potentially leading to unauthorized access, modification, or deletion of a security-critical resource. This vulnerability has been designated CVE-2025-3936 and has been rated medium with a CVSS score of 6.5.
  • Improper handling of the Windows ::DATA Alternate Data Stream (ADS) may allow an adversary to manipulate input data, potentially leading to unexpected application behavior. This vulnerability has been designated CVE-2025-3941 and has been rated medium with a CVSS score of 5.4.
  • Through observable discrepancies in system responses when processing cryptographic operations or sensitive data, this vulnerability leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3939 and has been rated medium with a CVSS score of 5.3.
  • Incorrect or insufficient use of an input validation framework allows an adversary to manipulate input data, circumventing intended security checks and potentially leading to other issues. This vulnerability has been designated CVE-2025-3940 and has been rated medium with a CVSS score of 5.3.
  • Improper neutralization of untrusted input when writing data to log files may allow an adversary to inject malicious data into log entries. This vulnerability has been designated CVE-2025-3942 and has been rated medium with a CVSS score of 4.3.
  • The anti-CSRF refresh token appears within HTTP GET request query strings allowing an adversary to potentially capture the sensitive parameter and perform parameter injection attacks. This vulnerability has been designated CVE-2025-3943 and has been rated medium with a CVSS score of 4.1.

The following versions are affected

  • Niagara Framework and Niagara Enterprise Security versions 0 through 4.10.10 (4.10u10)
  • Niagara Framework and Niagara Enterprise Security versions 0 through 4.14.1 (4.14u1)
  • Niagara Framework and Niagara Enterprise Security versions 0 through 4.15

What is the impact? #

A proposed exploit chain involving two of these vulnerabilities (CVE-2025-3943CVE-2025-3944) carries a prerequisite that the Niagara system has been misconfigured, disabling encryption on a Niagara device. This misconfiguration should produce a warning on the security dashboard, which would need to remain unaddressed by system administrators. Successful exploitation of these vulnerabilities, under specific conditions, could enable an adjacent adversary to compromise both the Station and Platform environments, and achieve arbitrary code execution on the device.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

  • Niagara Framework and Niagara Enterprise Security to version 4.10.11 (4.10u11) and later releases
  • Niagara Framework and Niagara Enterprise Security to version 4.14.2 (4.14u2) and later releases
  • Niagara Framework and Niagara Enterprise Security to version 4.15.1 (4.15u1) and later releases

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate potentially vulnerable assets:

os:Tridium hw:Niagara

Written by Matthew Kienow

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

More about Matthew Kienow
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more

Watch Now • On Demand
Vulnerability management is broken: what's the fix?

HD Moore and Omdia analyst Rik Turner discuss why traditional vulnerability management is struggling in modern IT infrastructures, why CVEs don’t tell the full story, and why prioritization alone isn’t enough to close critical security gaps.

Watch Now
runZero Hour, Episode 17
The State of Vuln Management, Our Approach, and a Deep Dive into New Risk Findings
On this special edition of runZero Hour, join VP of Security Research Tod Beardsley and Security Research Director Rob King for a deep dive into the future of exposure management.
Watch Now
Product Release
Tackling the New Era of Exposure Management
Fixing what’s broken with legacy tools and overcoming decades-old problems requires a new approach. Dive into how we do it at runZero.
Read More
Webcast
The Unreasonable Effectiveness of Inside Out Attack Surface Management
HD Moore, founder of runZero (and previously Metasploit), presents new research that will forever redefine how you approach attack surface management.
Watch Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
© Copyright 2025 runZero, Inc. All Rights Reserved