Critical Flaws (CVSS 9.8) in Honeywell’s Niagara Framework Expose Smart Buildings & Industrial Systems to Root Access
Security researchers have identified more than a dozen (13) vulnerabilities in the Niagara Framework, a platform developed by Tridium, a subsidiary of Honeywell. The framework is widely deployed to automate and manage smart buildings, industrial installations, and critical infrastructure, covering systems such as ventilation, lighting, power distribution, and physical security. Most of the vulnerabilities are only fully exploitable under specific conditions, above all when a deployment is misconfigured so that encryption is disabled on one or more of its network devices or services.
The Niagara Framework comprises two primary components. The first, the Station, handles the interaction with connected devices and systems. The second, the Platform, is the host-level software environment that runs and administers stations. The vulnerabilities affect both components, from the management interfaces down to the underlying security mechanisms.
According to Nozomi Networks Labs, an attacker with access to the same local network as a vulnerable deployment can chain several of the flaws into a full system compromise. The threat is most severe when the attacker holds an adversary-in-the-middle (AitM, also called man-in-the-middle) position on the network. In one scenario, if Syslog encryption is disabled, service tokens, including the anti-CSRF token, are exposed in the plaintext Syslog messages. With the anti-CSRF token in hand, the attacker can forge administrative requests and capture the administrator's session cookie, JSESSIONID.
Once in possession of a privileged session on the Station's management interface, the attacker creates a new administrative account to secure a persistent foothold. From there they can extract the TLS certificate's private key, which is shared by the Station and Platform components, and use it to intercept and manipulate encrypted traffic between them. In the final stage of the chain, CVE-2025-3944 is exploited to obtain remote code execution as root, resulting in complete takeover of the device.
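The first link in that chain, a plaintext Syslog stream handing session material to an on-path listener, is something a defender can check for directly. The scanner below is an added example, not code from Nozomi Networks or Tridium: it parses RFC 5424 and RFC 3164 syslog lines, flags named session fields and long opaque hex values, and models the fix (Syslog over TLS) by reporting nothing when the stream is encrypted. The sample lines, the field names csrfToken and JSESSIONID, and the message wording are constructed for the example; the page does not document Niagara's real log format.

```python
"""Scan syslog traffic for secrets that should never be logged in the clear.

Added example, not code from Nozomi Networks or Tridium. The log lines are
constructed for this example: the field names 'csrfToken' and 'JSESSIONID'
and the message wording are assumptions, not Niagara's actual log format.
"""
import re
from dataclasses import dataclass

# RFC 5424: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<proc>\S+) "
    r"(?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME MSG
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
# Severity is the low three bits of PRI (facility is PRI // 8).
SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# key=value pairs whose value is a credential or session material (assumed names).
_NAMED = re.compile(
    r"(?i)\b(csrf[_-]?token|jsessionid|session[_-]?id|refresh[_-]?token)=([A-Za-z0-9+/=_\-]{16,})"
)
# Long hex blobs logged without a name (hashes, opaque tokens).
_BLOB = re.compile(r"\b[A-Fa-f0-9]{32,}\b")


@dataclass
class Finding:
    host: str
    severity: str
    kind: str        # "named_token" or "opaque_blob"
    field_name: str  # key for named tokens, "" for blobs
    value: str
    message: str


def parse_syslog(line):
    """Return (host, severity, msg) for an RFC 5424 or RFC 3164 line, else None."""
    m = _RFC5424.match(line) or _RFC3164.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return m.group("host"), SEVERITY[pri % 8], m.group("msg")


def scan_syslog(lines, encrypted=False):
    """Report secret-looking values an on-path attacker could read.

    encrypted=True models a collector reached over TLS (RFC 5425): the same
    lines are opaque on the wire, so nothing is reported.
    """
    findings = []
    if encrypted:
        return findings
    for line in lines:
        parsed = parse_syslog(line)
        if parsed is None:
            continue  # not syslog; a real tool would count these separately
        host, severity, msg = parsed
        reported = []  # spans already attributed to a named field
        for m in _NAMED.finditer(msg):
            reported.append(m.span(2))
            findings.append(Finding(host, severity, "named_token", m.group(1), m.group(2), msg))
        for m in _BLOB.finditer(msg):
            if any(s <= m.start() and m.end() <= e for s, e in reported):
                continue  # already reported under its field name
            findings.append(Finding(host, severity, "opaque_blob", "", m.group(0), msg))
    return findings


def redacted_report(findings):
    """One line per finding; values are truncated so the report itself leaks nothing."""
    return [
        f"{f.host} [{f.severity}] {f.kind} {f.field_name or '-'} {f.value[:4]}... : {f.message[:40]}"
        for f in findings
    ]


# Constructed sample traffic (not real Niagara output).
SAMPLE_LINES = [
    "<134>1 2025-07-22T10:15:00Z jace-8000 station - - - user admin logged in csrfToken=3f9a0c1d2e4b5a6f7081920a1b2c3d4e",
    "<134>1 2025-07-22T10:15:07Z jace-8000 station - - - session refreshed JSESSIONID=node0abc123DEF456ghi789jkl012mno",
    "<13>Jul 22 10:16:02 jace-8000 station: platform auth digest 9e107d9d372bb6826bd81d3542a419d6a1b2c3d4",
    "<134>1 2025-07-22T10:16:30Z jace-8000 station - - - point Lighting/Floor2 set to 75%",
    "not a syslog datagram at all",
]

if __name__ == "__main__":
    for row in redacted_report(scan_syslog(SAMPLE_LINES)):
        print(row)
    print("over TLS:", scan_syslog(SAMPLE_LINES, encrypted=True))
```

Feed it the decoded payloads of UDP/514 datagrams captured from a Niagara host and every hit is something the AitM attacker in the scenario above could read just as easily. The remediation is to enable TLS on the Syslog service (and apply the fixed releases), not to tune the scanner; the scanner only tells you whether the misconfiguration the chain depends on is present.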
Among the most severe vulnerabilities are:
- CVE-2025-3936 – Incorrect permission assignment for a critical resource (CVSS 9.8)
- CVE-2025-3937 – Use of a password hash with insufficient computational effort (CVSS 9.8)
- CVE-2025-3938 – Missing cryptographic step (CVSS 9.8)
- CVE-2025-3941 – Improper handling of Windows ::DATA alternate data streams (CVSS 9.8)
- CVE-2025-3943 – Use of the HTTP GET method with sensitive query strings (CVSS 7.3)
- CVE-2025-3944 – Incorrect permission assignment for a critical resource, a second instance (CVSS 9.8)
- CVE-2025-3945 – Improper neutralization of argument delimiters in a command (CVSS 9.8)
All issues have been addressed in the patched Niagara Framework releases 4.14.2u2, 4.15.u1, and 4.10u.11. The researchers emphasize that such systems often act as the bridge between information technology (IT) and operational technology (OT) networks and play a pivotal role in critical infrastructure, so a misconfiguration can seriously undermine both reliability and security.
In parallel, severe vulnerabilities were also found in P-Net, an open-source implementation of the PROFINET protocol. Both allow an unauthenticated attacker to cause a denial of service: CVE-2025-32399 lets an attacker force the device's CPU into an infinite loop, consuming 100% of its processing capacity, while CVE-2025-32405 is a buffer overflow that corrupts device memory. Both issues were fixed in library version 1.0.2, released in April 2025.
Ultimately, even the most flexible and sophisticated control systems become vulnerable when their resilience relies not on architecture, but on assumptions of proper configuration. Security begins not with code, but with discipline.