CVE-2025-7390: CWE-295 Improper Certificate Validation in Softing Industrial Automation GmbH OPC UA C++ SDK

Severity: Critical
Type: Vulnerability
Tags: cve, cve-2025-7390, cwe-295
Published: Thu Aug 21 2025 (08/21/2025, 06:08:00 UTC)
Source: CVE Database V5
Vendor/Project: Softing Industrial Automation GmbH
Product: OPC UA C++ SDK

Description

A malicious client can bypass the client certificate trust check of an opc.https server when the server endpoint is configured to allow only secure communication.

AI-Powered Analysis

Last updated: 08/21/2025, 06:32:49 UTC

Technical Analysis

CVE-2025-7390 is a critical vulnerability identified in the Softing Industrial Automation GmbH OPC UA C++ SDK version 6.40. The flaw stems from improper certificate validation (CWE-295) in the OPC UA HTTPS server implementation. Specifically, when the server endpoint is configured to allow only secure communication, a malicious client can bypass the client certificate trust check. This means that the server fails to properly verify the authenticity and trustworthiness of client certificates during the TLS handshake, allowing an attacker to impersonate a trusted client without possessing a valid certificate.

The vulnerability is network exploitable (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it highly accessible for remote attackers. The impact is severe, with high confidentiality and integrity consequences (C:H/I:H/A:N), as unauthorized clients can gain access to sensitive industrial automation data or manipulate control commands. Given the critical CVSS score of 9.1, exploitation could lead to unauthorized disclosure of sensitive information and unauthorized control over industrial processes.

The vulnerability affects the OPC UA C++ SDK version 6.40, a widely used software development kit for implementing OPC UA servers and clients in industrial automation environments. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that affected organizations should prioritize mitigation and monitoring.

OPC UA (Open Platform Communications Unified Architecture) is a key protocol in industrial control systems (ICS) for secure and reliable data exchange between devices and control systems. This vulnerability undermines the fundamental security guarantees of OPC UA, potentially exposing critical infrastructure to cyberattacks.

Potential Impact

For European organizations, especially those operating in critical infrastructure sectors such as manufacturing, energy, utilities, and transportation, this vulnerability poses a significant risk. OPC UA is widely adopted in European industrial automation environments due to its interoperability and security features. Exploitation could allow attackers to bypass authentication controls, leading to unauthorized access to control systems, data leakage, or manipulation of industrial processes. This could result in operational disruptions, safety hazards, financial losses, and damage to reputation. Given the increasing digitalization and Industry 4.0 initiatives across Europe, the reliance on OPC UA-based systems is growing, amplifying the potential impact. Furthermore, regulatory frameworks such as the NIS2 Directive and GDPR emphasize the protection of critical infrastructure and personal data, making exploitation of this vulnerability a compliance risk as well. The lack of known exploits currently provides a window for proactive defense, but the critical severity demands immediate attention to prevent potential targeted attacks.

Mitigation Recommendations

1. Immediate mitigation should include disabling or restricting OPC UA HTTPS endpoints that rely solely on client certificate authentication until a patch or update is available.
2. Implement network segmentation and strict firewall rules to limit access to OPC UA servers only to trusted network segments and known clients.
3. Employ additional layers of authentication and authorization at the application level to compensate for the certificate validation weakness.
4. Monitor network traffic for anomalous connections or unexpected client certificates attempting to connect to OPC UA servers.
5. Engage with Softing Industrial Automation GmbH for updates on patches or security advisories and apply them promptly once released.
6. Conduct a thorough inventory of all OPC UA deployments using the affected SDK version and prioritize remediation efforts based on criticality.
7. Consider deploying intrusion detection/prevention systems (IDS/IPS) tuned for OPC UA protocol anomalies.
8. Educate operational technology (OT) and IT security teams about this vulnerability to enhance vigilance and incident response readiness.
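One way to implement the monitoring in item 4, as an added example that is not from the advisory or the Softing SDK: it compares the client certificate thumbprint logged for each opc.https session against the server's trust list and flags sessions that were accepted without a trusted certificate. The key=value log format, field names, hosts and certificate bytes are constructed assumptions; adapt the parser to what your server or TLS-terminating proxy actually logs.

```python
import hashlib
import re

def thumbprint(der: bytes) -> str:
    """OPC UA certificate thumbprint: SHA-1 over the DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()

def normalize(tp: str) -> str:
    """Accept 'ab:cd:..', 'AB CD ..' or plain hex; '-' (no cert) becomes ''."""
    return re.sub(r"[^0-9A-Fa-f]", "", tp).upper()

def parse(line: str) -> dict:
    """Parse one 'key=value key=value' record (constructed log format)."""
    return dict(kv.split("=", 1) for kv in line.split() if "=" in kv)

def review(lines, trusted):
    """Return (severity, reason, record) for opc.https sessions needing review."""
    trusted = {normalize(t) for t in trusted}
    findings = []
    for line in lines:
        rec = parse(line)
        if not rec.get("endpoint", "").startswith("opc.https://"):
            continue  # the advisory concerns opc.https endpoints only
        tp = normalize(rec.get("client_tp", ""))
        if tp in trusted:
            continue  # certificate is on the trust list
        if rec.get("result") == "accepted":
            reason = "accepted untrusted cert" if tp else "accepted without client cert"
            findings.append(("high", reason, rec))
        else:
            findings.append(("info", "rejected untrusted cert", rec))
    return findings

# Constructed sample data: placeholder bytes stand in for DER certificates.
TRUSTED = [thumbprint(b"constructed-der-hmi-01"), thumbprint(b"constructed-der-historian")]
ROGUE = thumbprint(b"constructed-der-unknown")
COLON = ":".join(TRUSTED[0][i:i + 2] for i in range(0, 40, 2)).lower()
LOG = [
    f"ts=2025-08-21T06:40:01Z endpoint=opc.https://plc-gw:4843 src=10.0.5.20 client_tp={COLON} result=accepted",
    f"ts=2025-08-21T06:41:13Z endpoint=opc.https://plc-gw:4843 src=192.0.2.77 client_tp={ROGUE} result=accepted",
    "ts=2025-08-21T06:41:20Z endpoint=opc.https://plc-gw:4843 src=192.0.2.77 client_tp=- result=accepted",
    f"ts=2025-08-21T06:42:02Z endpoint=opc.https://plc-gw:4843 src=192.0.2.78 client_tp={ROGUE} result=rejected",
    f"ts=2025-08-21T06:43:00Z endpoint=opc.tcp://plc-gw:4840 src=192.0.2.77 client_tp={ROGUE} result=accepted",
]

if __name__ == "__main__":
    for sev, reason, rec in review(LOG, TRUSTED):
        print(sev, reason, rec["ts"], rec["src"], rec["client_tp"])
```

A "high" finding means the server established a session that its trust list should have refused, which is the behaviour the CVE describes; "info" findings are refused attempts worth counting per source address.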

Technical Details

Data Version: 5.1
Assigner Short Name: Softing
Date Reserved: 2025-07-09T13:09:38.988Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a6ba0dad5a09ad000c04d7

Added to database: 8/21/2025, 6:17:49 AM

Last enriched: 8/21/2025, 6:32:49 AM

Last updated: 8/21/2025, 7:31:49 AM
