CVE-2025-3449 identifies a security weakness in the session management of the SDM component within B&R Industrial Automation GmbH's Automation Runtime software, versions before 6.4. The vulnerability stems from the generation of predictable numbers or identifiers (CWE-340), which are used to manage session states. Predictable session identifiers allow an unauthenticated network attacker to potentially hijack active sessions by guessing or calculating valid session tokens. This could lead to unauthorized access to ongoing communications or control commands within industrial automation environments. The Automation Runtime is widely used in industrial control systems (ICS) for managing machinery and processes. The vulnerability's CVSS 4.0 score is 2.3, reflecting low severity due to limited confidentiality and integrity impact, the need for user interaction, and the absence of privilege requirements. No public exploits or patches are currently available, indicating the vulnerability is newly disclosed and not yet weaponized. The affected versions include 6.0 and 4.x, with the issue resolved in version 6.4 and later. The predictable session identifiers could allow attackers to disrupt or manipulate control sessions, potentially impacting operational reliability and safety if exploited in sensitive environments.

For European organizations, especially those in manufacturing, energy, and critical infrastructure sectors relying on B&R Automation Runtime, this vulnerability could enable session hijacking leading to unauthorized control or disruption of industrial processes. Although the CVSS score is low, the operational impact in industrial environments can be significant if attackers manipulate control commands or disrupt communications. Confidentiality and integrity of session data are at risk, potentially leading to unauthorized access or process interference. The vulnerability could also undermine trust in automation systems and cause downtime or safety hazards. The lack of known exploits reduces immediate risk, but the critical nature of affected systems means even low-severity vulnerabilities require prompt attention. European organizations with legacy versions (6.0, 4.x) are particularly vulnerable until patches or updates are applied. The threat is more pronounced in sectors with high automation dependency and where session integrity is critical for operational safety.

1. Upgrade affected B&R Automation Runtime installations to version 6.4 or later as soon as patches become available to eliminate the vulnerability. 2. Implement network segmentation to isolate industrial control systems from general IT networks and limit exposure to unauthenticated attackers. 3. Deploy strict access controls and monitoring on network traffic to detect anomalous session activities indicative of hijacking attempts. 4. Use VPNs or secure tunnels with strong encryption for remote access to automation systems to reduce risk of interception. 5. Conduct regular security audits and penetration testing focused on session management and authentication mechanisms within industrial environments. 6. Educate operational technology (OT) staff on recognizing signs of session hijacking and enforcing best practices for session security. 7. Collaborate with B&R support and cybersecurity vendors for timely updates and threat intelligence related to this vulnerability. 8. Consider implementing additional session validation mechanisms or multi-factor authentication if supported by the automation platform.