Platform
cpp
Component
opc-ua-c-sdk
Fixed in
6.80.1
6.80.2
1.0.1
CVE-2025-7390 is a critical vulnerability affecting the OPC UA C++ SDK, specifically versions 6.40–SDEX Suite V1.0. This flaw allows a malicious client to bypass the client certificate trust check on an opc.https server, even when secure communication is enforced. Successful exploitation could lead to unauthorized access to sensitive data and control systems, posing a significant risk to industrial environments. A patch is expected to be released by the vendor.
The impact of CVE-2025-7390 is severe, particularly within industrial control systems (ICS) and operational technology (OT) environments. An attacker exploiting this vulnerability can effectively impersonate a legitimate client, gaining access to OPC UA servers without proper authentication. This could allow them to read sensitive process data, modify control parameters, or even disrupt operations entirely. The ability to bypass certificate validation represents a significant escalation of privilege, potentially granting an attacker complete control over targeted systems. This vulnerability shares similarities with other certificate validation bypasses, highlighting the importance of rigorous security practices in ICS deployments.
CVE-2025-7390 is currently not listed on the CISA KEV catalog. The EPSS score is pending evaluation. Proof-of-concept (PoC) code is not yet publicly available, but the critical severity suggests a high likelihood of exploitation once a PoC is developed. The vulnerability was publicly disclosed on 2025-08-21.
Organizations heavily reliant on industrial control systems (ICS) and operational technology (OT) using the OPC UA C++ SDK are at significant risk. This includes manufacturing plants, power grids, and other critical infrastructure sectors. Specifically, deployments using older versions of the SDK (6.40–SDEX Suite V1.0) and those with less stringent network security controls are particularly vulnerable.
• cpp / OPC UA: Use a network analyzer (Wireshark) to monitor OPC UA traffic and look for connections without valid client certificates.
• cpp / OPC UA: Examine server logs for authentication failures related to certificate validation.
• generic web: Monitor for unusual network traffic patterns originating from unauthorized clients attempting to connect to the OPC UA server.
• generic web: Review firewall logs for attempts to bypass certificate validation.
disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-7390 is to upgrade to a patched version of the OPC UA C++ SDK as soon as it becomes available. Until a patch is applied, consider implementing compensating controls to reduce the risk. These controls may include restricting network access to the OPC UA server, implementing strict firewall rules to limit client connections, and closely monitoring server logs for suspicious activity. Consider using a Web Application Firewall (WAF) to filter malicious requests. Verify that client certificates are properly configured and validated on the server side. After upgrading, confirm the fix by attempting a connection with an invalid certificate and verifying that it is rejected.
Update the OPC UA C++ SDK to a fixed version that correctly implements client certificate validation. See the vendor's website for the latest version and upgrade instructions.
CVE-2025-7390 is a critical vulnerability in the OPC UA C++ SDK allowing malicious clients to bypass certificate trust checks, potentially granting unauthorized access to industrial control systems.
If you are using OPC UA C++ SDK version 6.40–SDEX Suite V1.0, you are potentially affected by this vulnerability. Check your system configuration and upgrade as soon as a patch is available.
The recommended fix is to upgrade to a patched version of the OPC UA C++ SDK. Until then, implement compensating controls like restricting network access and monitoring server logs.
While no active exploitation has been confirmed, the critical severity and potential impact suggest a high likelihood of exploitation once a proof-of-concept is developed.
Refer to the vendor's official security advisory page for the OPC UA C++ SDK for the latest information and updates regarding CVE-2025-7390.