What are the Tridium Niagara Framework security vulnerabilities?

Researchers at Nozomi Networks Labs discovered multiple security vulnerabilities in Tridium's widely-deployed Niagara Framework that could allow attackers to achieve complete system compromise when chained together. Ten CVEs were identified with CVSS scores ranging from 4.1 to 9.8, affecting the middleware platform that connects IoT devices including HVAC systems, lighting controls, energy management, and security systems.

What are the most critical vulnerabilities in the Niagara Framework?

The most critical vulnerabilities include CVE-2025-3937 (Use of Password Hash with Insufficient Computational Effort), CVE-2025-3944 (Incorrect Permission Assignment for Critical Resource), and CVE-2025-3945 (Improper Neutralization of Argument Delimiters in a Command), all with CVSS scores ranging from 7.2 to 9.8. These vulnerabilities can be chained together for complete system compromise.

What is the complete list of CVEs affecting Tridium Niagara Framework?

The ten CVEs are: CVE-2025-3937 (CVSS 7.7-9.8), CVE-2025-3944 (CVSS 7.2-9.8), CVE-2025-3945 (CVSS 7.2-9.8), CVE-2025-3938 (CVSS 6.8-9.8), CVE-2025-3936 (CVSS 6.5-9.8), CVE-2025-3941 (CVSS 5.4-9.8), CVE-2025-3940 (CVSS 5.3-9.8), CVE-2025-3942 (CVSS 4.3-7.5), CVE-2025-3943 (CVSS 4.1-7.5), and CVE-2025-3939 (CVSS 5.3).

Who discovered the Tridium Niagara Framework vulnerabilities?

The vulnerabilities were discovered by researchers at Nozomi Networks Labs, a cybersecurity research organization that specializes in operational technology (OT) and IoT security. They conducted comprehensive security research on the Tridium Niagara Framework and responsibly disclosed the vulnerabilities to allow for proper patching.

What systems are at risk from these Tridium vulnerabilities?

Systems at risk include building automation systems, HVAC controls, lighting management systems, energy management platforms, security systems, and other IoT devices that rely on the Tridium Niagara Framework for connectivity and management. Any organization using Tridium's middleware platform should assess their exposure and apply patches immediately.

Advisory

Multiple vulnerabilities reported in Tridium Niagara Framework

Q: Are patches available for the Niagara Framework vulnerabilities?

Yes, Tridium has issued patches for all identified vulnerabilities. The company strongly urges asset owners and operators to update affected Niagara installations to the latest patched versions immediately to protect against potential exploitation of these security flaws.

Q: What should organizations do to protect against these Niagara Framework vulnerabilities?

Organizations should immediately update affected Niagara installations to the latest patched versions, implement network segmentation to limit system exposure, and review encryption configurations to ensure all network communications are properly secured. These steps will help mitigate the risk of exploitation through the discovered vulnerabilities.

published: July 25, 2025

Take action: If you use Tridium Niagara Framework systems (common in HVAC, lighting, and building automation), check to confirm that the system is isolated from the internet and accessible only from trusted networks. Then plan an update to the latest patched versions. Also check for proper encrypted communication between Tridium Niagara and all other components to prevent interception of sensitive data.

Learn More

Researchers at Nozomi Networks Labs are reporting multiple security vulnerabilities in Tridium's widely-deployed Niagara Framework that could allow attackers to achieve complete system compromise when chained together.

The Tridium Niagara Framework, developed by Tridium (a Honeywell company), serves as a middleware platform connecting IoT devices including HVAC systems, lighting controls, energy management, and security systems.

Vulnerabilities summary:

CVE-2025-3937 (CVSS score varies from 7.7 to 9.8) - Use of Password Hash with Insufficient Computational Effort
CVE-2025-3944 (CVSS score varies from 7.2 to 9.8) - Incorrect Permission Assignment for Critical Resource
CVE-2025-3945 (CVSS score varies from 7.2 to 9.8) - Improper Neutralization of Argument Delimiters in a Command
CVE-2025-3938 (CVSS score varies from 6.8 to 9.8) - Missing Cryptographic Step
CVE-2025-3936 (CVSS score varies from 6.5 to 9.8) - Incorrect Permission Assignment for Critical Resource
CVE-2025-3941 (CVSS score varies from 5.4 to 9.8) - Improper Handling of Windows DATA Alternate Data Stream
CVE-2025-3940 (CVSS score varies from 5.3 to 9.8) - Improper Use of Validation Framework
CVE-2025-3942 (CVSS score varies from 4.3 to 7.5) - Improper Output Neutralization for Logs
CVE-2025-3943 (CVSS score varies from 4.1 to 7.5) - Use of GET Request Method with Sensitive Query Strings
CVE-2025-3939 (CVSS score 5.3) - Observable Response Discrepancy

Researchers demonstrated an attack chain combining CVE-2025-3943 and CVE-2025-3944 that enables adjacent attackers to achieve complete system compromise. The attack begins with intercepting anti-CSRF refresh tokens transmitted through GET requests, which are logged and potentially sent over unencrypted channels via Syslog. Attackers then escalate logging levels, hijack administrator sessions, steal TLS certificates, and exploit CVE-2025-3944 to execute arbitrary code with root privileges.

Tridium issued patches for all identified vulnerabilities. The company strongly urges asset owners and operators to update affected Niagara installations to the latest patched versions, implement network segmentation to limit system exposure and review encryption configurations to ensure all network communications are properly secured.

Multiple vulnerabilities reported in Tridium Niagara Framework

Read More
Juniper patches critical authentication bypass vulnerability in its …
Critical flaws reported in mySCADA myPRO manager and …
Critical Vulnerabilities in SWITCH EV Charging Platform Allow …
Rockwell Automation fixes critical flaw in AADvance Standalone …
KiloView Encoder Account Takeover Vulnerability