The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has republished an ABB PSIRT advisory warning that CVE-2025-31115, a high-severity vulnerability in the XZ Utils data compression library, exposes multiple B&R Industrial Automation terminal products to potential compromise. The advisory, originally designated SA26P009 and republished by CISA on June 30, 2026, follows the discovery that the flaw can be exploited to execute arbitrary code or cause denial of service on affected devices, prompting an urgent call for asset owners to apply fixed Terminal OS releases.
The Vulnerability: CVE-2025-31115 in XZ Utils
CVE-2025-31115 resides in the widely used XZ Utils software package, a dependency integrated into countless firmware and operating system distributions for compression and decompression tasks. While technical specifics remain limited in the public advisory, the vulnerability is understood to allow maliciously crafted files to trigger memory corruption or unauthorized code execution during decompression routines. This attack vector is especially dangerous in industrial environments, where compressed data may be transmitted across networks or extracted from untrusted sources.
XZ Utils has historically been considered a robust component, but recent years have exposed critical weaknesses. The discovery of CVE-2024-3094, a sophisticated supply-chain backdoor planted into XZ Utils in early 2024, heightened awareness of the library’s security importance. CVE-2025-31115 represents a more conventional code-level bug, yet its implications for operational technology (OT) networks are profound given the limited patch management cadence and the difficulty of segmenting legacy systems.
Affected Products and the ABB PSIRT Advisory
The advisory from ABB’s Product Security Incident Response Team (PSIRT) specifically identifies B&R Industrial Automation terminal products—including human-machine interface (HMI) panels, industrial PCs, and control terminals—as susceptible. B&R, a subsidiary of ABB, provides automation solutions deployed globally in manufacturing, energy, and critical infrastructure. These terminals often run custom Linux-based operating systems (Terminal OS) that incorporate XZ Utils for various system functions.
According to the advisory, all versions of B&R Terminal OS prior to the latest fixed releases may be vulnerable. CISA’s republication amplifies the message to U.S. critical infrastructure sectors, as the agency’s Industrial Control Systems (ICS) advisories are a key mechanism for alerting asset owners to urgent OT threats. The advisory’s reference number SA26P009 follows ABB’s internal numbering scheme, and the June 30, 2026 republish date indicates both the growing public visibility of the flaw and the coordinated effort to mitigate it.
A Closer Look at the Exploitation Risk
Although the advisory does not disclose detailed proof-of-concept code, exploitation scenarios likely fall into two categories: remote code execution (RCE) through specially crafted archive files, or local privilege escalation if an attacker has already gained limited access to a terminal. In industrial settings, HMIs often maintain persistent network connections to programmable logic controllers (PLCs) and supervisory systems, making any compromise potentially devastating. An attacker who seizes control of an HMI could manipulate process values, issue unsafe commands, or pivot deeper into the OT network.
The vulnerability’s severity is compounded by the fact that XZ Utils is a low-level library; patches must be applied at the OS level rather than through a simple application update. For many B&R terminal users, this means a full Terminal OS upgrade, which requires careful planning, testing, and often a production shutdown window. The operational inertia inherent in 24/7 manufacturing lines means that delayed patching is the norm, not the exception.
B&R’s Response: Fixed Terminal OS Releases
B&R has responded by releasing updated Terminal OS versions that backport the necessary XZ Utils fixes or upgrade the library to a non-vulnerable version. The advisory likely enumerates specific build numbers and instructions for verifying patch status. While the exact versions are not detailed in the public excerpt, the advisory’s emphasis on “fixed Terminal OS re…” suggests that downloadable images or update bundles are available through B&R’s support portal.
Asset owners are urged to consult the official ABB PSIRT advisory for a complete list of affected products and remediation steps. Typical guidance includes:
- Immediately isolating terminals that cannot be patched from untrusted networks.
- Validating the integrity of all compressed files processed on terminals.
- Restricting user permissions to minimize the impact of privilege escalation.
- Deploying the fixed Terminal OS as part of a scheduled maintenance window.
CISA’s Role and the ICS Advisory Ecosystem
CISA’s republication of vendor advisories is a critical function of its ICS-CERT program. By validating and redistributing the information on its own platform, CISA increases the likelihood that asset owners—especially smaller utilities and manufacturers lacking dedicated cybersecurity teams—will become aware of the threat. The agency also maps vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog when active exploitation is detected, though it is unclear whether CVE-2025-31115 has reached that threshold yet.
This advisory surfaces at a time when regulators and the ICS community are debating mandatory incident reporting and minimum security standards for OT environments. The U.S. Cybersecurity and Infrastructure Security Agency’s own Cyber Performance Goals for critical infrastructure stress patching high-severity vulnerabilities within risk-informed timeframes. With CVE-2025-31115, the clock is already ticking for operators who rely on B&R terminals.
The Wider XZ Utils Security Challenge
The XZ Utils library has evolved from a niche compression tool into a fundamental building block of modern Linux distributions. From containers to embedded firmware, its presence is so pervasive that a single vulnerability can cascade across thousands of product lines. The B&R advisory is only the most recent example; it follows a pattern where vulnerabilities in ubiquitous open-source components disrupt industrial supply chains.
For ICS asset owners, this underscores the need for software bill of materials (SBOM) visibility into the components embedded in their devices. A terminal’s operating system may list “XZ Utils” as a package but not reveal whether it’s a vulnerable version. In practice, identifying every instance of a vulnerable library across an entire plant floor often requires specialized scanning tools and manual asset inventories.
Patching Realities in Industrial Environments
Applying the B&R Terminal OS fix is not as straightforward as clicking “update.” The industrial control world operates under strict change management procedures intended to prevent unplanned downtime. Every patch must be qualified in a test environment that accurately mirrors the production configuration—a challenge when many OT systems are custom-configured over years of incremental changes. Furthermore, security patches may introduce regressions that disrupt real-time control loops, making operators wary of rushing remediation.
This tension creates a window of opportunity for attackers. Even after a patch is released, months can pass before it is deployed broadly. During that period, threat actors may reverse-engineer the vulnerability from the patch itself or from early public disclosures. The advisory’s republication by CISA typically occurs after enough operators have been privately notified, but it also signals that the information has moved from a controlled channel to a broader audience, raising the urgency.
Guidance for B&R Terminal Users
For any organization using B&R industrial terminals, the immediate steps are clear:
1. Determine whether your Terminal OS version is affected by referencing the advisory’s affected-versions list.
2. If affected, download the fixed OS image from B&R’s support site and begin testing in a staging environment.
3. Engage your OT security team to assess whether any interim mitigations—such as network segmentation or access controls—can be implemented without waiting for the patch.
4. Schedule the patch deployment during the next available maintenance window, ensuring that operational downtime is minimized.
5. After patching, verify that the XZ Utils package version has been updated and that no other dependencies were broken.
If direct patching is impossible due to platform end-of-life or custom firmware, consider compensating controls such as application whitelisting, stricter ingress filtering, and continuous monitoring for abnormal HMI behavior.
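The SBOM-visibility problem raised earlier and step 5 above (confirming the XZ Utils package version after the upgrade) both reduce to the same check: find every xz-family component in an inventory and compare its version with the fixed one. The script below is an added example written for this article; it is not code from ABB, B&R, CISA or the advisory. The SBOM it parses is a constructed CycloneDX-style document, the set of package names it matches is an assumption about common distribution naming, and the fixed version is a parameter the operator supplies from the advisory, because the page does not state it.

```python
"""Flag xz/liblzma components below a fixed version in an SBOM or on a host.

Added example, not vendor code. The fixed version is NOT given in the
article; callers pass the value named in the ABB PSIRT advisory.
"""
import json
import re

# Assumption: package names under which XZ Utils / liblzma commonly ship.
XZ_PACKAGE_NAMES = {"xz", "xz-utils", "xz-libs", "liblzma", "liblzma5"}


def parse_version(text):
    """Reduce '5.4.1', '5.4.1-0.2' or '5.4.1+dfsg' to a comparable int tuple.

    Only the leading dotted-numeric part is compared; distro suffixes are
    ignored, which is enough for an upstream-version threshold.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(version, fixed):
    """True when `version` is strictly older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def find_xz_components(sbom, fixed):
    """Return (name, version, vulnerable) for xz-family entries in a
    CycloneDX-style SBOM dict."""
    hits = []
    for comp in sbom.get("components", []):
        if comp.get("name", "").lower() in XZ_PACKAGE_NAMES:
            ver = comp.get("version", "")
            hits.append((comp["name"], ver, is_vulnerable(ver, fixed)))
    return hits


def parse_xz_version_output(output):
    """Extract the liblzma version from `xz --version` output, which prints
    two lines such as 'xz (XZ Utils) 5.4.5' and 'liblzma 5.4.5'.
    The decompression code lives in liblzma, so that line is the one
    that matters for a post-patch check."""
    m = re.search(r"^liblzma\s+(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no liblzma line found in xz --version output")
    return m.group(1)


# Constructed sample SBOM (CycloneDX JSON shape); not a real B&R document.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "xz-utils", "version": "5.4.1-0.2"},
    {"type": "library", "name": "liblzma5", "version": "5.4.1-0.2"},
    {"type": "library", "name": "zlib", "version": "1.2.13"}
  ]
}""")

if __name__ == "__main__":
    # Placeholder threshold for the demo run; take the real value from the advisory.
    for name, ver, vuln in find_xz_components(SAMPLE_SBOM, fixed="5.4.2"):
        print(f"{name} {ver}: {'VULNERABLE' if vuln else 'at or above fixed'}")
```

Two caveats apply when using a check like this on B&R terminals. First, the article notes that the fix may arrive as a backport rather than a version bump, so a version comparison alone cannot prove a terminal is patched; the authoritative signal is the Terminal OS release number in the advisory's fixed-versions list. Second, run the `xz --version` parser only on output captured from the device itself, since an SBOM reflects what the image was built from, not what a field-modified terminal is running today.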
Supply Chain Lessons from CVE-2025-31115
The B&R advisory is a textbook illustration of a third-party component vulnerability propagating through the industrial supply chain. ABB and its subsidiary are not themselves the original developers of XZ Utils, yet they must scramble to patch and notify customers. This dynamic reinforces the value of coordinated vulnerability disclosure (CVD) and the need for OEMs to track upstream dependencies and maintain active communication with their customers.
The incident also highlights the ongoing challenge of securing open-source software in operational technology. While open-source libraries accelerate innovation and reduce costs, they also inherit whatever vulnerabilities emerge from the community maintainers. For ICS vendors, rigorous regression testing and a dedicated PSIRT are no longer optional—they are fundamental obligations.
Looking Ahead: What to Expect
With the advisory now public and attracting CISA’s attention, security researchers will undoubtedly analyze the patch to understand the precise mechanism of CVE-2025-31115. It is possible that exploit code will surface on repositories like GitHub or Exploit-DB, increasing the risk for laggard patchers. Organizations that fail to act within the next 30–60 days may find themselves facing active exploitation attempts, as has been the case with many previously cataloged ICS vulnerabilities.
The broader ICS community should also anticipate further XZ Utils-related advisories across other vendors. The library’s ubiquity means B&R is unlikely to be the only affected product line. Asset owners who have not yet completed a dependency analysis for all their OT endpoints should prioritize doing so now, treating CVE-2025-31115 as a catalyst for an overdue software inventory exercise.
In the end, the most effective defense is a proactive patch management program that balances safety and security imperatives. For B&R terminal users, the path forward is well-defined but demands immediate attention. The fixed Terminal OS release is the definitive solution; every day of delay widens the gap through which a determined attacker might slip.