Update Your Niagara Software to Address Several Vulnerabilities Identified in the Niagara Framework®

Summary 
This bulletin is to make you aware of a few recently reported vulnerabilities. The fixes applied include but are not limited to:

• Properly escaping characters or rejecting characters stored in some configuration files.

• Improved user permission validation during file writes.

• Updated some cryptographic parameters to accommodate latest recommendations.

Affected Supported Products

• Niagara Framework 4.10u10

• Niagara Enterprise Security 4.10u10

• Niagara Framework 4.14u1

• Niagara Enterprise Security 4.14u1

• Niagara Framework 4.15

• Niagara Enterprise Security 4.15

Security Bulletin #: SB 2025-Tridium-1
Defect#: PSIRT-1229 

CVE ID          CVSS Vector                                     Score

CVE-2025-3936   CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N    6.5
CVE-2025-3937   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N    7.7
CVE-2025-3938   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N    6.8
CVE-2025-3939   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N    5.3
CVE-2025-3940   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N    5.3
CVE-2025-3941   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N    5.4
CVE-2025-3942   CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N    4.3
CVE-2025-3943   CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N    4.1
CVE-2025-3944   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H    7.2
CVE-2025-3945   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H    7.2
CVE-2025-3945   CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L    4.7

Recommended Action 
Tridium recommends upgrading to Niagara 4.14u2 and Niagara EntSec 4.14u2 for any Niagara 4.14 deployments. These updates are available by contacting your sales support channel or by contacting the Tridium support team at support@tridium.com.

It is important that all Niagara customers for all supported platforms update their systems with these releases to mitigate risk. If you have any questions, please contact your Tridium account manager or Customer Support at support@tridium.com. As always, we highly recommend that Niagara customers running on unsupported platforms (such as Niagara AX) take action to update their systems to a supported platform. 

NOTE: Updates to Niagara 4.10 and Niagara 4.15 will be released shortly.

Mitigation
In addition to updating your system, Tridium recommends that customers with affected products take the following steps to protect themselves:

• Review and validate the list of users who are authorized and who can authenticate to Niagara.

• Allow only trained and trusted persons to have physical access to the system, including devices that have a connection to the system through the Ethernet port.

• Consider using a VPN or other means to ensure secure remote connections into the network where the system is located, if remote connections are enabled.

• Sign all modules and program objects provided by third-party teams.

• Review the Niagara Hardening Guide and implement the recommended techniques for securing your installation.

• Review the Security Dashboard for current installations that may have any warnings or errors.

Cybersecurity is a priority at Tridium. We are dedicated to continuously improving the security of our products, and we will continue to update you as we release new security features, enhancements, and updates.