CVE-2025-11482 B&R Industrial Automation GmbH CVE debrief

Who should care

Organizations operating PPT30 industrial control systems, critical infrastructure operators using OPC-UA communications, OT security teams, and asset owners in manufacturing, energy, or process industries where PPT30 is deployed

Technical summary

The OPC-UA Server in PPT30 Operating System versions before 1.8.0 fails to implement proper resource limits or throttling mechanisms. An unauthenticated attacker can exploit this weakness by sending crafted network requests that consume excessive server resources, resulting in permanent service unavailability for legitimate users. The attack requires no privileges, no user interaction, and is exploitable over the network with low attack complexity. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H) confirms network attack vector with high availability impact and no confidentiality or integrity effects.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade PPT30 Operating System to version 1.8.0 or later to remediate the vulnerability
• Implement network segmentation to restrict OPC-UA Server access to authorized systems only
• Deploy rate limiting and connection throttling at network perimeter for OPC-UA services
• Monitor for anomalous connection patterns or resource exhaustion indicators on OPC-UA Server instances
• Review and apply vendor security advisory SA25P006 for additional mitigation guidance

Evidence notes

Vulnerability description and CVSS vector sourced from NVD record. Vendor attribution inferred from contact email '[email protected]' in source references with low confidence requiring review. CPE criteria not yet populated in source data.

Official resources