Summary
This bulletin is to make you aware of a few recently reported vulnerabilities. The fixes applied include but are not limited to:
• Properly escaping characters or rejecting characters stored in some configuration files.
• Improved user permission validation during file writes.
• Updated some cryptographic parameters to accommodate latest recommendations.
Affected Supported Products
• Niagara Framework 4.10u10
• Niagara Enterprise Security 4.10u10
• Niagara Framework 4.14u1
• Niagara Enterprise Security 4.14u1
• Niagara Framework 4.15
• Niagara Enterprise Security 4.15
Security Bulletin #: SB 2025-Tridium-1
Defect#: PSIRT-1229
CVE ID CVSS Vector Score
CVE-2025-3936 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 6.5
CVE-2025-3937 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N 7.7
CVE-2025-3938 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N 6.8
CVE-2025-3939 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N 5.3
CVE-2025-3940 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N 5.3
CVE-2025-3941 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N 5.4
CVE-2025-3942 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N 4.3
CVE-2025-3943 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N 4.1
CVE-2025-3944 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 7.2
CVE-2025-3944 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 7.2
CVE-2025-3945 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 7.2
CVE-2025-3945 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 4.7
CVE-2025-3945 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 4.7
Recommended Action
Tridium recommends upgrading to Niagara 4.14u2 and Niagara EntSec 4.14u2 for any Niagara 4.14 deployments. These updates are available by contacting your sales support channel or by contacting the Tridium support team at support@tridium.com.
It is important that all Niagara customers for all supported platforms update their systems with these releases to mitigate risk. If you have any questions, please contact your Tridium account manager or Customer Support at support@tridium.com. As always, we highly recommend that Niagara customers running on unsupported platforms (such as Niagara AX) take action to update their systems to a supported platform.
NOTE: Updates to Niagara 4.10 and Niagara 4.15 will be released shortly.
Mitigation
In addition to updating your system, Tridium recommends that customers with affected products take the following steps to protect themselves:
• Review and validate the list of users who are authorized and who can authenticate to Niagara.
• Allow only trained and trusted persons to have physical access to the system, including devices that have connection to the system though the Ethernet port.
• Consider using a VPN or other means to ensure secure remote connections into the network where the system is located, if remote connections are enabled,
• Sign all modules and program objects provided by third-party teams.
• Review the Niagara Hardening Guide and implement the recommended techniques for securing your installation
• Review the Security Dashboard for current installations that may have any warnings or errors.
Cybersecurity is a priority at Tridium. We are dedicated to continuously improving the security of our products, and we will continue to update you as we release new security features, enhancements, and updates.