CVE-2025-3941 CRITICAL

Published: 2025-05-22 | Last Modified: 2025-06-04 | Status: Analyzed

Description

Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

Additional Descriptions (1)

Manejo inadecuado de la vulnerabilidad Windows ::DATA Alternate Data Stream en Tridium Niagara Framework para Windows, Tridium Niagara Enterprise Security para Windows permite la manipulación de datos de entrada. Este problema afecta a Niagara Framework: versiones anteriores a la 4.14.2, 4.15.1 y 4.10.11; Niagara Enterprise Security: versiones anteriores a la 4.14.2, 4.15.1 y 4.10.11. Tridium recomienda actualizar a Niagara Framework y Enterprise Security a las versiones 4.14.2u2, 4.15.u1 o 4.10u.11.

CVSS Metrics

Base Score: 9.8 (CRITICAL)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector	NETWORK
Attack Complexity	LOW
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	HIGH
Integrity Impact	HIGH
Availability Impact	HIGH

Source: [email protected]

Type: Primary

Exploitability Score: 3.9

Impact Score: 5.9

Weaknesses

Source	Type	Description
[email protected]	Secondary	en CWE-69
[email protected]	Primary	en CWE-706

Affected Products

Vendor	Product	Version	Update	Type
tridium	niagara	4.10u10	<built-in method update of dict object at 0x7c3c2ab11200>	Application
tridium	niagara	4.14u1	<built-in method update of dict object at 0x7c3c32d53ac0>	Application
tridium	niagara	4.15	<built-in method update of dict object at 0x7c3c2975b480>	Application
tridium	niagara_enterprise_security	4.10u10	<built-in method update of dict object at 0x7c3c29759280>	Application
tridium	niagara_enterprise_security	4.14u1	<built-in method update of dict object at 0x7c3bf397b180>	Application
tridium	niagara_enterprise_security	4.15	<built-in method update of dict object at 0x7c3bf3979a40>	Application

Affected Configurations

Operator: OR

Vulnerable	CPE
Yes	`cpe:2.3:a:tridium:niagara:4.10u10:::::::*`
Yes	`cpe:2.3:a:tridium:niagara:4.14u1:::::::*`
Yes	`cpe:2.3:a:tridium:niagara:4.15:::::::*`
Yes	`cpe:2.3:a:tridium:niagara_enterprise_security:4.10u10:::::::*`
Yes	`cpe:2.3:a:tridium:niagara_enterprise_security:4.14u1:::::::*`
Yes	`cpe:2.3:a:tridium:niagara_enterprise_security:4.15:::::::*`

Operator: OR

Vulnerable	CPE
No	`cpe:2.3:o:microsoft:windows:-:::::::*`

References

https://docs.niagara-community.com/category/tech_bull
Source: [email protected]

Permissions Required
https://www.honeywell.com/us/en/product-security#security-notices
Source: [email protected]

Vendor Advisory