CVE-2025-11043

An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges.

CVSS v3 7.4 HIGH

7.4^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de validación de certificado incorrecta en el cliente OPC-UA y el cliente ANSL sobre TLS utilizada en versiones de Automation Studio anteriores a la 6.5 podría permitir a un atacante no autenticado en la red posicionarse para interceptar e interferir con los intercambios de datos.

19 Jan 2026, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-19 16:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-11043

Mitre link : CVE-2025-11043

CVE.ORG link : CVE-2025-11043

JSON object : View

Products Affected

No product.

CWE

CWE-295

Improper Certificate Validation

{"id": "CVE-2025-11043", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cybersecurity@ch.abb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.2}], "cvssMetricV40": [{"type": "Secondary", "source": "cybersecurity@ch.abb.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-01-19T16:15:52.873", "references": [{"url": "https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf", "source": "cybersecurity@ch.abb.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "cybersecurity@ch.abb.com", "description": [{"lang": "en", "value": "CWE-295"}]}], "descriptions": [{"lang": "en", "value": "An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges."}, {"lang": "es", "value": "Una vulnerabilidad de validaci\u00f3n de certificado incorrecta en el cliente OPC-UA y el cliente ANSL sobre TLS utilizada en versiones de Automation Studio anteriores a la 6.5 podr\u00eda permitir a un atacante no autenticado en la red posicionarse para interceptar e interferir con los intercambios de datos."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "cybersecurity@ch.abb.com"}