Cybersecurity researchers have discovered 13 serious security flaws in the Niagara Framework, a platform used to control smart building systems around the world. This framework, developed by Tridium, a Honeywell company, connects and manages critical building functions like HVAC, lighting, elevators, energy meters, and security systems.

The impact of these flaws is massive. Niagara is used in over a million systems globally across commercial buildings, airports, hospitals, data centers, factories, and even government facilities. If hackers take advantage of these vulnerabilities, they could gain access to building infrastructure and cause serious damage.

The vulnerabilities affect Niagara Framework and Niagara Enterprise Security versions 4.10u10 and earlier, as well as 4.14u1 and earlier. Tridium has confirmed the issues and released patches. These flaws were responsibly reported by Nozomi Networks Labs and later verified by Tridium.

Among the 13 flaws, 10 have been given official CVE identifiers. Some of the most critical ones include CVE-2025-3937, which relates to weak password hashing, CVE-2025-3944, which involves incorrect permission settings, and CVE-2025-3945, an argument injection flaw that could allow command execution.

The real danger lies in how attackers could chain these vulnerabilities together. For example, if a system is using unencrypted Syslog, which is still common, an attacker could intercept log data and extract a CSRF token. That token can then be misused to trick an admin into executing malicious actions.

Once the attacker gets hold of the JSESSIONID, which is the session ID for an admin, they can gain full administrative control over the system. At this point, they can modify building settings, disable alarms, or manipulate HVAC and lighting systems without any alerts being raised.

Going even deeper, attackers could extract private TLS keys from the system. These keys are used to secure communications. With these in hand, a hacker could decrypt sensitive data or impersonate the system while the connection still appears secure. One of the vulnerabilities, CVE-2025-3944, even allows them to execute system commands by injecting them into a DHCP configuration file.

If this entire attack chain is executed, the attacker can achieve root-level access to the system. This is the highest level of control over a device’s operating system. At that point, they can install malware, maintain persistent access, or even shut down critical building systems entirely.

Tridium has urged all users to update to the latest patched version of Niagara as soon as possible. They also strongly recommend encrypting all logging services like Syslog, isolating building automation systems from IT networks, limiting administrator access, and following their official hardening guidelines to reduce risks.
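One way to check whether the Syslog exposure described above applies to your own log stream, as an added example that is not Tridium's or Nozomi's code: scan forwarded syslog lines for session or anti-CSRF token values, report them masked, and produce a redacted copy. Only `JSESSIONID` is named in this article; the `csrfToken` field name, the log lines, and all function names are constructed assumptions for illustration.

```python
import re

# Values that should never leave the host in a log line.
# JSESSIONID comes from the article; "csrfToken" is an assumed field name.
TOKEN_PATTERNS = {
    "session_id": re.compile(r"JSESSIONID=([A-Za-z0-9._-]{8,})", re.IGNORECASE),
    "csrf_token": re.compile(r"csrf[_-]?token[=:]\s*\"?([A-Za-z0-9._-]{8,})", re.IGNORECASE),
}

# Constructed sample syslog lines (not real product output).
SAMPLE_LOG = """\
<134>Jul 24 10:02:11 bms-01 station: login ok user=operator1
<134>Jul 24 10:02:15 bms-01 web: GET /settings?csrfToken=9f3c2a7be1d04456 200
<134>Jul 24 10:02:19 bms-01 web: Cookie: JSESSIONID=node0a1b2c3d4e5f6.node0; theme=dark
<134>Jul 24 10:03:02 bms-01 hvac: setpoint changed zone=3 value=21.5
"""


def mask(value):
    """Keep a 4-character prefix for correlation; never store the full secret."""
    return value[:4] + "*" * (len(value) - 4)


def audit_lines(lines):
    """Return (findings, redacted_lines) for an iterable of log lines."""
    findings, redacted = [], []
    for number, line in enumerate(lines, start=1):
        for kind, pattern in TOKEN_PATTERNS.items():
            def _redact(match, kind=kind, number=number):
                findings.append(
                    {"line": number, "kind": kind, "masked": mask(match.group(1))}
                )
                # Keep the field name, drop the secret value.
                prefix_len = match.start(1) - match.start(0)
                return match.group(0)[:prefix_len] + "[REDACTED]"
            line = pattern.sub(_redact, line)
        redacted.append(line)
    return findings, redacted


if __name__ == "__main__":
    found, clean = audit_lines(SAMPLE_LOG.splitlines())
    for item in found:
        print(f"line {item['line']}: {item['kind']} exposed ({item['masked']})")
    print("\n".join(clean))
```

Any finding means that value crosses the network in the clear when the Syslog transport is unencrypted, so it should be removed from the log output as well as protected in transit.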

These vulnerabilities are a reminder that flaws in smart building software can lead to real-world consequences. It’s no longer just about data theft. When attackers can gain control of physical systems like lights, elevators, and air conditioning, the risk includes safety hazards, financial losses, and major disruptions. Organizations using Niagara must act quickly to secure their systems.

Stay alert, and keep your security measures updated!
