Cyber Security Advisories and Notices

Our goal is to ensure that reported security issues are handled consistently, assessed in a risk-based way, and communicated to customers in a timely and actionable manner. B&R manages cybersecurity vulnerabilities using established industry practices and a structured, transparent process, that has been defined together with ABB and follows a five step vulnerability handling process.

This process describes our first response, our initial triage phase, the root-cause investigation, develop and test remediation measures, and finally communicate the outcome through security advisories. The process is publicly documented and is designed to provide customers with clarity on what to expect at each stage - from initial report to final guidance.

This approach is aligned with recognized product security lifecycle requirements, including IEC 62443-4-1 and the expectations introduced by the EU Cyber Resilience Act (CRA). For customers, this means that vulnerability handling is embedded into our development and maintenance practices, with defined responsibilities, traceable decisions, and repeatable workflows.

How B&R communicates security issues and remediation guidance

When a noteworthy vulnerability affects B&R products, we publish a security advisory that explains, in practical terms:

which products and versions are impacted
how the issue can be understood and assessed, including severity and potential impact
what actions customers should take (for example patches, updates, mitigations, or configuration guidance)
where to find additional supporting information

B&R security advisories are published on this website and are also made available via the ABB Cyber Security alerts and notifications portal. To support proactive monitoring, the ABB portal provides both human-readable and automated notification options:

RSS Feed for customers who want to track newly published advisories in standard newsfeed readers
ROLIE / CSAF feed for customers who want machine-readable advisories that can be consumed by vulnerability management or asset/security tooling.

Using RSS or CSAF-capable software, customers can filter and monitor advisories relevant to their specific B&R products, enabling faster evaluation and response within their own vulnerability management processes.

2026

Release	Description	Document version
2026-02-18	Advisory SA25P007: Update of SQLite version in B&R Automation Studio	1.1
2026-01-29 (Update 2026-02-23)	Advisory SA24P003: B&R PCs vulnerable to PixieFail attack	1.2
2026-01-29	Advisory SA26P001: Insertion of sensitive Information into PVI Logfile	1.0
2026-01-19	Advisory SA25P005: Improper Handling of Flooding conditions on ANSL Server (CSAF)	1.0
2026-01-19	Advisory SA25P004: Automation Studio Insufficient Server Certificate Validation (CSAF)	1.0

2025

Release	Description	Document version
2025-10-07 (Update 2025-10-14)	Advisory SA2025P003: Vulnerabilities in System Diagnostic Manager (SDM) (CSAF)	2.0
2025-10-07	Advisory SA25P002: DoS Vulnerability in System Diagnostics Manager (SDM) (CSAF)	1.0
2025-03-24	Advisory SA24P015: B&R APROL Potential Privilege Escalation and Information Disclosure (CSAF)	1.0
2025-01-15 (Update 2025-01-16)	Advisory SA25P001: Use of insecure algorithm for self-signed certificates in AR and mappView (CSAF)	1.1

2024

Release	Description	Document version
2024-11-27	Advisory SA22P014: Authentication bypass flaw in several mapp components	1.0
2024-08-27 (Update 2024-08-28)	Advisory SA24P014: Multiple vulnerabilities in B&R APROL	1.1
2024-08-09 (Update 2024-08-30)	Advisory SA24P011: Several vulnerabilities in B&R Automation Runtime	1.1
2024-05-14 (Update 2025-06-06)	Advisory SA24P005: Insecure Loading of Code in B&R Products (CSAF)	1.3
2024-04-12	Advisory SA24P002: Impact of LogoFail vulnerability on B&R Industrial PCs and HMI products	1.1
2024-04-10	Advisory SA24P006: B&R APROL - Several vulnerabilities in the Docker Engine	1.1
2024-02-22	Advisory SA23P019: B&R Automation Studio & B&R Technology Guarding - B&R products use insufficient communication encryption	1.0
2024-02-14	Advisory SA24P004: SSH Service vulnerable to Terrapin attack	1.0
2024-02-05 (Update 2024-02-06)	Advisory SA23P018: B&R Automation Runtime - SDM Web interface vulnerable to XSS	1.1
2024-02-05	Advisory SA23P004: B&R Automation Runtime - FTP uses unsecure encryption mechanisms	1.0

