PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-10208 B&R Industrial Automation GmbH CVE debrief

CVE-2024-10208 is a medium-severity cross-site scripting issue (improper neutralization of input during web page generation, CWE-79) in the APROL Web Portal, affecting B&R APROL <4.4-00P5. According to the CISA CSAF advisory, a network-based attacker could insert malicious code that is then executed in the context of the victim's browser session. The published CVSS vector carries PR:N and UI:R, so no attacker privileges are needed, but a victim must interact (typically by following a crafted link or opening a crafted page) for the injected code to run.

Vendor
B&R Industrial Automation GmbH
Product
B&R APROL
CVSS
MEDIUM 6.1
CISA KEV
Not listed in stored evidence
Original CVE published
2025-03-24
Original CVE updated
2025-03-24
Advisory published
2025-03-24
Advisory updated
2025-03-24

Who should care

OT/ICS operators using B&R APROL, especially administrators of the APROL Web Portal; security teams responsible for patching, account hygiene, and access control around authenticated web interfaces.

Technical summary

The advisory describes an improper neutralization of input during web page generation in the APROL Web Portal, i.e. cross-site scripting. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N: network reachability, low attack complexity, no privileges required, user interaction required, low confidentiality and integrity impact, and no availability impact. S:C (scope changed) reflects that the vulnerable component is the portal while the impacted component is the victim's browser session, which is why the base score is computed with the changed-scope formula. Affected scope in the supplied source is B&R APROL <4.4-00P5.

Defensive priority

Medium. Patch or upgrade soon. Prioritize systems where the APROL Web Portal is reachable from less-trusted network segments or is used by many operators: the vector requires no attacker privileges (PR:N), so any host that can reach the portal can stage the payload, and the victims are the portal's logged-in users (UI:R, S:C).

Recommended defensive actions

  • Apply the vendor patch or upgrade B&R APROL to 4.4-00P5 or later as soon as practical.
  • Confirm the installed product version, following the vendor's user manual, before and after remediation, and record both readings.
  • After updating, rotate passwords and session secrets where the vendor recommends it. The vector's C:L/I:L reflect that script running in a victim's browser session can read and alter whatever that session can, so credentials or tokens exposed to the portal before patching should be treated as potentially exposed.
  • Review access to the APROL Web Portal and ensure only authorized users and networks can reach it. Because no attacker privileges are required (PR:N), network reachability of the portal matters as much as account hygiene.
  • Follow CISA and vendor industrial-control-system defense-in-depth guidance for additional hardening.
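Confirming the installed version against the advisory's "<4.4-00P5" range is easy to get wrong by hand when a fleet mixes builds and patch levels. The following triage helper is an added example for this debrief, not a B&R tool. It assumes APROL version strings take the form "<major>.<minor>-<build>[P<patch>]" (optionally prefixed with "R "), which is inferred from the single version string in the advisory rather than from any documented B&R scheme; the host inventory it runs on is constructed for illustration.

```python
import re

# Assumed APROL version format, e.g. "4.4-00P5" or "R 4.2-07":
#   <major>.<minor>-<build>[P<patch>]
# This pattern is an assumption inferred from the advisory's one version string,
# not a documented B&R scheme. A version with no "P" suffix is treated as patch 0.
VERSION_RE = re.compile(r"^R?\s*(\d+)\.(\d+)-(\d+)(?:P(\d+))?$")

FIXED_VERSION = "4.4-00P5"  # first non-vulnerable version per the advisory ("<4.4-00P5")


def parse_version(s):
    """Turn an APROL version string into a comparable (major, minor, build, patch) tuple."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised APROL version string: %r" % s)
    major, minor, build, patch = m.groups()
    return (int(major), int(minor), int(build), int(patch or 0))


def is_affected(installed, fixed=FIXED_VERSION):
    """True if the installed version falls inside the advisory's affected range."""
    return parse_version(installed) < parse_version(fixed)


def triage(inventory, fixed=FIXED_VERSION):
    """Sort a {host: version} inventory into affected, fixed and unparseable lists.

    Unparseable entries are reported rather than silently skipped: a host whose
    version cannot be read must be checked manually, not assumed patched."""
    affected, patched, unparseable = [], [], []
    for host, version in sorted(inventory.items()):
        try:
            (affected if is_affected(version, fixed) else patched).append(host)
        except ValueError:
            unparseable.append(host)
    return affected, patched, unparseable


# Constructed sample inventory (hostnames and versions are illustrative only).
SAMPLE_INVENTORY = {
    "aprol-eng01": "4.4-00P4",   # one patch level short of the fix
    "aprol-run01": "4.4-00P5",   # exactly the fixed version
    "aprol-ops02": "4.2-07",     # older release line
    "aprol-lab": "R 4.4-01",     # later build, no patch suffix
    "aprol-old": "unknown",      # inventory has no usable version
}

if __name__ == "__main__":
    aff, fix, bad = triage(SAMPLE_INVENTORY)
    print("affected:   ", aff)   # ['aprol-eng01', 'aprol-ops02']
    print("fixed:      ", fix)   # ['aprol-lab', 'aprol-run01']
    print("check by hand:", bad) # ['aprol-old']
```

Run the same triage before and after the rollout; the "affected" list should be empty afterwards and the "check by hand" list should be worked down to zero, since an unreadable version is not evidence of a patch.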

Evidence notes

This debrief is based on the CISA CSAF source for ICSA-25-093-05 and the vendor references listed in that advisory. The supplied CVE published and modified timestamps are both 2025-03-24 UTC. The provided enrichment does not list the CVE in CISA KEV.

Official resources

The governing documents are the CISA CSAF advisory ICSA-25-093-05 and the vendor references it lists; no resource URLs are included in the supplied data, and no KEV date is provided.