Significant Vulnerabilities Discovered in Tridium’s Niagara Framework

Cybersecurity researchers have identified multiple vulnerabilities in Tridium’s Niagara Framework, a platform widely used to manage and control building systems such as HVAC and energy management. An attacker on the same network could exploit these flaws to compromise a device, provided the device has been misconfigured so that encryption is disabled. A report from Nozomi Networks Labs detailing the issues underscores their severity.

Among the vulnerabilities are two high-risk issues, CVE-2025-3936 and CVE-2025-3937, each with a CVSS score of 9.8; they concern critical resource mismanagement and the use of a password hash with insufficient computational effort. If exploited, these vulnerabilities could enable unauthorized access and lead to severe operational risk.

The Niagara Framework, which connects the various systems used in building management and industrial automation, relies on two core components: the Station and the Platform. The vulnerabilities, primarily linked to misconfiguration of these components, could permit lateral movement across the network, jeopardizing productivity and service continuity. Nozomi Networks emphasized that the potential reach of these vulnerabilities poses a high risk to operational resilience.

Following responsible disclosure, the vulnerabilities have been addressed in recent updates to the Niagara Framework (Honeywell Security Notification). The company stressed the importance of adhering to its security guidelines to mitigate these risks, since improperly configured systems are prime targets for cyber threats.