CISA has re-published an advisory from ABB on May 5, 2026, warning industrial operators that B&R Automation Studio versions prior to 6.5 contain a critical certificate validation flaw. The vulnerability, tracked as CVE-2025-11043, allows an attacker with network access to perform man-in-the-middle (MITM) attacks against engineering workstations communicating with industrial controllers. This exposes sensitive data and opens the door to malicious manipulation of automation processes.
The flaw resides in the way Automation Studio handles server certificates during TLS connections for OPC UA and ANSL protocols. Instead of properly verifying the authenticity of the server, the client blindly trusts any certificate presented, leaving no defense against impersonation. ABB and CISA urge immediate upgrading to version 6.5 or later to eliminate the risk.
Understanding the CVE-2025-11043 Vulnerability
ABB’s B&R Automation Studio is a widely used engineering environment for programming and configuring industrial automation systems. Typically running on Windows-based workstations, it communicates with programmable logic controllers (PLCs), drives, and I/O modules over industrial networks. Two key protocols anchoring these interactions are OPC Unified Architecture (OPC UA) and the Automation Network Service Protocol (ANSL). Both support TLS encryption to secure data in transit. However, the effectiveness of TLS hinges on rigorous certificate validation. Without it, the encryption becomes worthless against an active adversary. CVE-2025-11043 breaks that trust chain.
OPC UA, a standard for industrial interoperability, depends on X.509 certificates for mutual authentication. When an Automation Studio OPC UA client connects to a server—say, a PLC or SCADA gateway—it must validate the server’s certificate against a trusted root, check revocation status, and ensure the certificate matches the intended hostname. If any step fails, the connection should be aborted. Automation Studio prior to 6.5 skipped these checks, simply accepting any certificate presented. The same weak validation applied to ANSL-over-TLS connections, a proprietary protocol used for direct communication with B&R devices. An attacker positioned between the workstation and the target device can present a self-signed or rogue certificate and intercept or alter all traffic.
Technical Deep Dive: Where Certificate Validation Fails
TLS relies on a public key infrastructure (PKI) to establish trust. During the handshake, the server sends its certificate chain. The client must:
- Verify the certificate signature against a trusted CA root.
- Check the certificate’s validity period and revocation status.
- Confirm that the certificate’s Subject or Subject Alternative Name matches the server’s identity.
Automation Studio’s flawed implementation either omitted these steps entirely or allowed a bypass. ABB’s advisory does not disclose the exact programming error, but the result is clear: no meaningful authentication occurs. This is not a subtle cryptographic bug—it is a fundamental omission, akin to leaving the front door wide open while locking the windows.
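The three client-side checks listed above, carried out in Go as an added example (not code from ABB, B&R or the advisory): it builds an in-memory plant CA, a PLC certificate issued by it and an attacker-style self-signed certificate carrying the same name, then runs the validation a correct OPC UA or ANSL client must perform before trusting the peer. The names plant-ca.local and plc-01.plant.local are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert: certificate for name signed by parent (nil = self-signed CA); in-memory keys for this example, errors elided.
func mkCert(name string, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // hostname matching uses the SAN, not the CN
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil { // the plant root CA, or an attacker's rogue certificate
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// verifyServer performs the checks listed above: chain to a trusted root, validity window at
// time now, and a name match against the host the client meant to reach; pre-6.5 skipped them all.
func verifyServer(presented *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}
// runScenarios returns the outcome per case; only the genuine PLC certificate should be nil.
func runScenarios() map[string]error {
	ca, caKey := mkCert("plant-ca.local", nil, nil)
	plc, _ := mkCert("plc-01.plant.local", ca, caKey)
	rogue, _ := mkCert("plc-01.plant.local", nil, nil) // right name, no trusted issuer (MITM)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	now := time.Now()
	return map[string]error{
		"genuine PLC":       verifyServer(plc, roots, "plc-01.plant.local", now),
		"rogue self-signed": verifyServer(rogue, roots, "plc-01.plant.local", now),
		"wrong hostname":    verifyServer(plc, roots, "plc-02.plant.local", now),
		"expired":           verifyServer(plc, roots, "plc-01.plant.local", now.Add(48*time.Hour)),
	}
}
```

A client that returns nil for the rogue case is exactly the pre-6.5 behaviour the advisory describes: the TLS session is encrypted, but to whoever answered.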
An attacker with access to the same network segment as the engineering workstation can employ ARP spoofing, DNS poisoning, or other redirection techniques to become a man-in-the-middle. When the workstation initiates a TLS connection to, say, an OPC UA server at 192.168.1.10, the attacker intercepts the traffic, presents a fake certificate, and establishes two separate encrypted sessions: one with the workstation and one with the real server. The attacker sees all credentials, process values, and commands in plaintext. They can also modify data on the fly—injecting false sensor readings, altering setpoints, or triggering unsafe states.
Attack Scenarios in Industrial Environments
Industrial control systems (ICS) often run for years without updates, and network segmentation is frequently lax. An attacker who has already gained a foothold in the IT network—through phishing or a compromised VPN—can pivot to the OT side via a jump host. If an engineer’s Automation Studio workstation is dual-homed or VLAN hopping is possible, the MITM attack becomes trivial. Even air-gapped systems are not immune if a compromised USB drive introduces malware that performs the attack locally.
Once an attacker controls the communication between Automation Studio and a PLC, the consequences scale from data theft to production sabotage. They could:
- Exfiltrate intellectual property: Steal process recipes, design files, and network maps.
- Manipulate physical processes: Send malicious commands that cause equipment damage, product defects, or safety incidents.
- Deploy ransomware: Encrypt PLC programs and demand payment to restore operations.
- Establish persistent backdoors: Alter firmware or logic to enable future attacks.
Because Automation Studio is the primary development tool, compromising it effectively grants full control over the entire automation system.
Affected Versions and Remediation
ABB’s advisory confirms that all releases of B&R Automation Studio earlier than version 6.5 are vulnerable. The fix is included in version 6.5, released in early 2026. CISA’s re-publication on May 5, 2026, signals that many installations remain unpatched and actively targeted.
Remediation steps:
- Upgrade Automation Studio to version 6.5 or later. This is the only complete mitigation. The new version enforces proper certificate validation for both OPC UA and ANSL-over-TLS clients.
- If immediate upgrading is not possible, apply network-level compensating controls:
  - Isolate engineering workstations in a dedicated VLAN with strict access control lists.
  - Disable ANSL and OPC UA over untrusted networks unless absolutely necessary.
  - Enforce mutual TLS with pre-shared keys if supported by the devices.
  - Monitor for ARP spoofing anomalies and rogue DHCP servers.
- Audit existing installations to identify all instances of Automation Studio on the network. Inventory the versions and prioritize those that communicate with safety-critical controllers.
No official workarounds within the software exist short of updating. Relying solely on network segmentation is risky because internal adversaries or misconfigurations can undermine it.
Why This Matters for Windows-Based OT Environments
Automation Studio runs natively on Windows, which is the dominant OS for engineering workstations in industrial settings. A compromised Windows host can serve as a launchpad for lateral movement into the OT domain. CVE-2025-11043 exemplifies the class of vulnerabilities that blur the line between IT and OT security. Traditional IT defenses—antivirus, EDR, firewalls—often provide limited visibility into proprietary industrial protocols like ANSL. Yet, the underlying flaw is a familiar programming mistake: trusting the network without verification. Windows administrators managing these systems must treat Automation Studio like any other critical application: patch it promptly and restrict its network exposure.
Moreover, Windows’ built-in TLS libraries (schannel) are not at fault here. Automation Studio implements its own certificate handling, which means standard OS patches do not fix this issue. Only the vendor-supplied update addresses it. This increases the burden on ICS asset owners, who must track third-party software vulnerabilities separately from Microsoft’s Patch Tuesday.
The Larger Picture: Certificate Validation Shortcomings in ICS
CVE-2025-11043 is not an isolated incident. Over the past decade, multiple ICS vendors have been caught with similar flaws. OPC UA, despite its security design, relies on correct implementation. Poor certificate management has plagued deployments, leading to widespread use of self-signed certificates and disabled security features. In many plants, OPC UA is run in “None” security mode precisely because engineers found certificate configuration too complex. ABB’s bug effectively reverts any TLS-encrypted connection to that insecure state, undoing the security that administrators believed was in place.
This vulnerability also highlights the dangers of proprietary protocols like ANSL. When security auditing tools cannot inspect these protocols, vulnerabilities can persist for years. ANSL is specific to B&R hardware, and its implementation details are not publicly documented, making it harder for third-party researchers to discover flaws. The fact that ABB addressed both OPC UA and ANSL in the same patch suggests a systemic oversight in their TLS stack.
Recommendations for Asset Owners and Windows Administrators
Defenders should take immediate action to identify and mitigate CVE-2025-11043. Key steps include:
- Asset Discovery: Scan networks for Windows hosts with Automation Studio installed. Use software inventory tools or check for the presence of BR.ANSL.Lib.dll and OPC UA client components.
- Patch Prioritization: Apply version 6.5 to all engineering workstations, especially those connected to safety instrumented systems or critical production lines.
- Network Monitoring: Deploy network detection and response (NDR) solutions that can parse OPC UA and detect certificate anomalies. Look for unexpected TLS handshake failures or mismatched certificates.
- Credential Hygiene: Assume that credentials exchanged over vulnerable connections have been compromised. Force password changes for all PLC and SCADA accounts accessible from patched workstations.
- Principle of Least Privilege: Restrict the network paths between engineering workstations and controllers. Use firewalls to block ANSL (TCP port 11159 by default) and OPC UA (typically port 4840) except where explicitly required.
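One way to implement the certificate-anomaly monitoring recommended above, as an added example that is not part of the original article: a rule applied to constructed, pipe-separated TLS session records (timestamp, source, destination, port, certificate subject, issuer, validation result) that flags sessions to the ANSL and OPC UA ports whose server certificate is self-signed or failed chain validation. The record format, the sample lines and the addresses in them are assumptions for the example, not any particular NDR tool's output.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Ports named in the text: ANSL (TCP 11159 by default) and OPC UA (typically 4840).
var watchedPorts = map[int]string{11159: "ANSL", 4840: "OPC UA"}

// Alert describes one suspicious TLS session to an industrial endpoint.
type Alert struct {
	Src, Dst, Proto, Reason string
}

// Constructed sample records (not real traffic): ts|src|dst|dport|subject|issuer|validation.
const sampleLog = `1715000000.1|10.10.5.20|192.168.1.10|4840|CN=plc-01|CN=Plant Root CA|ok
1715000001.4|10.10.5.20|192.168.1.10|4840|CN=plc-01|CN=plc-01|self signed certificate
1715000002.9|10.10.5.20|192.168.1.11|11159|CN=plc-02|CN=Plant Root CA|unable to get local issuer certificate
1715000003.2|10.10.5.20|192.168.1.10|4840|CN=plc-01|CN=Plant Root CA|ok
1715000004.7|10.10.5.20|10.10.9.5|443|CN=intranet|CN=intranet|self signed certificate`

// flagSessions scans the records and reports sessions to watched industrial ports whose
// server certificate is self-signed or failed chain validation. A vulnerable client accepts
// these silently, so the network is the only place the impersonation is visible.
func flagSessions(log string) []Alert {
	var alerts []Alert
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Split(line, "|")
		if len(f) != 7 {
			continue // malformed record; a real pipeline would count these
		}
		port, err := strconv.Atoi(f[3])
		proto, watched := watchedPorts[port]
		if err != nil || !watched {
			continue
		}
		switch {
		case f[4] == f[5]:
			alerts = append(alerts, Alert{f[1], f[2], proto, "self-signed server certificate"})
		case f[6] != "ok":
			alerts = append(alerts, Alert{f[1], f[2], proto, "chain validation failed: " + f[6]})
		}
	}
	return alerts
}

func main() {
	for _, a := range flagSessions(sampleLog) {
		fmt.Printf("%s -> %s (%s): %s\n", a.Src, a.Dst, a.Proto, a.Reason)
	}
}
```

The self-signed session to 10.10.9.5 is deliberately left unflagged: the rule scopes to the industrial ports so that ordinary intranet noise does not drown the signal.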
CISA’s Known Exploited Vulnerabilities catalog does not yet list CVE-2025-11043 as of this writing, but the agency’s advisory dissemination indicates active concern. Given the simplicity of the exploit, proof-of-concept code is likely already circulating in threat actor communities.
Looking Ahead
The revelation of CVE-2025-11043 serves as a stern reminder that security must be baked into industrial software from the earliest design stages. Relying on developers to correctly implement every TLS check is a recipe for disaster. Automated testing frameworks and formal verification could have caught this error. As more industrial protocols adopt standard web technologies, the attack surface grows, but so does the availability of robust, well-tested libraries. ABB’s eventual fix hopefully incorporates a hardened TLS stack that undergoes regular security audits.
For Windows enthusiasts and IT professionals tasked with securing OT environments, the lesson is clear: never assume that a green padlock icon means the connection is truly safe. Verify that applications do their own certificate validation correctly, especially when they operate in critical infrastructure. Apply patches rapidly, segment ruthlessly, and always plan for when, not if, a vulnerability like CVE-2025-11043 emerges.