On May 5, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) republished an advisory originally issued by ABB, drawing fresh attention to a critical denial-of-service (DoS) vulnerability in B&R Automation Runtime. Tracked as CVE-2025-11044, the flaw enables an unauthenticated attacker to disrupt industrial control systems (ICS) with nothing more than network access. The fix is available in Automation Runtime versions 6.5 and R4.93, and the agency is urging critical infrastructure operators to patch immediately.

This isn't a routine IT update. Automation Runtime is the core execution engine inside B&R industrial controllers – the brains behind factory floors, process plants, and energy grids. A successful exploit doesn't steal data or escalate privileges; it crashes the runtime, halting automated processes and potentially triggering costly downtime or unsafe conditions.

What Is B&R Automation Runtime?

B&R, an ABB company since 2017, specializes in industrial automation hardware and software. Its Automation Runtime operating system runs on controllers like the X20 and X90 series, as well as on industrial PCs that often rely on Windows or a real-time kernel. The runtime interprets compiled control logic, manages I/O, and handles fieldbus communication – making it indispensable for real-time machine control.

Engineers write programs in B&R’s Automation Studio IDE, then deploy them to targets running Automation Runtime. From packaging machines to hydroelectric turbines, these systems operate continuously for years. Downtime is measured in lost revenue per minute, and in some sectors, a process stoppage can endanger workers or the environment.

CVE-2025-11044: Unauthenticated Network DoS

According to the advisory, CVE-2025-11044 exists in all versions of Automation Runtime prior to 6.5 and prior to R4.93 – two historical version lines that track separate product evolutions. An unauthenticated attacker with network access to a vulnerable controller can send a malicious payload that triggers a crash, forcing the runtime into a non-responsive state. The exact mechanism hasn't been publicly detailed, but the fact that no credentials are required makes any exposed system a target.

Industrial control networks were once air-gapped by default, but modern Industry 4.0 initiatives have blurred the perimeter. Many B&R controllers now sit on segmented corporate LANs or even connect indirectly to the internet via remote access gateways. The advisory doesn't clarify whether the attack requires TCP, UDP, or a specific port, but the term “network attacker” suggests the vector is accessible over standard IP connections.

CISA assigned the vulnerability a CVSS v4 score of 6.9 (Medium), which might downplay the real-world impact. In ICS environments, availability is paramount. A DoS that forces a safety controller offline can cascade into emergency shutdowns, physical damage, or regulatory violations. Organizations using these systems in chemical, water, or energy sectors should treat this as a high-severity issue regardless of the score.

Products Known to Be Affected

ABB has confirmed that Automation Runtime is the vulnerable component, meaning any B&R controller running a version below the patched releases is at risk. This includes, but is not limited to:

  • Automation PC 910/2200 – Windows-based industrial PCs often used for HMI and soft-PLC tasks.
  • X20/X67 I/O system controllers – Modular PLCs widely deployed in machine building.
  • X90 mobile controllers – Ruggedized units for mobile machinery and off-highway vehicles.
  • Panel PC 800/2100 – Multifunction HMI panels with integrated logic control.
  • SafeLOGIC controllers – Safety-rated CPUs for SIL2/SIL3 applications.

Because Automation Runtime abstracts the hardware, any product that boots into this OS is susceptible unless updated. Industrial PCs running full Windows 10 or 11 with the runtime installed could also be impacted, blurring the line between OT and IT security responsibilities.

The Real-World Risk to Operations

To exploit CVE-2025-11044, an attacker needs connectivity. In many plants, that connectivity already exists. Machine builders often leave ports like Telnet, FTP, or B&R’s own PVI (Process Visualization Interface) open for remote diagnostics. A Shodan search for B&R services reveals thousands of exposed devices globally, though many require authentication for write operations. A DoS vulnerability that works without credentials, however, changes the threat model entirely.

An organized attack could systematically crash dozens of controllers across a production line, halting output for hours or days. Even a single packet flood from a misconfigured switch or a stray network scan could inadvertently trigger the bug. Given that many factories lack robust change management, patching often gets delayed, leaving windows of exposure that stretch into months or years.

