IronMonkey Threat Research

B&R PPT30 Operating System

HIGH
CVSS 7.5
Date 2026-06-04T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

B&R is aware of a vulnerability in the product versions listed as affected in the advisory. An attacker who successfully exploits this vulnerability could make the OPC-UA server of the product inaccessible.

// Vulnerabilities (1)

CVE ID CVSS Score Severity Description
CVE-2025-11482 7.5 high
CVE-2025-11482. An Allocation of Resources Without Limits or Throttling vulnerability in the OPC-UA Server used in PPT30 Operating System versions before 1.8.0 may be used by an unauthenticated network-based attacker to permanently prevent legitimate users from interacting with the service.

// Remediations (4)

Patch: The problem is corrected in the following product versions: PPT30 Operating System 1.8.0. The OPC-UA server is not activated by default. B&R recommends that customers with the OPC-UA Server enabled install the update at their earliest opportunity. The process to install updates is described in the user manual. The step to identify the installed product version is described in the user manual.
Mitigation: The optional OPC-UA server is not activated by default. The OPC-UA server shall only be activated if required. PPT30 products are intended to operate at Levels 1 and 2 of the ABB ICS Cyber Security Reference Architecture. To restrict access to the OPC-UA server exclusively to trusted IP addresses, configure the South Firewall and/or the Control Network Firewall accordingly, and properly segment the network where the PPT30 operates. Additionally, ensure that the physical network interfaces assigned to the same logical network as the PPT30 are accessible only to authorized personnel. Refer to section “General security recommendations” for further advice on how to keep your system secure.
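
One way to verify the trusted-IP restriction from firewall or flow logs, as an added example that is not part of the advisory or of B&R's material: it flags sources outside an allowlist that reach the OPC-UA port, and sources that open many connections in a short window. The port (4840, the IANA-registered OPC-UA port), the log format, all addresses and the threshold are assumptions or constructed values; the advisory does not describe how the resource exhaustion is triggered, so connection rate is only a generic signal.

```python
import ipaddress
from collections import defaultdict, deque

# Assumption: 4840 is the IANA-registered opc.tcp port; use the port configured on the device.
OPCUA_PORT = 4840
# Constructed allowlist standing in for the "trusted IP addresses" of the mitigation.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.1.0/28", "10.20.2.15/32")]
WINDOW_S, MAX_CONN = 10, 20  # assumed threshold: more than 20 connections in 10 s

# Constructed flow records, one per line: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE = "\n".join(
    ["1000 10.20.1.5 10.20.9.30 4840",    # trusted engineering station
     "1001 10.20.7.44 10.20.9.30 4840",   # source outside the allowlist
     "1002 10.20.1.5 10.20.9.30 443"]     # different service, ignored
    + [f"{1100 + i // 5} 10.20.2.15 10.20.9.30 4840" for i in range(30)]
)

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED)

def audit(log_text):
    """Return (untrusted sources, sources exceeding the rate threshold)."""
    untrusted, bursts = set(), set()
    recent = defaultdict(deque)  # per-source timestamps inside the sliding window
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of aborting the audit
        try:
            ts, src, port = float(parts[0]), parts[1], int(parts[3])
            ipaddress.ip_address(src)
        except ValueError:
            continue
        if port != OPCUA_PORT:
            continue
        if not is_trusted(src):
            untrusted.add(src)  # firewall rule missing or too broad
        window = recent[src]
        window.append(ts)
        while window and ts - window[0] > WINDOW_S:
            window.popleft()
        if len(window) > MAX_CONN:
            bursts.add(src)  # checked for trusted sources as well
    return sorted(untrusted), sorted(bursts)

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Any entry in the first list means the firewall allowlist is not enforcing the restriction described in the mitigation.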

// References