MidnightBSD

Advisories for tridium

CVE-2012-3024 MEDIUM

Tridium Niagara AX Framework through 3.6 uses predictable values for (1) session IDs and (2) keys, which might allow remote attackers to bypass authentication via a brute-force attack.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-287,

Products Affected

Vendor Product Version
tridium niagara_ax *
CVE-2012-3025 MEDIUM

The default configuration of Tridium Niagara AX Framework through 3.6 uses a cleartext base64 format for transmission of credentials in cookies, which allows remote attackers to obtain sensitive information by sniffing the network.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-522,

Products Affected

Vendor Product Version
tridium niagara_ax *
CVE-2012-4027 MEDIUM

Directory traversal vulnerability in Tridium Niagara AX Framework allows remote attackers to read files outside of the intended images, nav, and px folders by leveraging incorrect permissions, as demonstrated by reading the config.bog file.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
tridium niagara_ax *
CVE-2012-4028 HIGH

Tridium Niagara AX Framework does not properly store credential data, which allows context-dependent attackers to bypass intended access restrictions by using the stored information for authentication.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-522,

Products Affected

Vendor Product Version
tridium niagara_ax *
CVE-2012-4701 HIGH

Directory traversal vulnerability in Tridium Niagara AX 3.5, 3.6, and 3.7 allows remote attackers to read sensitive files, and consequently execute arbitrary code, by leveraging (1) valid credentials or (2) the guest feature.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-22,

Products Affected

Vendor Product Version
tridium niagara_ax 3.6
tridium niagara_ax 3.7
tridium niagara_ax 3.5
CVE-2017-16744 MEDIUM

A path traversal vulnerability in Tridium Niagara AX Versions 3.8 and prior and Niagara 4 systems Versions 4.4 and prior installed on Microsoft Windows Systems can be exploited by leveraging valid platform (administrator) credentials.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,CWE-22,

Products Affected

Vendor Product Version
tridium niagara_ax_framework *
tridium niagara *
CVE-2017-16748 HIGH

An attacker can log into the local Niagara platform (Niagara AX Framework Versions 3.8 and prior or Niagara 4 Framework Versions 4.4 and prior) using a disabled account name and a blank password, granting the attacker administrator access to the Niagara system.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-287,CWE-287,

Products Affected

Vendor Product Version
tridium niagara_ax_framework *
tridium niagara *
CVE-2018-18985 LOW

Tridium Niagara Enterprise Security 2.3u1, all versions prior to 2.3.118.6, Niagara AX 3.8u4, all versions prior to 3.8.401.1, Niagara 4.4u2, all versions prior to 4.4.93.40.2, and Niagara 4.6, all versions prior to 4.6.96.28.4 a cross-site scripting vulnerability has been identified that may allow a remote attacker to inject code to some web pages affecting confidentiality.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,CWE-79,

Products Affected

Vendor Product Version
tridium niagara_ax_framework *
tridium niagara_enterprise_security *
tridium niagara_enterprise_security 2.3u1
tridium niagara 4.4u2
tridium niagara *
tridium niagara_ax_framework 3.8u4
CVE-2019-13528 LOW

A specific utility may allow an attacker to gain read access to privileged files in the Niagara AX 3.8u4 (JACE 3e, JACE 6e, JACE 7, JACE-8000), Niagara 4.4u3 (JACE 3e, JACE 6e, JACE 7, JACE-8000), and Niagara 4.7u1 (JACE-8000, Edge 10).

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.4 MEDIUM CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N 0.8 3.6

CVSS 2.0

Severity: LOW

Problem Type: CWE-285,NVD-CWE-noinfo,

Products Affected

Vendor Product Version
tridium niagara4 4.4u3
tridium niagara4 4.7u1
tridium niagara_ax 3.8u4
CVE-2020-14483 LOW

A timeout during a TLS handshake can result in the connection failing to terminate. This can result in a Niagara thread hanging and requires a manual restart of Niagara (Versions 4.6.96.28, 4.7.109.20, 4.7.110.32, 4.8.0.110) and Niagara Enterprise Security (Versions 2.4.31, 2.4.45, 4.8.0.35) to correct.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L 2.8 1.4

CVSS 2.0

Severity: LOW

Problem Type: CWE-1088,NVD-CWE-Other,

Products Affected

Vendor Product Version
tridium niagara 4.8.0.110
tridium niagara 4.6.96.28
tridium niagara 4.7.109.20
tridium niagara 4.7.110.32
tridium niagara_enterprise_security 2.4.31
tridium niagara_enterprise_security 2.4.45
tridium niagara_enterprise_security 4.8.0.35
CVE-2025-3936

Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@honeywell.com 6.5 MEDIUM CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 2.0 4.0

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3937

Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@honeywell.com 7.7 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 3.1 4.0

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3938

Missing Cryptographic Step vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@honeywell.com 6.8 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 2.3 4.0
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3939

Observable Response Discrepancy vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@honeywell.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4
nvd@nist.gov 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 3.9 1.4

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3940

Improper Use of Validation Framework vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@honeywell.com 5.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 3.9 1.4

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3941

Improper Handling of Windows ::DATA Alternate Data Stream vulnerability in Tridium Niagara Framework on Windows, Tridium Niagara Enterprise Security on Windows allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11.Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@honeywell.com 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 2.8 2.5
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3942

Improper Output Neutralization for Logs vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Input Data Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@honeywell.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 2.8 1.4
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N 3.9 3.6

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3943

Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6
psirt@honeywell.com 4.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 2.3 1.4

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3944

Incorrect Permission Assignment for Critical Resource vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows File Manipulation. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9
psirt@honeywell.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15
CVE-2025-3945

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows Command Delimiters. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
psirt@honeywell.com 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
tridium niagara 4.15
tridium niagara 4.10u10
tridium niagara 4.14u1
tridium niagara_enterprise_security 4.10u10
tridium niagara_enterprise_security 4.14u1
tridium niagara_enterprise_security 4.15