Platform: cpp
Component: opc-ua-c-sdk
Fixed in: 6.80.1, 6.80.2, 1.0.1
CVE-2025-7390 is a critical vulnerability affecting the OPC UA C++ SDK, specifically versions 6.40–SDEX Suite V1.0. This flaw allows a malicious client to bypass the client certificate trust check on an opc.https server, even when secure communication is enforced. Successful exploitation could lead to unauthorized access to sensitive data and control systems, posing a significant risk to industrial environments. A patch is expected to be released by the vendor.
The impact of CVE-2025-7390 is severe, particularly within industrial control systems (ICS) and operational technology (OT) environments. An attacker exploiting this vulnerability can effectively impersonate a legitimate client, gaining access to OPC UA servers without proper authentication. This could allow them to read sensitive process data, modify control parameters, or even disrupt operations entirely. The ability to bypass certificate validation represents a significant escalation of privilege, potentially granting an attacker complete control over targeted systems. This vulnerability shares similarities with other certificate validation bypasses, highlighting the importance of rigorous security practices in ICS deployments.
CVE-2025-7390 is currently not listed on the CISA KEV catalog. The EPSS score is pending evaluation. Public proof-of-concept (PoC) code is not yet publicly available, but the critical severity suggests a high likelihood of exploitation once a PoC is developed. The vulnerability was publicly disclosed on 2025-08-21.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2025-7390 is to upgrade to a patched version of the OPC UA C++ SDK as soon as it becomes available. Until a patch is applied, consider implementing compensating controls to reduce the risk. These controls may include restricting network access to the OPC UA server's opc.https endpoint, implementing strict firewall rules to limit which clients may connect, and closely monitoring server logs for suspicious activity such as connections from unexpected clients. Consider using a Web Application Firewall (WAF) to filter malicious requests. Verify that client certificates are properly configured and validated on the server side. After upgrading, confirm the fix by attempting a connection with a client certificate that is not in the server's trust list and verifying that the server rejects it.
Update the OPC UA C++ SDK to a patched version that correctly implements client certificate validation. Refer to the vendor's website for the latest version and upgrade instructions.
CVE-2025-7390 is a critical vulnerability in the OPC UA C++ SDK allowing malicious clients to bypass certificate trust checks, potentially granting unauthorized access to industrial control systems.
If you are using OPC UA C++ SDK version 6.40–SDEX Suite V1.0, you are potentially affected by this vulnerability. Check your system configuration and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the OPC UA C++ SDK. Until then, implement compensating controls like restricting network access and monitoring server logs.
While no active exploitation has been confirmed, the critical severity and potential impact suggest a high likelihood of exploitation once a proof-of-concept is developed.
Refer to the vendor's official security advisory page for the OPC UA C++ SDK for the latest information and updates regarding CVE-2025-7390.