PatchSiren cyber security CVE debrief

CVE-2024-45480 B&R Industrial Automation CVE debrief

CVE-2024-45480 is a high-severity code injection issue in the AprolCreateReport component of B&R APROL < 4.4-00P5. According to the CISA CSAF advisory published on 2025-03-24, an unauthenticated network-based attacker may be able to read files from the local system. B&R recommends applying the patch or upgrading to a non-vulnerable version as soon as possible.

Vendor
B&R Industrial Automation
Product
B&R APROL
CVSS
HIGH 8.6
CISA KEV
Not listed in stored evidence
Original CVE published
2025-03-24
Original CVE updated
2025-03-24
Advisory published
2025-03-24
Advisory updated
2025-03-24

Who should care

Organizations running B&R APROL, especially operators, engineers, and administrators responsible for OT/ICS environments where APROL systems are network-reachable or support report-generation workflows.

Technical summary

The advisory describes an improper control of code generation ('Code Injection') weakness in AprolCreateReport affecting B&R APROL versions earlier than 4.4-00P5. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N (8.6 HIGH), indicating network attackability with no privileges or user interaction required and a confidentiality-focused impact. The CSAF record states the outcome may include reading files from the local system.

Defensive priority

High. The issue is network-reachable, unauthenticated, and affects confidentiality of local files, so affected APROL installations should be prioritized for patching or upgrade.

Recommended defensive actions

  • Upgrade B&R APROL to 4.4-00P5 or later (a non-vulnerable version) as soon as possible, per vendor guidance.
  • Use the vendor user manual to confirm the installed APROL version before remediation.
  • After applying the update, rotate any secrets or passwords that may have been exposed, as recommended in the advisory.
  • Review network exposure for APROL systems and reduce unnecessary access where feasible.
  • Follow CISA and vendor industrial control systems defensive guidance for segmentation, monitoring, and defense-in-depth.

Evidence notes

All core facts are taken from the supplied CISA CSAF advisory and its cited vendor references. The advisory names B&R APROL < 4.4-00P5, the AprolCreateReport component, the code injection weakness, and the potential for an unauthenticated network attacker to read local files. The supplied metadata also includes CVSS 8.6 and the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. No exploit-in-the-wild, KEV, or ransomware claims are included because none were provided.

Official resources

Publicly disclosed in the CISA CSAF advisory on 2025-03-24, which is also the CVE published date supplied in the source data.