How to Mitigate CVE-2025-11044

ABB has released remediated versions: Automation Runtime 6.5 and Automation Runtime R4.93. Installing these updates is the primary countermeasure. However, updating a live industrial controller is rarely as simple as clicking “Install” during a lunch break. Validation testing on a backup system is essential to avoid introducing new problems that could stop production.

Until patching is complete, asset owners should implement these defensive layers:

  • Network segmentation – Place all industrial controllers behind firewalls that deny unsolicited inbound traffic from IT or guest networks. Use IEC 62443 zones and conduits to isolate safety and process-critical segments.
  • Access control lists (ACLs) – Restrict access to B&R default ports (e.g., 11159/TCP for PVI, 4000/TCP for SNMP, 21/TCP for FTP if enabled) so that only trusted engineering workstations can reach them.
  • Disable unused services – Turn off diagnostic interfaces, web servers, and other listening services that aren't essential for operation.
  • Monitor for anomalous traffic – Deploy OT-aware intrusion detection systems (IDS) to flag bursts of packets aimed at controller IP addresses.
  • Apply network hardening – Follow B&R’s secure deployment guides, including the use of VPNs for remote connections and disabling default accounts.

CISA’s Recommendations for Critical Infrastructure

CISA’s advisory (ICSA-26-125-01) reiterates standard OT security practices: assume compromise, minimize network exposure, and segment relentlessly. It also references the NIST SP 800-82 guide for industrial control system security and urges organizations to report incidents to CISA’s 24/7 operations center. The agency emphasizes that even medium-severity vulnerabilities in ICS must be treated with urgency because the consequences of exploitation extend far beyond data loss.

Additionally, CISA recommends:

  • Conducting a thorough inventory of all B&R controllers, including firmware and runtime versions.
  • Risk-ranking assets based on process criticality to prioritize patching.
  • Testing patches in a staging environment that mirrors the live setup.
  • Having a rollback plan in case a patch introduces instability.

These steps are labor-intensive, especially for facilities with hundreds of controllers. But the alternative – an unplanned production outage – almost always carries higher costs.

OT Patching: A Persistent Challenge

Vulnerabilities like CVE-2025-11044 highlight the tension between IT-style vulnerability management and OT operational constraints. Industrial plants often run validated configurations that cannot be altered without re-validation, which requires co-ordination with process engineers, quality control, and sometimes regulators. As a result, the median time to patch in OT environments stretches well into months, if not years.

The 2025 SANS OT/ICS Cybersecurity Survey found that 34% of respondents cited “operational disruption risk” as the primary barrier to patching. Another 28% pointed to “lack of visibility into asset firmware versions.” Automation Runtime fits right into that blind spot: its version numbers aren’t always prominent in network scans, and many sites discover the runtime’s vintage only after an incident.

For Windows-centric IT teams supporting OT, the automation runtime is a foreign element. It isn’t updated via Windows Update or WSUS; it requires ABB’s Automation Studio toolchain and possibly a physical local connection. Bridging that gap demands closer collaboration between IT security, automation engineers, and the equipment vendor.

What’s Next: Industry Response and Looking Ahead

ABB has not reported any active exploitation of CVE-2025-11044 in the wild, but the republishing by CISA often signals an elevated threat – either because of proof-of-concept availability or because the agency observed reconnaissance targeting the affected systems. Regardless, the window is open, and threat actors know it.

For the ICS community, this advisory is a reminder that traditional perimeter defenses are insufficient. The Purdue model’s strict separation of IT and OT is eroding under digital transformation pressures, and every new connection broadens the attack surface. Asset owners should leverage this event to re-evaluate how they segment automation networks and whether their patch management workflows can respond to critical advisories within 72 hours – an expectation set by many government agencies.

The path forward is clear: patch to Automation Runtime 6.5 or R4.93, harden network controls, and treat industrial controllers with the same vigilance once reserved for domain controllers. In an era where a single packet can send a production line dark, the cost of inaction is measured in hours of silence.