Critical File System Vulnerability Patched in iba Systems ibaPDA
Take action: Make sure all industrial devices are isolated from the internet and accessible from trusted networks only. Update ibaPDA to version 8.12.1 as soon as possible. In the meantime, apply mitigating measures to limit impact.
CISA and iba Systems report a security update for the ibaPDA software that fixes a critical flaw allowing attackers to perform unauthorized actions on the file system.
The flaw is tracked as CVE-2025-14988 (CVSS score 9.8) and is caused by incorrect permission assignments for critical resources. Attackers can exploit this weakness to read, change, or delete files without proper authorization.
Users should update to ibaPDA version 8.12.1 or newer. Organizations that can't update immediately should:
- enable User Management in the configuration settings and set a strong password for the admin user.
- use the Server Access Manager to limit connections to the local machine (127.0.0.1) or specific trusted IP addresses.
- turn off the option to automatically open ports in the Windows Firewall within the I/O Manager.
- manually delete existing rules for the ibaPDA Client and Server and create new ones that only allow verified traffic.
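To support the firewall steps above, the following PowerShell audit (an added example, not code from iba Systems or CISA) lists enabled-or-disabled inbound allow rules matching a display-name pattern and flags any whose remote-address scope goes beyond a trusted list. The `*ibaPDA*` name pattern and the contents of the allow-list are assumptions; adjust both to the actual installation.

```powershell
# Audit Windows Firewall rules belonging to ibaPDA and flag those reachable
# from addresses outside a trusted list. Read-only: nothing is modified.
# Run in an elevated PowerShell session on the ibaPDA host.

# ASSUMPTION: the rules are identifiable by this display-name pattern.
$NamePattern = '*ibaPDA*'
# ASSUMPTION: placeholder allow-list; add the specific trusted client IPs.
$TrustedAddresses = @('127.0.0.1')

function Get-IbaFirewallAudit {
    param(
        [string]   $Pattern,
        [string[]] $Trusted
    )
    Get-NetFirewallRule -DisplayName $Pattern -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        ForEach-Object {
            $rule = $_
            $addr = $rule | Get-NetFirewallAddressFilter
            $port = $rule | Get-NetFirewallPortFilter
            $app  = $rule | Get-NetFirewallApplicationFilter

            # RemoteAddress is 'Any' when the rule is not scoped at all.
            $remote    = @($addr.RemoteAddress)
            $untrusted = @($remote | Where-Object { $_ -notin $Trusted })

            [pscustomobject]@{
                DisplayName   = $rule.DisplayName
                Enabled       = $rule.Enabled
                Profile       = $rule.Profile
                Program       = $app.Program
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($remote -join ',')
                NeedsReview   = ($untrusted.Count -gt 0)
            }
        }
}

$audit = Get-IbaFirewallAudit -Pattern $NamePattern -Trusted $TrustedAddresses
if (-not $audit) {
    Write-Warning "No inbound allow rules matched '$NamePattern'; check the pattern."
} else {
    $audit | Sort-Object NeedsReview -Descending | Format-Table -AutoSize -Wrap
}
```

Rules reported with `NeedsReview` set to `True` are the ones to delete and recreate with a restricted remote-address scope; rerunning the audit afterwards confirms that no rule remains open to `Any`.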
As always, keep industrial control systems off the public internet and use a secure VPN for any required remote access.