runZero to join Dragos, creating an industry-transforming security platform backed by $4B Accenture investment. More

runZero CAASM

On This Page:

  1. Latest Tridium Niagara vulnerabilities
  2. What is the impact?
  3. Are updates or workarounds available?
  4. How to find potentially vulnerable systems with runZero

How to find Tridium Niagara instances on your network

Matthew Kienow
|
Updated

Latest Tridium Niagara vulnerabilities #

Tridium (a Honeywell company) has disclosed ten vulnerabilities in certain versions of Niagara Framework and Niagara Enterprise Security.

  • The use of a password hash with insufficient computational effort leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3937 and has been rated high with a CVSS score of 7.7.
  • Incorrect permission assignment for critical system resources may allow an adversary to manipulate sensitive files, potentially leading to unauthorized data alteration, system instability, or privilege escalation. This vulnerability has been designated CVE-2025-3944 and has been rated high with a CVSS score of 7.2.
  • Argument delimiters are not properly neutralized potentially allowing an adversary to inject argument and control the executed command. This vulnerability has been designated CVE-2025-3945 and has been rated high with a CVSS score of 7.2.
  • A critical cryptographic step was omitted or incorrectly performed undermining the security strength and leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3938 and has been rated medium with a CVSS score of 6.8.
  • Incorrect permission assignment for a critical resource may be exploited allowing an adversary to bypass intended access control security levels, potentially leading to unauthorized access, modification, or deletion of a security-critical resource. This vulnerability has been designated CVE-2025-3936 and has been rated medium with a CVSS score of 6.5.
  • Improper handling of the Windows ::DATA Alternate Data Stream (ADS) may allow an adversary to manipulate input data, potentially leading to unexpected application behavior. This vulnerability has been designated CVE-2025-3941 and has been rated medium with a CVSS score of 5.4.
  • Through observable discrepancies in system responses when processing cryptographic operations or sensitive data, this vulnerability leaves the system susceptible to cryptanalysis by an adversary. This vulnerability has been designated CVE-2025-3939 and has been rated medium with a CVSS score of 5.3.
  • Incorrect or insufficient use of an input validation framework allows an adversary to manipulate input data, circumventing intended security checks and potentially leading to other issues. This vulnerability has been designated CVE-2025-3940 and has been rated medium with a CVSS score of 5.3.
  • Improper neutralization of untrusted input when writing data to log files may allow an adversary to inject malicious data into log entries. This vulnerability has been designated CVE-2025-3942 and has been rated medium with a CVSS score of 4.3.
  • The anti-CSRF refresh token appears within HTTP GET request query strings allowing an adversary to potentially capture the sensitive parameter and perform parameter injection attacks. This vulnerability has been designated CVE-2025-3943 and has been rated medium with a CVSS score of 4.1.

The following versions are affected

  • Niagara Framework and Niagara Enterprise Security versions 0 through 4.10.10 (4.10u10)
  • Niagara Framework and Niagara Enterprise Security versions 0 through 4.14.1 (4.14u1)
  • Niagara Framework and Niagara Enterprise Security versions 0 through 4.15

What is the impact? #

A proposed exploit chain involving two of these vulnerabilities (CVE-2025-3943CVE-2025-3944) carries a prerequisite that the Niagara system has been misconfigured, disabling encryption on a Niagara device. This misconfiguration should produce a warning on the security dashboard, which would need to remain unaddressed by system administrators. Successful exploitation of these vulnerabilities, under specific conditions, could enable an adjacent adversary to compromise both the Station and Platform environments, and achieve arbitrary code execution on the device.

Are updates or workarounds available? #

Users are encouraged to update to the latest version as quickly as possible:

  • Niagara Framework and Niagara Enterprise Security to version 4.10.11 (4.10u11) and later releases
  • Niagara Framework and Niagara Enterprise Security to version 4.14.2 (4.14u2) and later releases
  • Niagara Framework and Niagara Enterprise Security to version 4.15.1 (4.15u1) and later releases

How to find potentially vulnerable systems with runZero #

From the Asset Inventory, use the following query to locate potentially vulnerable assets:

os:Tridium hw:Niagara

Written by Matthew Kienow

Matthew Kienow is a software engineer and security researcher. Matthew previously worked on the Recog recognition framework, AttackerKB as well as Metasploit's MSF 5 APIs. He has also designed, built, and successfully deployed many secure software solutions; however, often he enjoys breaking them instead. He has presented his research at various security conferences including DerbyCon, Hack In Paris, and CarolinaCon. His research has been cited by CSO, Threatpost and SC Magazine.

More about Matthew Kienow
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Explore more runZero

Product
Announcing runZero 4.9: Unmask attack paths and segmentation gaps with advanced topology and deep OT device intelligence
With runZero 4.9, visualize attacker lateral movement, harden network choke points, gain deep OT telemetry to secure converged environments, and more.
Read More
Webcasts
runZero Hour, Ep. 30: Segmentation - stop assuming & start verifying with runZero 4.9
See runZero 4.9 in action! Join HD Moore and Tod Beardsley to learn how interactive attack path mapping and advanced OT intelligence expose hidden...
Watch Now
Product Videos
runZero 4.9: Advanced topology, attack path mapping, & deep OT intelligence
With runZero 4.9, visualize attacker lateral movement, harden network choke points, gain deep OT telemetry to secure converged environments, and more.
Watch Now
runZero Perspective
Dawn of the apex agentic adversary
When agentic AI can weaponize exploits in seconds, visibility is everything. Stop the predator with runZero’s exposure management for the AI-attack...
Read More
Webcasts
Defending in the shadow era: when the CVE feed goes dark
HD Moore walks through the three eras of vulnerability management: the predictable cycles era, the triage ara of AI-scale discovery, and now the...
Watch Now
Webcasts
runZero Hour, Ep. 31: The New Rules of Risk: EPSS v5 and Agentic Adversaries
In this episode, learn how your security team can use EPSS v5 to inform daily risk decisions in a world increasingly targeted by the apex agentic...
Watch Now
Webcasts
Beyond the Zero-Day: Mapping the network attackers actually see
Breaches are inevitable. Learn from HD Moore how attackers exploit the seams between IT, IoT, and OT networks — and how to fix the segmentation...
Watch Now
Podcasts
Risky Biz Interview: Navigating the AI vibe shift with HD Moore
runZero Founder and CEO HD Moore drops by in this week's Risky Biz sponsor interview to talk about the concerning AI vibe shift and what to do...
Watch Now

See Results in Minutes

See & secure your total attack surface. Even the unknowns & unmanageable.

Try runZero for Free
runZero CAASM
© Copyright 2026 runZero, Inc. All Rights Reserved