Description
Use of GET Request Method With Sensitive Query Strings vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Parameter Injection. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.
Product(s):
- TRIDIUM > niagara 1.*.*
- TRIDIUM > niagara 3.*.*
- +28 additional
Question to Ask Vendors:
- Have you upgraded all instances of Tridium Niagara to versions 4.14.2, 4.15.1, or 4.10.11 to mitigate the risk of the multiple vulnerabilities including CVE-2025-3936, CVE-2025-3937, CVE-2025-3938, CVE-2025-3939, CVE-2025-3940, CVE-2025-3941, CVE-2025-3942, CVE-2025-3943, CVE-2025-3944, and CVE-2025-3945?
- Can you confirm if you have implemented the best practices described in the Niagara Hardening Guide to minimize system attack surface and misconfigurations, specifically in relation to the improper permission assignments and insecure use of cryptographic functions?
- Have you enabled logging and alerting for suspicious activity such as unauthorized configuration changes, failed authentication attempts, or unusual input/output patterns to address the logging weaknesses identified in the vulnerabilities?
- Can you confirm if you have applied strict input validation and output encoding across the application to prevent injection and log forging attacks, as part of your remediation measures for the flawed validation and input handling mechanisms?
Recommended Actions:
- Apply Hardening Guidelines: Implement the best practices described in the Niagara Hardening Guide to minimize system attack surface and misconfigurations.
- Audit User Accounts: Review and validate the list of users authorized to access the Niagara environment. Revoke unused or unauthorized accounts and enforce least-privilege principles.
- Enforce Code Signing: Require digital signing of all third-party modules and program objects prior to deployment, ensuring code integrity and origin validation.
- Enhance Cryptographic Hygiene: Verify that strong password hashing algorithms (e.g., bcrypt, PBKDF2) are used. Rotate credentials stored under weak conditions and enforce computationally intensive authentication policies.
- Monitor System Behavior: Enable logging and alerting for suspicious activity such as unauthorized configuration changes, failed authentication attempts, or unusual input/output patterns.
- Restrict Physical Access: Ensure that only trained and trusted personnel have physical access to Niagara-connected systems, including any device reachable through Ethernet interfaces.
- Review and Harden Permissions: Audit file and directory permissions across all operating systems (Windows, Linux, QNX). Restrict access to sensitive configuration and executable files, especially those tied to authentication, encryption, or system behavior.
- Sanitize Input and Logging: Apply strict input validation and output encoding across the application to prevent injection and log forging attacks. Ensure that logs do not expose sensitive or exploitable information.
- Secure Remote Connections: If remote access is enabled, require use of VPNs or other secure communication methods to protect the connection to the Niagara environment.
- Upgrade Affected Systems: Immediately upgrade Niagara Framework and Niagara Enterprise Security to patched versions 4.14.2u2, 4.15.1u1, or 4.10.11u to remediate all identified vulnerabilities, including issues related to access control, cryptographic implementation, logging, and input validation.
- Utilize Security Dashboard: Continuously monitor the Niagara Security Dashboard for active warnings, misconfigurations, or indicators of compromise. Address flagged issues without delay.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2025-3936
- https://nvd.nist.gov/vuln/detail/CVE-2025-3937
- https://nvd.nist.gov/vuln/detail/CVE-2025-3938
- https://nvd.nist.gov/vuln/detail/CVE-2025-3939
- https://nvd.nist.gov/vuln/detail/CVE-2025-3940
- https://nvd.nist.gov/vuln/detail/CVE-2025-3941
- https://nvd.nist.gov/vuln/detail/CVE-2025-3942
- https://nvd.nist.gov/vuln/detail/CVE-2025-3943
- https://nvd.nist.gov/vuln/detail/CVE-2025-3944
- https://nvd.nist.gov/vuln/detail/CVE-2025-3945
- https://www.honeywell.com/content/dam/honeywellbt/en/documents/downloads/product-security/security-notification/hon-corp-niagara-software-vulnerabilities-2025-05-22-01.pdf