Can You Disable Power, Ventilation, and Fire Safety with a Single Exploit? Absolutely. And the World Isn’t Ready.

Niagara Framework is Cracking. The Cybersecurity of Smart Buildings Is in Question.

Cybersecurity experts have uncovered over a dozen critical vulnerabilities in the Niagara Framework—a platform developed by Tridium, a subsidiary of Honeywell. This technology is widely used to manage and automate systems in smart buildings, industrial installations, and infrastructure, including ventilation, lighting, energy supply, and security systems. Under certain conditions—especially if the system is misconfigured and lacks encryption—these vulnerabilities can be fully exploited by an attacker.
The Niagara Framework consists of two main components:
- Station – responsible for interacting with connected devices and systems.
- Platform – the software shell that launches and manages the stations.
The discovered flaws affect both the control architecture and the security mechanisms of the platform.
According to Nozomi Networks Labs, if an attack originates from the same local network where a vulnerable system resides, it is possible to chain multiple exploits to seize full control. This becomes particularly dangerous when the attacker assumes a Man-in-the-Middle (MitM) position. One attack scenario involves unencrypted traffic, where system tokens, including anti-CSRF tokens, are leaked via Syslog messages. These tokens can be reused to forge administrator requests and extract the session token (JSESSIONID).
Once the attacker gains privileged access to the Station’s management interface, they can:
- Create a new admin account.
- Establish a persistent backdoor.
- Extract the private TLS certificate key, shared by both Station and Platform components.
This opens the door to MitM attacks, allowing traffic interception and tampering. The final stage may involve exploitation of CVE-2025-3944, which enables remote code execution as root, resulting in complete takeover of the device.
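The chain above begins with tokens appearing in Syslog traffic, so a defender can audit collected syslog for token-like values before an attacker reads them off the wire. The following is an added example, not code from Tridium or Nozomi Networks Labs: the log lines are constructed, and every parameter name except JSESSIONID is an assumption to adjust to what your stations actually emit.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed parameter names; only JSESSIONID is named in the article.
SENSITIVE = {"jsessionid", "csrftoken", "csrf", "token", "sessionid"}
URL_RE = re.compile(r"""https?://[^\s"']+|/[^\s"']*[?;][^\s"']+""")
COOKIE_RE = re.compile(r"\b(JSESSIONID)=([A-Za-z0-9._-]{8,})", re.I)

# Constructed syslog lines in a generic format, not captured from a real station.
SAMPLE = [
    "<134>Jul 24 10:01:02 bms01 web: GET /app/view?page=home&csrfToken=9f8e7d6c5b4a HTTP/1.1 200",
    "<134>Jul 24 10:01:03 bms01 web: Cookie: JSESSIONID=A1B2C3D4E5F6G7H8; theme=dark",
    "<134>Jul 24 10:01:04 bms01 web: user operator logged in from 10.0.0.15",
    "<134>Jul 24 10:01:05 bms01 web: GET /login;jsessionid=ZZ99YY88XX77WW66?next=/home HTTP/1.1 302",
]

def redact(value):
    """Keep a short prefix for correlation without copying the secret into reports."""
    return value[:4] + "***"

def find_leaks(lines):
    """Return (line_no, param, redacted_value) for each token-like value found."""
    hits = []
    for no, line in enumerate(lines, 1):
        seen = set()
        for url in URL_RE.findall(line):
            parts = urlsplit(url)
            pairs = parse_qsl(parts.query, keep_blank_values=True)
            # Servlet-style session ids can also ride in the path as ;name=value.
            for seg in parts.path.split(";")[1:]:
                if "=" in seg:
                    pairs.append(tuple(seg.split("=", 1)))
            for name, value in pairs:
                if name.lower() in SENSITIVE and value:
                    seen.add((name.lower(), value))
        # Cookie headers echoed into a log line carry the session id outside any URL.
        for name, value in COOKIE_RE.findall(line):
            seen.add((name.lower(), value))
        hits += [(no, name, redact(value)) for name, value in sorted(seen)]
    return hits

if __name__ == "__main__":
    for no, name, value in find_leaks(SAMPLE):
        print(f"line {no}: {name}={value} logged in clear text")
```

Any hit on a stream that crosses the network unencrypted means the token should be treated as exposed: invalidate the session and move the log transport to an encrypted channel.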
Notable Vulnerabilities Include:
- CVE-2025-3936 – Improper access control to critical resources (CVSS 9.8)
- CVE-2025-3937 – Use of weak password hashing (CVSS 9.8)
- CVE-2025-3938 – Missing cryptographic step in communication (CVSS 9.8)
- CVE-2025-3941 – Incorrect handling of Windows DATA streams (CVSS 9.8)
- CVE-2025-3945 – Inadequate command-line parameter sanitization (CVSS 9.8)
- CVE-2025-3943 – Sensitive data exposure via GET method (CVSS 7.3)
- CVE-2025-3944 – Repeated privilege mismanagement (CVSS 9.8)
All issues have been patched in the following Niagara Framework versions:
- 4.14.2u2
- 4.15.u1
- 4.10u.11
Tridium reminds users that such systems often bridge IT and OT networks, playing a critical role in infrastructure management. Misconfigurations can jeopardize the reliability and safety of the entire environment.
But That’s Not All...
Simultaneously, dangerous vulnerabilities were also found in P-Net, an open-source implementation of the PROFINET protocol. These flaws allow unauthenticated attackers to trigger Denial of Service (DoS):
- CVE-2025-32399 – Forces the processor into an infinite loop, consuming 100% CPU.
- CVE-2025-32405 – Buffer overflow allowing memory corruption.
Both issues were fixed in P-Net v1.0.2, released in April 2025.
This incident proves once again that even the most powerful and flexible automation platforms are vulnerable if their security relies on configuration assumptions, rather than robust architectural safeguards.
Reliability doesn’t start with code — it starts with discipline.