Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
An Allocation of Resources Without Limits or Throttling vulnerability in the OPC-UA Server used in PPT30 Operating System versions before 1.8.0 may be used by an unauthenticated network-based attacker to permanently prevent legitimate users from interacting with the service.
AnalysisAI
Denial of service in B&R Industrial Automation PPT30 Operating System versions before 1.8.0 allows unauthenticated network attackers to permanently disable the OPC-UA Server through resource exhaustion. The flaw stems from missing throttling on resource allocation (CWE-770) and carries a CVSS 4.0 score of 8.7 due to high availability impact via the network with no privileges or user interaction. EPSS is low at 0.04% and no public exploit has been identified at time of analysis, though SSVC marks the issue as automatable with partial technical impact.
Technical ContextAI
The vulnerability resides in the OPC-UA (Open Platform Communications Unified Architecture) Server component embedded in the PPT30 Operating System, an industrial automation platform from B&R Industrial Automation GmbH (a member of the ABB group, identified by CPE cpe:2.3:a:b&r_industrial_automation_gmbh:ppt30_operating_system). OPC-UA is the dominant machine-to-machine communication protocol used in OT/ICS environments for SCADA, HMI, and PLC data exchange and typically listens on TCP/4840. CWE-770 (Allocation of Resources Without Limits or Throttling) describes a class of defect where a server accepts connection, session, or memory allocation requests without enforcing per-client quotas, allowing a small amount of attacker traffic to consume server-side resources until the service degrades or crashes - a known systemic weakness in many OPC-UA stack implementations.
RemediationAI
Upgrade PPT30 Operating System to version 1.8.0 or later, which is the vendor-released patch per B&R/ABB advisory SA25P006 (https://br-cws-assets.de-fra-1.linodeobjects.com/SA25P006-0eec719c.pdf). Where immediate upgrade is not possible - common in OT environments with change windows - apply compensating network controls: restrict TCP/4840 (and any non-default OPC-UA port configured on PPT30) to a strict allowlist of trusted engineering workstations and SCADA hosts via firewall or zone/conduit boundaries per IEC 62443, with a side effect of breaking any ad-hoc OPC-UA client connectivity until the allowlist is updated. If OPC-UA is not actively required on a given PPT30 unit, disable the OPC-UA Server service entirely, which removes the attack surface but also removes monitoring/control integration for that device. Place affected devices behind an OPC-UA-aware industrial firewall or data diode where outbound-only telemetry is acceptable; this can blunt session-exhaustion attacks but adds operational complexity and may require re-architecting client connections.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209928
GHSA-32cv-rh96-xx2f