CISA has published an ICS advisory warning that eight B&R Industrial Automation product lines ship with a vulnerable version of XZ Utils, the widely used open-source data-compression library. Successful exploitation of the flaw could allow an unauthenticated remote attacker to crash the affected device or corrupt memory data.

The Vulnerability

The issue is tracked as CVE-2025-31115 and carries a CVSS v3.1 base score of 7.5 (HIGH). It resides in the multithreaded .xz decoder inside liblzma, present in XZ Utils versions 5.3.3alpha through 5.8.0. When the lzma_stream_decoder_mt function processes malformed input, a race condition within a thread (CWE-366) can trigger heap use-after-free behavior or a write to a null-pointer-plus-offset address. The net effect is at minimum a process crash and potentially broader memory corruption.

The underlying XZ Utils bug was fixed upstream in version 5.8.1, with patches also committed to the v5.4, v5.6, and v5.8 stable branches. B&R has integrated those fixes into updated Terminal OS firmware for each affected product.
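The following triage helper is an added example, not part of the advisory or of B&R's or XZ Utils' own code. It encodes XZ Utils version strings the way liblzma's LZMA_VERSION macro does (major*10000000 + minor*10000 + patch*10 + stability, with alpha=0, beta=1, stable=2) so that "5.3.3alpha" and "5.8.0" compare correctly, and checks a reported liblzma version against the advisory's affected range; the `xz --version` output it parses is a constructed sample.

```python
import re

# liblzma's LZMA_VERSION encoding (lzma/version.h):
#   major*10000000 + minor*10000 + patch*10 + stability
# where stability is 0 = alpha, 1 = beta, 2 = stable.
STABILITY = {"alpha": 0, "beta": 1, "": 2}

# Range stated in the advisory: 5.3.3alpha through 5.8.0, fixed upstream in 5.8.1.
FIRST_AFFECTED = "5.3.3alpha"
FIXED_IN = "5.8.1"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(alpha|beta)?$")


def encode_version(text: str) -> int:
    """Convert a dotted XZ Utils version string into liblzma's numeric form."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XZ Utils version: {text!r}")
    major, minor, patch, stability = m.groups()
    return (int(major) * 10_000_000 + int(minor) * 10_000
            + int(patch) * 10 + STABILITY[stability or ""])


def is_affected_version(text: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    v = encode_version(text)
    return encode_version(FIRST_AFFECTED) <= v < encode_version(FIXED_IN)


def liblzma_version_from_output(output: str) -> str:
    """Pull the liblzma version out of `xz --version` output."""
    for line in output.splitlines():
        if line.startswith("liblzma"):
            return line.split()[-1]
    raise ValueError("no liblzma line in xz --version output")


# Constructed sample of `xz --version` output from a host under review (not from the advisory).
SAMPLE_OUTPUT = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"

if __name__ == "__main__":
    ver = liblzma_version_from_output(SAMPLE_OUTPUT)
    print(ver, "affected" if is_affected_version(ver) else "not in affected range")
```

Treat a hit as a first-pass flag only: the advisory notes that fixes were also committed to the v5.4 and v5.6 branches, so a distribution or vendor build inside the range may carry a backported fix, and only code paths that use the multithreaded decoder (lzma_stream_decoder_mt) are exposed.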

Affected Products

  • PPC3100: versions below 1.8.1
  • C50: versions below 1.8.0
  • C80: versions below 1.8.0
  • FT50: versions below 1.8.1
  • MT50: versions below 1.8.1
  • T30: versions below 1.8.0
  • T80: versions below 1.8.0
  • T50: versions below 1.8.1

All affected models are deployed worldwide in the critical manufacturing sector. The vulnerability is remotely exploitable over the network with no authentication or user interaction required.

Remediation and Mitigations

B&R recommends applying the corrected firmware at the earliest opportunity. Installation and version-identification procedures are documented in each product’s user manual. The vulnerability was publicly disclosed prior to this advisory, though B&R reports no known active exploitation at the time of publication.

CISA advises operators to take the following additional steps while patching is underway:

  • Remove ICS devices from direct internet exposure and place them behind firewalls with minimal open ports.
  • Isolate control system networks from corporate business networks.
  • Use VPNs for any required remote access, ensuring VPN software is kept current.

ABB PSIRT reported the vulnerability to CISA.