CVE-2025-3943 is a medium-severity vulnerability identified in the Tridium Niagara Framework and Niagara Enterprise Security products, which run on Windows, Linux, and QNX platforms. The vulnerability is categorized under CWE-598, which pertains to the use of the GET request method with sensitive query strings. Specifically, this issue arises because sensitive parameters are transmitted via HTTP GET requests, embedding them in the URL query string. This practice can lead to parameter injection risks and potential exposure of sensitive information through logs, browser history, or network monitoring. The affected versions include Niagara Framework versions prior to 4.14.2, 4.15.1, and 4.10.11, as well as corresponding versions of Niagara Enterprise Security. The vulnerability allows an attacker with low privileges (PR:L) and requiring user interaction (UI:R) to inject parameters, potentially manipulating the behavior of the application or exposing sensitive data. The CVSS v3.1 score is 4.1, reflecting a medium severity with network attack vector (AV:N), low attack complexity (AC:L), partial privileges required, and user interaction needed. The scope is changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. Confidentiality impact is low, with no impact on integrity or availability. No known exploits are currently in the wild. Tridium recommends upgrading to patched versions 4.14.2u2, 4.15.u1, or 4.10u.11 to remediate this issue.

For European organizations, this vulnerability poses a moderate risk primarily to operational technology (OT) and building management systems that rely on the Niagara Framework. Since these systems often control critical infrastructure such as HVAC, energy management, and security systems in commercial buildings, universities, hospitals, and industrial facilities, exploitation could lead to unauthorized disclosure of sensitive configuration parameters or credentials. Although the integrity and availability impacts are rated as none, parameter injection could facilitate further attacks or unauthorized access if combined with other vulnerabilities or misconfigurations. The exposure of sensitive query strings could also lead to compliance issues under GDPR if personal or sensitive data is inadvertently leaked. The requirement for user interaction and partial privileges somewhat limits the attack surface, but insider threats or phishing attacks could leverage this vulnerability. Given the widespread use of Niagara Framework in European smart buildings and industrial environments, the vulnerability could affect a broad range of sectors including manufacturing, healthcare, and public infrastructure.

European organizations should prioritize upgrading affected Niagara Framework and Niagara Enterprise Security installations to the patched versions 4.14.2u2, 4.15.u1, or 4.10u.11 as recommended by Tridium. Beyond patching, organizations should audit their use of HTTP methods in their Niagara deployments to ensure sensitive data is not transmitted via GET requests. Implementing strict input validation and sanitization on all parameters can reduce injection risks. Network segmentation and access controls should be enforced to limit exposure of Niagara systems to only trusted users and networks. Monitoring and logging should be enhanced to detect unusual parameter injection attempts or suspicious user interactions. Additionally, educating users about the risks of interacting with untrusted links or phishing attempts can reduce the likelihood of exploitation requiring user interaction. Finally, organizations should review their logging and monitoring policies to ensure sensitive query strings are not inadvertently stored in logs or exposed in browser histories.