IronMonkey Threat Research

XZ Utils vulnerability impacting B&R Products

HIGH
CVSS 7.5
Date 2026-06-10T00:30:00+00:00
Source abb-psirt
Published by ABB PSIRT

// Description

An update is available that resolves a vulnerability in the product versions listed as affected in this advisory. An attacker who successfully exploited this vulnerability could cause the product to stop or could corrupt memory data.

// Vulnerabilities (1)

CVE ID: CVE-2025-31115
CVSS Score: 7.5
Severity: high
Description: XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on the null pointer plus an offset. Applications and libraries that use the lzma_stream_decoder_mt function are affected. The bug has been fixed in XZ Utils 5.8.1, and the fix has been committed to the v5.4, v5.6, v5.8, and master branches in the xz Git repository. No new release packages will be made from the old stable branches, but a standalone patch is available that applies to all affected releases.

// Affected Products (4)

Vendor | Product | Asset Type | Purdue Level | Firmware
Siemens | Unknown | plc | L1 | --
Siemens | Unknown | plc | L1 | --
Siemens | Unknown | plc | L1 | --
Siemens | Unknown | plc | L1 | --

// Remediations (4)

Patch: The problem is corrected in the following product versions (Product, Terminal OS Version):
- PPC3100 1.8.1
- C50 1.8.0
- C80 1.8.0
- FT50 1.8.1
- MT50 1.8.1
- T30 1.8.0
- T80 1.8.0
- T50 1.8.1
B&R recommends that customers apply the update at their earliest convenience. The process for installing updates and the step for identifying the installed product version are described in the user manual.
Mitigation: Refer to the section “General security recommendations” for further advice on how to keep your system secure.
Mitigation: Only build and run applications from trusted sources.
Mitigation: Limit access to the interactive shell of the additional GNU/Linux subsystem to trusted personnel only.
