Researchers Find Flaws in Tridium Niagara Framework

Vulnerabilities in Honeywell’s smart building middleware could allow hackers to manipulate physical systems or disable security alarms, warn security researchers.
Industrial automation giant Honeywell says more than a million instances of its Tridium Niagara Framework exist across the globe – intermediary devices that sit between building systems such as HVAC and enterprise applications such as maintenance and monitoring consoles.
Researchers from Nozomi Networks said Wednesday they discovered 13 vulnerabilities in the framework that include a “compelling attack chain.” The cybersecurity company coordinated disclosure with Honeywell, which rolled out patches for the vulnerabilities, which individually range from medium to high severity on the CVSS scale.
Any attack would need to begin with a hacker already having access to the network. It would also depend on the Tridium Niagara customer not encrypting syslog data, since a key part of the attack path is retrieving the CSRF token from the logs in order to carry out the very thing the token is meant to prevent: a cross-site request forgery attack.
Encryption is enabled by default in most cases, but running without it is not uncommon in legacy environments, where secure logging practices are often overlooked.
With root access to the Tridium Niagara device, attackers could gain persistent control and use it to cause “real-world consequences, impacting safety, productivity and service continuity across sectors like commercial real estate, healthcare, transportation, manufacturing and energy,” Nozomi warned. They might shut down HVAC systems in a hospital, alter lighting controls in a smart building, disable security systems in a manufacturing plant, or tamper with energy distribution (see: The Cybersecurity Bomb Ticking in Smart Buildings).
The vulnerabilities affect multiple versions of the Niagara Framework and Niagara Enterprise Security, including 4.10u10 and earlier, as well as 4.14u1 and earlier.
An attacker’s first step would be to check whether the Niagara Framework transmits CSRF refresh tokens through the GET method, since GET requests are often logged. With the token retrieved from unencrypted logs, the attacker would mount a cross-site request forgery attack to trick a system administrator into enabling full logging of the content of all incoming HTTP requests and responses.
That expanded set of logs would allow the attacker to extract the administrator’s session token for Java web applications. Obtaining the JSESSIONID token allows the attacker to gain full admin privileges and to create a backdoor. Up to this point, the attack chain has taken place on a section of the device known as the Station, the operational component of the Niagara Framework that – as Nozomi describes it – communicates with devices, processes data and provides user interfaces for monitoring and control.
At this stage of the attack, the hacker would download the private keys associated with the device’s TLS certificate, giving full access to the other section of the Niagara Framework: the Platform half, the underlying software environment on which the Station runs.
“With control of the Platform, the attacker immediately exploits CVE-2025-3944, a vulnerability that provides root-level RCE on the device, achieving complete takeover.”
Researchers said Honeywell responded promptly to their findings. The company advised users to upgrade affected systems immediately and to follow its hardening guide to enforce encryption, isolate OT networks and monitor for suspicious activity.
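The attack chain above hinges on two logging hygiene failures that the hardening advice addresses: tokens reaching the syslog stream through GET query strings or cookie headers, and that stream travelling in the clear. The following Python checker is an added example written for this page, not code from Nozomi or Honeywell. It assumes a constructed, hypothetical log format and forwarder setting; the parameter name csrfToken, the web.access record layout and the scheme://host:port destination string are illustrative, not Niagara's documented identifiers. It flags lines that expose a CSRF or session token, redacts the values so the record stays useful for forensics, and reports whether a forwarder destination is encrypted.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample syslog lines in a hypothetical web-access format
# (method, target, status, optional cookie attribute). This is NOT the real
# Niagara log schema; the parameter names are illustrative only.
SAMPLE_LOGS = [
    '2025-07-23T10:00:01Z station web.access GET /ord?view=dashboard 200',
    '2025-07-23T10:00:05Z station web.access GET /ord?csrfToken=AbC123xyz&view=alarms 200',
    '2025-07-23T10:00:09Z station web.access POST /login 302 cookie="JSESSIONID=9F3A1C; path=/"',
    '2025-07-23T10:00:12Z station web.access GET /static/app.js 200',
]

# Query-string keys and cookie names whose values must never land in a log.
SENSITIVE_QUERY_KEYS = {"csrftoken", "csrf_token", "token", "sessionid", "jsessionid"}
SENSITIVE_COOKIES = {"JSESSIONID"}

REQUEST_RE = re.compile(r'\b(?P<method>GET|POST|PUT|DELETE)\s+(?P<target>\S+)')
COOKIE_RE = re.compile(r'cookie="(?P<cookie>[^"]*)"', re.IGNORECASE)
SECRET_VALUE_RE = re.compile(
    r'\b(csrftoken|csrf_token|token|sessionid|jsessionid)=([^&;\s"]+)', re.IGNORECASE)


def find_token_leaks(lines):
    """Return (line_number, description) for every log line that exposes a CSRF
    or session token, either as a request query parameter or in a cookie."""
    findings = []
    for n, line in enumerate(lines, 1):
        req = REQUEST_RE.search(line)
        if req:
            # Only the query string of the request target can carry a token.
            query = urlsplit(req.group("target")).query
            for key in parse_qs(query, keep_blank_values=True):
                if key.lower() in SENSITIVE_QUERY_KEYS:
                    findings.append((n, f"{req.group('method')} query parameter '{key}' logged"))
        ck = COOKIE_RE.search(line)
        if ck:
            for part in ck.group("cookie").split(";"):
                name = part.strip().split("=", 1)[0]
                if name in SENSITIVE_COOKIES:
                    findings.append((n, f"cookie '{name}' logged"))
    return findings


def redact(line):
    """Mask secret values in place so the record can be retained without
    carrying the credential itself."""
    return SECRET_VALUE_RE.sub(lambda m: m.group(1) + "=[REDACTED]", line)


def syslog_transport_is_encrypted(destination):
    """Hypothetical forwarder setting of the form scheme://host:port. Only a
    TLS scheme counts as encrypted; udp:// and tcp:// send logs in the clear."""
    scheme = urlsplit(destination).scheme.lower()
    return scheme in {"tls", "syslog-tls"}


if __name__ == "__main__":
    for n, what in find_token_leaks(SAMPLE_LOGS):
        print(f"line {n}: {what}")
        print("   redacted:", redact(SAMPLE_LOGS[n - 1]))
    for dest in ("udp://siem.example.internal:514", "tls://siem.example.internal:6514"):
        print(dest, "encrypted" if syslog_transport_is_encrypted(dest) else "CLEARTEXT")
```

Run against a real export, the first function answers the question the article's attackers ask (do tokens appear in logged GET requests?) from the defender's side, and the redaction step is what to apply at the forwarder so the logs are useful without being a credential store; the transport check belongs in the same configuration review as the hardening guide's encryption requirement.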