What security vulnerabilities were disclosed in B&R APROL systems?

B&R has disclosed multiple critical security vulnerabilities affecting their APROL system, including: CVE-2024-45480 (CVSS 9.2, code injection), CVE-2024-8313 (CVSS 8.7, exposure of sensitive system information), CVE-2024-10209 (CVSS 8.5, incorrect permission assignment), CVE-2024-45482 (CVSS 8.5, inclusion of functionality from untrusted control sphere), CVE-2024-45481 (CVSS 8.5, incomplete filtering of special elements), CVE-2024-10210 (CVSS 8.4, external control of file name or path), and several others with lower CVSS scores.

What is the most severe vulnerability in the B&R APROL system?

The most severe vulnerability is CVE-2024-45480 with a CVSS score of 9.2. It is an improper control of code generation ('Code Injection') vulnerability in the AprolCreateReport component that allows unauthenticated network-based attackers to read files from the local system.

Which versions of B&R APROL are affected by these vulnerabilities?

Different vulnerabilities affect different versions: All versions prior to 4.4-01 (CVE-2024-45483, CVE-2024-10209); All versions 4.4-00P1 and prior (CVE-2024-45482); All versions 4.4-00P5 and prior (CVE-2024-45481, CVE-2024-45480, CVE-2024-8315, CVE-2024-45484, CVE-2024-8313, CVE-2024-8314, CVE-2024-10206, CVE-2024-10207, CVE-2024-10208, CVE-2024-10210).

Has B&R released patches for these vulnerabilities?

Yes, B&R has released patches for all vulnerabilities and recommends users apply these patches or upgrade to non-vulnerable versions. The fixed versions are: B&R APROL 4.4-01 (fixes CVE-2024-45483 and CVE-2024-10209), B&R APROL 4.4-00P1 and later (fixes CVE-2024-45482), and B&R APROL 4.4-00P5 and later (fixes the remaining vulnerabilities).

What components of the B&R APROL system are affected by these vulnerabilities?

The vulnerabilities affect various components of the APROL system, including the AprolCreateReport component, SNMP component, file system, SSH server, APROL Web Portal, operating system network configuration, GRUB configuration, and session handling.

Advisory

Multiple vulnerabilities in B&R APROL system reported, patch ASAP

published: April 3, 2025

Take action: If you are using B&R APROL, make sure it's isolated from the internet and accessible only from trusted networks. Then plan a comprehensive patch effort and password reset.

Learn More

B&R has disclosed multiple critical security vulnerabilities affecting their APROL system, a control system widely deployed in critical manufacturing sectors worldwide.

Vulnerability summary

CVE-2024-45480 (CVSS score 9.2), an improper control of code generation ('Code Injection') vulnerability in the AprolCreateReport component. This vulnerability allows unauthenticated network-based attackers to read files from the local system.
CVE-2024-8313 (CVSS score 8.7) - Exposure of sensitive system information vulnerabilityaffecting the SNMP component
CVE-2024-10209 (CVSS score 8.5) - Incorrect permission assignment vulnerability in the file system
CVE-2024-45482 (CVSS score 8.5) - Inclusion of functionality from untrusted control sphere vulnerability in the SSH server
CVE-2024-45481 (CVSS score 8.5) - Incomplete filtering of special elements vulnerability in scripts using the SSH server
CVE-2024-10210 (CVSS score 8.4) - External control of file name or path vulnerability in the APROL Web Portal
CVE-2024-45484 (CVSS score 7.2) - Allocation of resources without limits vulnerability in the operating system network configuration
CVE-2024-45483 (CVSS score 7.0) - Missing authentication for critical function vulnerability in the GRUB configuration
CVE-2024-10206 (CVSS score 6.9) - Server-side request forgery vulnerability in the APROL Web Portal
CVE-2024-8315 (CVSS score 6.8) - Improper handling of insufficient permissions vulnerability in scripts
CVE-2024-8314 (CVSS score 5.5) - Exposure of data element to wrong session vulnerability in the session handling
CVE-2024-10207 (CVSS score 5.3) - Server-side request forgery vulnerability in the APROL Web Portal
CVE-2024-10208 (CVSS score 5.1) - Cross-site scripting vulnerability in the APROL Web Portal

Affected Products

B&R APROL: All versions prior to 4.4-01 (CVE-2024-45483, CVE-2024-10209)
B&R APROL: All versions 4.4-00P1 and prior (CVE-2024-45482)
B&R APROL: All versions 4.4-00P5 and prior (CVE-2024-45481, CVE-2024-45480, CVE-2024-8315, CVE-2024-45484, CVE-2024-8313, CVE-2024-8314, CVE-2024-10206, CVE-2024-10207, CVE-2024-10208, CVE-2024-10210)

B&R has released patches for all vulnerabilities and recommends users apply these patches or upgrade to non-vulnerable versions at their earliest convenience. The fixed versions are:

B&R APROL 4.4-01: Fixes CVE-2024-45483 and CVE-2024-10209
B&R APROL 4.4-00P1 and later: Fixes CVE-2024-45482
B&R APROL 4.4-00P5 and later: Fixes CVE-2024-45481, CVE-2024-45480, CVE-2024-8315, CVE-2024-45484, CVE-2024-8313, CVE-2024-8314, CVE-2024-10206, CVE-2024-10207, CVE-2024-10208, and CVE-2024-10210

As some of the vulnerabilities affect credential confidentiality, B&R recommends changing all secrets/passwords after applying the update. The process to install updates and identify the installed product version is described in the user manual.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities were reported to CISA by ABB PSIRT.

Multiple vulnerabilities in B&R APROL system reported, patch ASAP

Read More
Critical authentication bypass in Güralp Systems seismic monitoring …
Critical File System Vulnerability Patched in iba Systems …
Samsung MagicINFO 9 server flaw actively exploited
Multiple critical flaws reported in mySCADA myPRO product
Rockwell ThinManager Critical Vulnerabilities expose Industrial Interfaces