CVE-2025-11044 Overview
CVE-2025-11044 is a Resource Exhaustion vulnerability (CWE-770: Allocation of Resources Without Limits or Throttling) affecting the ANSL-Server component of B&R Automation Runtime. This vulnerability allows an unauthenticated network attacker to exploit a race condition, resulting in permanent denial-of-service (DoS) conditions on affected industrial automation devices.
Critical Impact
Unauthenticated attackers can cause permanent denial-of-service on industrial automation systems, potentially disrupting critical manufacturing and operational technology (OT) environments.
Affected Products
- B&R Automation Runtime versions prior to 6.5
- B&R Automation Runtime versions prior to R4.93
- ANSL-Server component in affected Automation Runtime versions
Discovery Timeline
- 2026-01-19 - CVE-2025-11044 published to NVD
- 2026-01-19 - Last updated in NVD database
Technical Details for CVE-2025-11044
Vulnerability Analysis
The vulnerability resides in the ANSL-Server component of B&R Automation Runtime, which fails to implement proper resource allocation limits or throttling mechanisms. This design flaw enables an attacker to exhaust system resources through unbounded allocation requests. Exploitation requires winning a race condition, which adds complexity to the attack but, once won, results in a permanent denial-of-service state that persists until manual intervention.
The ANSL (Automation Network Service Layer) Server is a critical component in B&R's industrial automation ecosystem, handling network communications and service requests. Without proper throttling controls, the server becomes susceptible to resource exhaustion attacks that can render the entire automation system inoperable.
Root Cause
The root cause is the absence of resource allocation limits within the ANSL-Server component (CWE-770). When processing incoming network requests, the server does not enforce boundaries on resource consumption, allowing an attacker to allocate resources without restriction. Combined with a race condition vulnerability, this enables attackers to trigger a permanent DoS state.
Attack Vector
The attack is network-based and requires no authentication, making it particularly dangerous in industrial environments where network segmentation may be insufficient. An attacker must successfully exploit a race condition to trigger the permanent denial-of-service state.
The attack flow involves sending specially crafted requests to the ANSL-Server component that exploit the race condition window. Once the race is won, the system enters an unrecoverable state requiring manual restart or intervention to restore functionality.
This vulnerability is particularly concerning in operational technology (OT) environments where availability is paramount. Industrial control systems relying on B&R Automation Runtime could face production downtime, safety system disruptions, or cascading failures in connected systems.
Detection Methods for CVE-2025-11044
Indicators of Compromise
- Unusual network traffic patterns targeting ANSL-Server ports from untrusted sources
- System resource exhaustion alerts on B&R Automation Runtime devices
- Unresponsive or hung ANSL-Server processes requiring manual restart
- Repeated connection attempts in rapid succession from single sources
Detection Strategies
- Monitor network traffic for anomalous connection rates to ANSL-Server components
- Implement intrusion detection rules for resource exhaustion attack patterns
- Configure alerts for ANSL-Server process failures or unresponsive states
- Deploy network behavior analysis to detect race condition exploitation attempts
Monitoring Recommendations
- Enable verbose logging on B&R Automation Runtime systems to capture connection attempts
- Implement network flow monitoring between IT and OT network segments
- Configure SIEM integration for real-time alerting on ANSL-Server anomalies
- Establish baseline metrics for normal ANSL-Server resource utilization
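The following is an added example, not code from B&R or from the original advisory, showing the connection-rate and untrusted-source checks listed above applied to flow records. The log format, the `ANSL_PORT` placeholder, the trusted subnet, and the threshold are all assumptions to replace with values from your own environment and baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

ANSL_PORT = 65000                       # placeholder: use the port your ANSL-Server listens on
TRUSTED = [ip_network("10.20.0.0/24")]  # assumed engineering/management subnet
WINDOW = timedelta(seconds=10)
MAX_CONNS = 5                           # assumed baseline: tune from observed normal traffic

def parse(line):
    """Parse 'ISO-timestamp src_ip dst_ip dst_port' (constructed log format)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), ip_address(src), dst, int(dport)

def detect(lines):
    """Return alerts as (kind, src, dst) tuples, at most one per kind/src/dst.

    Expects records in chronological order.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerts, seen = [], set()

    def alert(kind, src, dst):
        key = (kind, str(src), dst)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    for line in lines:
        ts, src, dst, dport = parse(line)
        if dport != ANSL_PORT:
            continue
        if not any(src in net for net in TRUSTED):
            alert("untrusted-source", src, dst)
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop connections older than the window
            q.popleft()
        if len(q) > MAX_CONNS:
            alert("connection-burst", src, dst)
    return alerts

# Constructed sample: one normal engineering station, one bursting outside host.
SAMPLE = (
    [f"2026-01-20T08:00:{s:02d} 10.20.0.15 10.30.0.5 {ANSL_PORT}" for s in (0, 20, 40)]
    + [f"2026-01-20T08:01:{s:02d} 192.0.2.44 10.30.0.5 {ANSL_PORT}" for s in range(8)]
    + ["2026-01-20T08:02:00 192.0.2.44 10.30.0.5 443"]
)

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(a)
```

Forwarding these alerts to the SIEM gives the real-time alerting described above; the threshold should come from the measured baseline rather than the sample value.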
How to Mitigate CVE-2025-11044
Immediate Actions Required
- Update B&R Automation Runtime to version 6.5 or later
- For systems on the R4.x branch, update to version R4.93 or later
- Implement network segmentation to restrict access to ANSL-Server components
- Apply firewall rules to limit network access to authorized systems only
Patch Information
B&R Automation has released security patches addressing this vulnerability. Affected users should update to B&R Automation Runtime version 6.5 or R4.93 (depending on their deployment branch) to remediate this issue. Detailed patch information is available in the B&R Automation Security Advisory.
Workarounds
- Implement strict network segmentation to isolate ANSL-Server from untrusted networks
- Deploy application-layer firewalls or rate limiting in front of ANSL-Server components
- Configure network access control lists (ACLs) to restrict connections to known, trusted IP addresses
- Consider disabling the ANSL-Server component if not required for operations until patching is complete
```bash
# Network segmentation example (firewall rule)
# Restrict ANSL-Server access to authorized management network only
# Adjust ports and IP ranges according to your environment
iptables -A INPUT -p tcp --dport <ANSL_PORT> -s <AUTHORIZED_NETWORK> -j ACCEPT
iptables -A INPUT -p tcp --dport <ANSL_PORT> -j DROP
```