2023

Release	Description	Document version
2023-07-26	Advisory SA23P013: B&R Automation Runtime - SYN Flooding Vulnerability in Portmapper	1.0
2023-05-31 (Update 2023-08-09)	Advisory SA23P011: B&R APROL - Abuse SLP based traffic for amplification attack	1.1
2023-04-14	Advisory SA23P002: Several Issues in B&R VC4 Visualization	1.0
2023-02-27 (Update 2024-03-06)	Advisory SA22P011: Vulnerable TigerVNC Version used in B&R Products	1.1
2023-02-15 (Update 2023-04-17)	Advisory SA22P001: Impact of Insyde UEFI Boot Issues on B&R Products	1.2
2023-02-14	Advisory SA22P024: Reflected Cross-Site Scripting Vulnerabilities in SDM	1.0
2023-01-30 (Update 2023-02-03)	Advisory SA22P016: Several Issues in APROL Database	1.1

2022

Number	Description	Document version
04/2022 (Update 2023-02-08)	Advisory: Impact of Vulnerability in WIBU CodeMeter Runtime to B&R Products	1.2
03/2022	Notice: INCONTROLLER	1.0
02/2022 (Update 2024-06-24)	Advisory: A flaw in Chainsaw component of Log4j can lead to code execution	1.1
01/2022	Advisory: RCE through Project Upload from Target ("Evil PLC Attack")	1.2

2021

Number	Description	Document version
15/2021	Notice: Log4Shell - Impact on B&R Products	1.1
14/2021	Advisory: Vulnerabilities in B&R Automation Studio and PVI Windows Services	1.0
13/2021	Advisory: Number:Jack in B&R Products	1.0
12/2021	Advisory: RCE Vulnerability in Automation Studio	1.0
11/2021	Advisory: ZipSlip Vulnerability in Automation Studio Project Import	1.0
10/2021 (Updated 2024-05-14)	Advisory: DLL Hijacking Vulnerability in Automation Studio	1.1
09/2021	Notice: INFRA:HALT - Impact on B&R Products	1.0
08/2021	Advisory: Denial of service vulnerability on Automation Runtime webserver	1.0
07/2021	Advisory: Denial of Service vulnerability in B&R Industrial Automation PROFINET IO Device	1.0
06/2021	Advisory: Stack crash in B&R Industrial Automation X20 EthernetIP Adapter	1.0
05/2021	Advisory: Multiple Vulnerabilities in AR NTP Service	1.0
04/2021	Advisory: Amnesia33- Impact on B&R Products	1.1
03/2021	Advisory: NAME:WRECK Impact on Automation Runtime and ARwin	1.1
02/2021	Advisory: Denial-of-Service Vulnerability handling PROFINET DCE-RPC Network Packets	1.0
01/2021	Advisory: B&R Products affected by WIBU CodeMeter Vulnerabilities	1.1

2020

Number	Description	Version
01/2020	Advisory: Automation Runtime SNMP Authentication and Authorization Weakness	1.0
02/2020	Advisory: TPM-Fail	1.1
03/2020	Advisory: Multiple Vulnerabilities in Automation Studio	1.1
04/2020	Advisory: Automation Runtime TFTP Service DoS Vulnerability	1.1
05/2020	Notice: Ripple20 – Impact on B&R Products	1.0
06/2020	Advisory: Multiple Vulnerabilities in SiteManager and GateManager	1.0
07/2020	Advisory: Multiple Vulnerabilities in GateManager	1.0

2019

Number	Description	Document version
2019_02	VxWorks RPC Buffer Overflow Vulnerability CVE-2019-9865	1.0
2019_01	VxWorks IPnet Vulnerabilities	1.1