CISA has republished an advisory from ABB on May 26, 2026, shining a spotlight on CVE-2025-3450—a vulnerability that allows an unauthenticated network attacker to trigger denial-of-service conditions through the System Diagnostics Manager (SDM) web interface in certain versions of ABB B&R Automation Runtime. The flaw, which requires no credentials to exploit, threatens the availability of industrial control systems (ICS) across manufacturing, energy, and critical infrastructure sectors.
ABB B&R Automation Runtime is a real-time operating system embedded in a vast installed base of programmable logic controllers (PLCs) and industrial PCs. The System Diagnostics Manager provides a browser-based tool for operators and maintenance teams to monitor hardware health, log performance data, and troubleshoot faults—often connected directly to plant networks. These systems are the nervous system of automated production lines, water treatment plants, and power substations. Disrupting them can halt assembly lines, spoil batches, or cause unsafe conditions.
Vulnerability deep dive
CVE-2025-3450 resides in the web server component of SDM. An attacker who can reach port 80 or 443 on a vulnerable controller can send a specially crafted request that exhausts internal resources—CPU, memory, or connection handles—rendering the diagnostics interface unresponsive and, in severe cases, forcing the entire runtime to reboot. No authentication or user interaction is required. The attack can be mounted from any node on the same TCP/IP network, including a compromised engineering workstation or a rogue device plugged into an unsegmented switch.
ABB has not publicly released a CVSS v3.1 score in the initial advisory republished by CISA, but the characteristics described (network attack vector, low attack complexity, no privileges required, no user interaction, scope unchanged, high impact on availability only) correspond to the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, which scores 7.5 (High) under the v3.1 formula. The base score does not capture site-specific consequences: where the DoS can be triggered repeatedly, or where the controller's restart affects safety-integrated functions, the environmental risk is higher still. Organizations using affected versions of Automation Runtime, especially those where SDM is exposed on operational technology (OT) networks without proper firewalls, should treat this vulnerability as urgent.
Affected versions and products
ABB’s advisory lists the specific Automation Runtime versions that bundle the vulnerable SDM component. The pattern follows the usual shape for a fix in a maintained product line: every release before the patched build in a series is affected, for example 4.x builds prior to 4.33.2 and 5.x builds prior to 5.12.1, together with legacy 3.x installations still in service. Take the exact build numbers from ABB’s technical notification rather than from this summary, and treat any controller with SDM enabled as at risk until its installed build has been checked against that list.
The SDM web interface is not always active by default. It must be configured and enabled through the Automation Studio engineering environment. However, many machine builders and system integrators leave it on for remote diagnostics, often without changing default credentials or restricting access. Even where authentication is configured, it does not help here: the vulnerable code path is reached before any credential check, so a dashboard with strong passwords can still be knocked over.
Real-world impact: more than a frozen dashboard
Denial-of-service on a diagnostics page might sound minor, but in an industrial setting, the consequences cascade. When SDM becomes unavailable, operators lose visibility into controller health, temperature readings, and communication bus errors. That blinds them to upcoming failures. If the DoS forces the PLC to restart, production stops instantly. In continuous processes like chemical reactors or glass furnaces, a mid-batch restart can ruin the product, damage equipment, and require expensive cleanouts.
Worse, some B&R controllers run safety-rated applications alongside the standard runtime. If safety functions share processing with a CPU that the DoS has pegged at 100%, reaction times could lengthen, delaying emergency stops or interlock logic. No active exploit code is known to be circulating publicly as of this writing, but ICS-targeted toolkits have already shipped exactly this class of capability: CRASHOVERRIDE carried a denial-of-service module against Siemens SIPROTEC relays, and PIPEDREAM (also reported as INCONTROLLER) included components to manipulate and disrupt PLCs. Sophisticated actors build tooling for controller outages on their own schedule; they do not wait for public proof-of-concept code.
CISA’s republishing: a signal for OT defenders
CISA’s decision to republish ABB’s advisory on its own platform gives the vulnerability far wider visibility among U.S. asset owners. Republication by itself does not impose a patching deadline: Binding Operational Directive 22-01 applies to federal civilian executive branch agencies and only to CVEs that CISA adds to its Known Exploited Vulnerabilities catalog, which requires evidence of active exploitation. Private-sector operators nevertheless commonly use CISA advisories and KEV listings as the trigger for prioritized remediation, both to limit liability and to demonstrate due diligence.
The agency’s notice recommends that asset owners:
- Immediately review their ABB B&R controller inventory.
- Determine whether SDM is enabled on any device.
- Apply the firmware update provided by ABB as soon as a maintenance window allows.
- If patching is not immediately possible, disable the SDM web server through Automation Studio or use network access controls (ACLs) to restrict traffic to trusted IP addresses only.
- Monitor for anomalous HTTP requests to PLCs on ports 80/443, especially malformed headers or unusually long URL patterns.
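The monitoring item is the one most teams find hardest to act on, because the advisory does not publish the trigger pattern. What follows is an added example, not code from ABB, CISA or any IDS vendor, of three heuristics that work without it: an unexpected client reaching a controller's web port, an oversized URI, and a request burst from one client to one controller. It runs over constructed, Zeek-http.log-like records (tab-separated: timestamp, client IP, server IP, server port, method, URI, status); the PLC zone, trusted client addresses and thresholds are assumptions to be replaced with the site's own baseline.

```python
"""Flag anomalous HTTP traffic toward PLC web interfaces.

Added example, not code from ABB, CISA or any IDS vendor. Runs over
constructed, Zeek-http.log-like records (tab-separated: ts, client IP,
server IP, server port, method, URI, status) and applies three heuristics
that do not depend on the unpublished trigger pattern.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed plant addressing and thresholds; none of these come from the advisory.
PLC_ZONE = ip_network("10.10.20.0/24")           # controllers with SDM enabled
TRUSTED_CLIENTS = {ip_address("10.10.1.10"),     # engineering workstation
                   ip_address("10.10.1.20")}     # SCADA server
WEB_PORTS = {80, 443}
MAX_URI_LEN = 512      # longest URI observed in a baseline of legitimate SDM use
BURST_LIMIT = 20       # requests per (client, controller) pair ...
BURST_WINDOW = 10.0    # ... within this many seconds


def parse_line(line):
    """Parse one record; return None for malformed lines so one bad line
    cannot stop the analysis."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 7:
        return None
    try:
        return {"ts": float(fields[0]), "src": ip_address(fields[1]),
                "dst": ip_address(fields[2]), "dport": int(fields[3]),
                "method": fields[4], "uri": fields[5], "status": int(fields[6])}
    except ValueError:
        return None


def analyze(lines):
    """Return a list of alerts, each {"ts", "src", "dst", "reason"}."""
    alerts = []
    reported_untrusted = set()        # one alert per (client, controller) pair
    windows = defaultdict(deque)      # (client, controller) -> recent timestamps

    def alert(rec, reason):
        alerts.append({"ts": rec["ts"], "src": str(rec["src"]),
                       "dst": str(rec["dst"]), "reason": reason})

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] not in PLC_ZONE or rec["dport"] not in WEB_PORTS:
            continue                  # only HTTP(S) toward the PLC zone is in scope
        pair = (rec["src"], rec["dst"])

        if rec["src"] not in TRUSTED_CLIENTS and pair not in reported_untrusted:
            reported_untrusted.add(pair)
            alert(rec, "untrusted_source")

        if len(rec["uri"]) > MAX_URI_LEN:
            alert(rec, "long_uri")

        window = windows[pair]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > BURST_WINDOW:
            window.popleft()          # slide the window forward
        if len(window) == BURST_LIMIT:  # fires once, as the count crosses the limit
            alert(rec, "request_burst")
    return alerts


# Constructed sample: two legitimate clients, then an unexpected host that
# probes, sends an oversized URI and floods a controller's web port.
SAMPLE_LOG = [
    "1000.0\t10.10.1.10\t10.10.20.5\t80\tGET\t/sdm/index.html\t200",
    "1001.0\t10.10.1.20\t10.10.20.5\t443\tGET\t/sdm/status\t200",
    "1001.5\t10.10.1.10\t10.10.30.9\t80\tGET\t/index.html\t200",   # not a PLC: ignored
    "not a log line at all",                                       # malformed: skipped
    "1002.0\t10.10.5.77\t10.10.20.5\t80\tGET\t/sdm/index.html\t200",
    "1003.0\t10.10.5.77\t10.10.20.5\t80\tGET\t/sdm/" + "A" * 700 + "\t400",
] + [
    f"{1004.0 + 0.05 * i:.2f}\t10.10.5.77\t10.10.20.5\t80\tGET\t/sdm/status\t200"
    for i in range(25)
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f'{a["ts"]:>8} {a["src"]:>12} -> {a["dst"]:<12} {a["reason"]}')
```

On the constructed sample this yields three alerts, all for the unexpected host: one for reaching the controller at all, one for the 700-character URI, and one when its request count crosses the burst limit. The first heuristic is the strongest: on a properly segmented cell the list of clients that should ever talk to a controller's web port is short enough to enumerate, and anything outside it is worth a ticket regardless of what it sends.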
CISA’s advisory also cross-references MITRE ATT&CK for ICS. The techniques that fit this flaw are T0814 (Denial of Service) and T0815 (Denial of View), and a forced runtime restart adds T0816 (Device Restart/Shutdown) and T0813 (Denial of Control), reminding defenders that DoS in OT isn’t just about downtime—it’s about loss of situational awareness and, at worst, loss of control.
Mitigation and workarounds
ABB has released updated versions of Automation Runtime that patch the SDM web server. The fix involves rewriting the HTTP parsing routine to reject oversized or malformed requests before they consume threads or memory. The update is available through the B&R portal and can be deployed via USB, SD card, or the Automation Studio Update Manager without requiring a complete application rebuild.
For systems that cannot be taken offline, ABB recommends the following compensating controls:
- Disable SDM: The most effective mitigation is to turn off the web interface entirely if remote diagnostics are not essential. This can be done in the configuration settings of the target device within Automation Studio, followed by a warm restart.
- Network segmentation: Place all Automation Runtime controllers behind an industrial firewall or a dedicated OT DMZ. Allow only the specific IP addresses of engineering workstations, SCADA servers, and jump hosts. Block all other traffic to the controllers’ management ports.
- HTTPS only, with its limits understood: If SDM must remain reachable, configure it for HTTPS with a unique certificate per controller so that credentials and diagnostic data are not exposed on the wire. Be clear about what this does not do: TLS does not mitigate CVE-2025-3450, because an attacker who can reach port 443 can still send the crafted request to the unauthenticated endpoint. Access restriction, not encryption, is the compensating control.
- IDS/IPS signatures: Where ABB, CISA or your IDS vendor provides Snort or Suricata rules for the trigger pattern, deploy them on OT intrusion detection sensors and link alerts to incident response playbooks. Until such rules exist, generic rules on oversized requests and request floods toward controller web ports give partial coverage.
- Logging: Enable extended logging on the SDM service if available and forward controller logs to a centralized SIEM. Correlate on what the attack would actually produce: bursts of requests from a single source to a controller’s web port, spikes in HTTP error responses, and unexpected controller restart or watchdog events.
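The access-control advice above (CISA’s ACL recommendation and the network segmentation item) can be made concrete. The following is an added example of an nftables ruleset for a conduit firewall between the plant network and a PLC cell; it is not ABB or CISA configuration, and every address, port and host role in it is an assumption. The commented-out rule shows the weak posture in which any node can reach SDM; the rules below it allow the web ports only from named management hosts, rate-limit new connections even from those hosts, and log everything else before dropping it so the SIEM correlation described in the logging item has a feed.

```nftables
# Added example: nftables conduit between the plant network and a PLC cell.
# Not ABB or CISA configuration; addresses, ports and host roles are assumed.
#   PLC zone (Automation Runtime controllers):   10.10.20.0/24
#   Engineering workstation / SCADA / jump host: 10.10.1.10 / 10.10.1.20 / 10.10.1.30
define plc_zone   = 10.10.20.0/24
define mgmt_hosts = { 10.10.1.10, 10.10.1.20, 10.10.1.30 }
define sdm_ports  = { 80, 443 }

table inet ot_conduit {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Weak posture (do not use): this is what "reachable from any node" looks like.
        # ip daddr $plc_zone tcp dport $sdm_ports accept

        # Corrected: SDM only from the named management hosts, with new connections
        # rate-limited so a compromised workstation cannot flood the controller either.
        ip saddr $mgmt_hosts ip daddr $plc_zone tcp dport $sdm_ports ct state new limit rate 30/minute burst 10 packets accept

        # Process traffic the cell actually needs (assumed: OPC UA from the SCADA server).
        ip saddr 10.10.1.20 ip daddr $plc_zone tcp dport 4840 ct state new accept

        # Anything else aimed at the SDM ports is logged for the SIEM and dropped.
        ip daddr $plc_zone tcp dport $sdm_ports log prefix "sdm-denied " counter drop
    }
}
```

The default-drop policy is the point: new rules add what the cell needs, and the controller’s web ports are never reachable by anything that was not explicitly listed. The `counter` on the final rule gives a cheap health check (`nft list chain inet ot_conduit forward`) for whether unexpected hosts are probing the zone at all.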
Industry best practices—such as IEC 62443 zones and conduits, least-privilege access, and regular vulnerability scans—apply here as they do to all OT environments. The existence of CVE-2025-3450 should prompt a broader review of how remote management interfaces are exposed across the plant floor.
A repeating pattern in the ICS threat landscape
CVE-2025-3450 is not an anomaly. Over the last five years, embedded web servers in PLCs, RTUs, and IEDs have been a persistent source of critical vulnerabilities. Schneider Electric’s Modicon M340, Siemens SIMATIC S7-1200, and Rockwell Automation’s CompactLogix have all suffered similar unauthenticated DoS flaws in their built-in web pages. The root cause is often the same: lightweight HTTP stacks written in C with minimal fuzzing during development, then deployed for a decade or more without updates.
What makes this ABB B&R case notable is the widespread adoption of Automation Runtime in packaging machinery, printing presses, and CNC tooling. These applications demand high availability, yet they are often managed by OEMs who push back on patching—fearing that a firmware update will break custom code or void warranties. The result is a large installed base of devices that fall through the cracks of IT-maintained vulnerability management programs.
Steps for security teams to take today
- Inventory: Use passive scanning tools like the Dragos Platform or Claroty to identify every ABB B&R PLC on the network. Pull serial numbers and firmware versions to cross-reference with the affected list.
- Risk assess: Determine the business impact if each controller were to become unreachable or restart unexpectedly. Consider safety implications and batch integrity.
- Patch or isolate: For high-impact devices, prioritize the firmware update during the next maintenance window. For low-impact test beds, apply the patch immediately to verify compatibility.
- Vendor communication: Contact ABB B&R support or local distributors to obtain the specific patch for your revision. Do not download firmware from third-party sites.
- Monitor: Even after patching, keep watching. The only direct confirmation that the fix works is to send the trigger and see the controller survive, and that belongs on a test bench, never on a production controller. In production, confirm that the installed build matches ABB’s fixed version and rely on monitoring for anomalous requests and unexpected restarts.
The bottom line
Unpatched ABB B&R controllers with the SDM web interface active are susceptible to a simple, unauthenticated DoS attack that can halt production and obscure diagnostics. With CISA now echoing ABB’s warning, the window for remediation is narrowing. Industrial operators must move quickly to patch, segment, or disable the vulnerable service. In OT, availability is safety, and every hour of exposure to CVE-2025-3450 is a bet that no unexpected network visitor will walk into that open door.