CVE-2025-11498: CWE-1236: Improper Neutralization of Formula Elements in a CSV File in B&R Industrial Automation GmbH Automation Runtime
An Improper Neutralization of Formula Elements in a CSV File vulnerability exists in System Diagnostics Manager (SDM) of B&R Automation Runtime versions before 6.4 enabling a remote attacker to inject formula data into a generated CSV file. The exploitation of this vulnerability requires the attacker to create a malicious link. The user would need to click on this link, after which the resulting CSV file additionally needs to be manually opened.
AI Analysis
Technical Summary
CVE-2025-11498 is a vulnerability classified under CWE-1236, which pertains to improper neutralization of formula elements in CSV files generated by the System Diagnostics Manager (SDM) component of B&R Industrial Automation GmbH's Automation Runtime software. Versions prior to 6.4, including 6.0 and 4, are affected. The vulnerability allows a remote attacker to inject malicious formula data into CSV files by crafting a malicious link that, when clicked by a user, results in the generation of a CSV file containing harmful formulas. These formulas can be executed when the CSV file is manually opened in spreadsheet applications such as Microsoft Excel or LibreOffice Calc, potentially leading to data manipulation, unauthorized command execution, or information disclosure. The attack vector requires no authentication or privileges but depends on user interaction (clicking the link and opening the file). The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, but user interaction needed. The vulnerability is notable in industrial automation environments where Automation Runtime is deployed for system diagnostics and control, making it a potential vector for supply chain or operational disruption attacks. No patches or exploits are currently publicly available, but the risk remains due to the nature of formula injection attacks in CSV files.
Potential Impact
For European organizations, especially those in manufacturing, industrial automation, and critical infrastructure sectors, this vulnerability could lead to significant operational risks. Exploitation could result in unauthorized data manipulation or execution of malicious commands via spreadsheet formula injection, potentially disrupting automated processes or corrupting diagnostic data. This could impair system monitoring, cause erroneous operational decisions, or facilitate further compromise within industrial control systems. Given the reliance on B&R Automation Runtime in European industrial environments, the vulnerability could affect production continuity and safety. Additionally, the need for user interaction means social engineering could be leveraged to target employees, increasing the risk of successful exploitation. While no known exploits exist yet, the medium severity and ease of exploitation through phishing-like tactics warrant proactive mitigation to prevent potential operational and reputational damage.
Mitigation Recommendations
1. Upgrade B&R Automation Runtime to version 6.4 or later, where this vulnerability is addressed.
2. Implement strict email and web filtering to block or flag suspicious links that could deliver malicious CSV files.
3. Educate employees, especially those in operational technology and engineering roles, about the risks of opening CSV files from untrusted sources and the dangers of clicking unknown links.
4. Configure spreadsheet applications to disable automatic formula execution or enable protected view modes for files originating from the internet or untrusted locations.
5. Employ content sanitization tools or scripts to scan and neutralize formula elements in CSV files before they are processed or imported into critical systems.
6. Monitor network traffic and system logs for unusual activities related to CSV file generation and access.
7. Develop incident response plans specific to industrial automation environments to quickly address any suspected exploitation.
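The following is an added example of the kind of sanitizer that mitigation item 5 describes; it is not code from this advisory or from B&R's Automation Runtime. It detects cells whose first character would make a spreadsheet application interpret them as a formula and neutralizes them by prefixing a single quote, the approach OWASP documents for CSV injection. The prefix list and the sample diagnostic export are constructed for the example; the real SDM export format is not on the page and is not assumed here.

```python
import csv
import io

# Leading characters that common spreadsheet applications treat as the start of a
# formula. Constructed list for this example, following the widely documented
# CSV/formula injection prefixes (tab and carriage return are included because
# some importers strip them and then evaluate what follows).
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True when the cell would be interpreted as a formula by a spreadsheet.

    A plain signed number such as "-5" is legitimate data, not a formula, so it is
    exempted; "-5 dBm" is not numeric and is therefore still flagged.
    """
    if not cell.startswith(FORMULA_PREFIXES):
        return False
    try:
        float(cell)
        return False
    except ValueError:
        return True


def neutralize_cell(cell: str) -> str:
    """Prefix formula-like cells with a single quote so they are shown as text."""
    if is_formula_like(cell):
        return "'" + cell
    return cell


def find_formula_cells(text: str) -> list[tuple[int, int, str]]:
    """Detection helper: (row, column, value) of every formula-like cell."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


def sanitize_csv(text: str) -> str:
    """Parse CSV text, neutralize every formula-like cell, and re-serialize it.

    Every field is quoted on output so that a cell containing a comma or a quote
    survives the round trip unchanged apart from the neutralizing prefix.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([neutralize_cell(cell) for cell in row])
    return out.getvalue()


# Constructed sample that loosely imitates a diagnostics export; the third row
# carries a benign formula in its free-text field, the fourth a legitimate
# negative reading that happens to start with a formula prefix.
SAMPLE_EXPORT = (
    "module,status,message\n"
    "CPU,OK,temperature nominal\n"
    'IO,WARN,"=SUM(1,2)"\n'
    "NET,OK,-5 dBm\n"
)


if __name__ == "__main__":
    for row, col, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"formula-like cell at row {row}, column {col}: {value!r}")
    print(sanitize_csv(SAMPLE_EXPORT))
```

The numeric exemption is a deliberate trade-off: without it every negative measurement in a diagnostics export would be turned into text, which breaks downstream numeric processing. Where a consumer needs the original value back, the quote prefix is trivially reversible, so the sanitized file remains usable for import into systems that never evaluate formulas.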
Affected Countries
Germany, Austria, Switzerland, France, Italy, Netherlands, Belgium, Poland, Czech Republic, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: ABB
- Date Reserved: 2025-10-08T13:55:00.714Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68ee47cf509368ccaa6fc899
Added to database: 10/14/2025, 12:53:35 PM
Last enriched: 10/14/2025, 1:03:59 PM
Last updated: 10/15/2025, 6:14:48 PM