
B&R patches critical OPC-UA bug in PPT30 OS

Version 1.8.0 closes CVE‑2025‑11482, a denial‑of‑service flaw that could make the OPC-UA server unavailable to its clients.

  • B&R released version 1.8.0 of its PPT30 operating system, fixing CVE‑2025‑11482.

The vulnerability allowed an unauthenticated network attacker to flood the OPC‑UA server with resource‑intensive requests until the service became unavailable. It affects every PPT30 OS release before 1.8.0 and carries a CVSS 3.1 base score of 7.5 (High). B&R notes that the OPC‑UA server is disabled by default; customers who have enabled it should apply the update immediately, and the rest should verify the setting on each terminal rather than assume the default still holds.

For industrial operators, the flaw matters because the OPC‑UA server is a common data gateway between the terminal and SCADA and HMI systems. A denial‑of‑service event could cut off data collection and the supervisory commands that travel over that interface, forcing operators to fall back to manual control. The fix also aligns B&R with the sector‑wide push to harden default configurations and limit the exposure of network services.
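As an added illustration (not B&R's code and not taken from the advisory), the following Python script does two things an asset owner would want after reading the scope above: it triages an inventory of PPT30 terminals against the advisory (every release before 1.8.0 is vulnerable, but only a terminal with the OPC‑UA server enabled is reachable by the flood), and it flags sources sending an unusual volume of traffic to the OPC‑UA port in flow logs. The inventory entries, the flow‑log format, port 4840 as the server's listening port and the 200‑packets‑per‑10‑seconds threshold are all assumptions constructed for the example; the advisory does not say which requests are expensive, so the detector catches volume, not the specific trigger.

```python
"""Added example (not B&R's code): triage PPT30 inventory entries against the
CVE-2025-11482 fixed version, and flag OPC UA request floods in flow logs."""
from collections import defaultdict, deque

FIXED_VERSION = (1, 8, 0)   # first PPT30 OS release that carries the fix
OPC_UA_PORT = 4840          # assumed listening port (IANA default for OPC UA binary)


def parse_version(text):
    """'1.7.2' -> (1, 7, 2); a short string such as '1.6' is padded to (1, 6, 0)."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def needs_patch(os_version, opcua_enabled):
    """Map one terminal to an action.

    'patch-now'       : vulnerable release and the OPC UA server is exposed
    'patch-scheduled' : vulnerable release, but the server is disabled (default)
    'ok'              : already on 1.8.0 or later
    """
    if parse_version(os_version) >= FIXED_VERSION:
        return "ok"
    return "patch-now" if opcua_enabled else "patch-scheduled"


def triage(inventory):
    """inventory: iterable of (hostname, os_version, opcua_enabled)."""
    return {host: needs_patch(version, enabled) for host, version, enabled in inventory}


def parse_flow(line):
    """Constructed flow-log format (assumed): '<epoch> <src> <dst> <dport> <pkts>'."""
    ts, src, dst, dport, pkts = line.split()
    return float(ts), src, dst, int(dport), int(pkts)


def detect_floods(lines, window=10.0, threshold=200):
    """Sliding-window packet count per (src, dst) pair toward the OPC UA port.

    A pair is reported the first time its packet count within `window` seconds
    exceeds `threshold`. Both numbers are assumed baselines; tune them to the
    site's normal HMI/SCADA polling rate before alerting on them.
    Returns {(src, dst): (timestamp_of_first_exceedance, packets_in_window)}.
    """
    windows = defaultdict(deque)
    flagged = {}
    for line in lines:
        ts, src, dst, dport, pkts = parse_flow(line)
        if dport != OPC_UA_PORT:
            continue  # other industrial protocols (e.g. Modbus/502) are out of scope here
        q = windows[(src, dst)]
        q.append((ts, pkts))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop records that fell out of the window
        total = sum(p for _, p in q)
        if total > threshold and (src, dst) not in flagged:
            flagged[(src, dst)] = (ts, total)
    return flagged


# Constructed sample data for the example.
SAMPLE_INVENTORY = [
    ("ppt30-line1", "1.7.2", True),    # exposed and vulnerable
    ("ppt30-line2", "1.6.0", False),   # vulnerable release, server disabled
    ("ppt30-line3", "1.8.0", True),    # already fixed
]

SAMPLE_FLOWS = [
    # 10.0.0.5 is a normal HMI poll; 10.0.0.99 ramps up into a flood.
    "1000.0 10.0.0.5 10.0.1.20 4840 12",
    "1002.0 10.0.0.5 10.0.1.20 4840 11",
    "1003.0 10.0.0.99 10.0.1.20 4840 90",
    "1004.0 10.0.0.99 10.0.1.20 4840 95",
    "1005.0 10.0.0.99 10.0.1.20 4840 80",
    "1006.0 10.0.0.5 10.0.1.20 502 40",   # Modbus, ignored by the detector
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
    for (src, dst), (ts, total) in detect_floods(SAMPLE_FLOWS).items():
        print(f"flood: {src} -> {dst}:{OPC_UA_PORT} reached {total} pkts at t={ts}")
```

The triage output drives the patch order: "patch-now" hosts are reachable by the flood today, "patch-scheduled" hosts can wait for the next maintenance window as long as the OPC‑UA server stays disabled. The flow detector only sees traffic that reaches the terminal; a firewall rule that restricts port 4840 to the SCADA and HMI hosts that actually need it removes most of the attack surface before detection is needed.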

The patch arrives amid a run of resource‑exhaustion bugs in control‑system firmware, following similar CVEs disclosed last year in Siemens and Rockwell devices. B&R's advisory reports no known exploitation, so the release reads as proactive hardening rather than a response to an incident.

In short, version 1.8.0 removes the DoS vector; operators who run the OPC‑UA server should install it now to keep production lines running, and those who do not should keep the server disabled until they do.


The Revision

Written by an AI system from the public sources credited above.