PatchSiren

CVE-2024-10210 B&R Industrial Automation GmbH CVE debrief

CVE-2024-10210 is a high-severity vulnerability in the APROL Web Portal used by B&R APROL versions before 4.4-00P5. According to the CISA advisory, an authenticated network-based attacker may be able to access data from the file system. B&R recommends applying the patch or upgrading to a non-vulnerable version and changing secrets/passwords after remediation.

Vendor: B&R Industrial Automation GmbH
Product: B&R APROL
CVSS: HIGH 8.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-03-24
Original CVE updated: 2025-03-24
Advisory published: 2025-03-24
Advisory updated: 2025-03-24

Who should care

Organizations running B&R APROL, especially teams responsible for the APROL Web Portal, OT operations, and industrial control system security. Prioritize this if authenticated users have access to the portal or if the environment relies on sensitive local file data.

Technical summary

The advisory describes an External Control of File Name or Path issue in the APROL Web Portal. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, which indicates network reachability, low attack complexity, low privileges required (an authenticated attacker), no user interaction, changed scope, high confidentiality impact, low integrity impact, and no availability impact. The affected product is listed as B&R APROL < 4.4-00P5 in the CSAF record.

Defensive priority

High. This is a remote, authenticated issue with high confidentiality impact, and the vendor advises patching or upgrading at the earliest convenience.

Recommended defensive actions

  • Apply the vendor patch or upgrade to a non-vulnerable B&R APROL version as soon as practical.
  • Use the vendor manual to confirm the installed APROL version before and after remediation.
  • After updating, change passwords and other secrets referenced by the vendor advisory.
  • Review who can authenticate to the APROL Web Portal and restrict access to only required operators and systems.
  • Follow the linked CISA and B&R industrial-control-system defense-in-depth guidance for layered protections.

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-25-093-05 for CVE-2024-10210, which identifies the flaw as an External Control of File Name or Path issue in the APROL Web Portal and lists the affected product as B&R APROL < 4.4-00P5. The advisory also includes vendor remediation guidance to patch or upgrade and to change passwords/secrets afterward. Official reference links from CISA and B&R were used as the evidence corpus; no unsupported exploitation claims are included.

Official resources

CISA published the CSAF advisory ICSA-25-093-05 for CVE-2024-10210 on 2025-03-24, with the initial revision marked 1.0.0. The CVE record and source advisory share the same publication date in the supplied corpus.