cbcvebase.
CVE-2025-3945
published 2025-05-22

CVE-2025-3945: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara…

PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.59%
43.9th percentile
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Tridium Niagara Framework on QNX, Tridium Niagara Enterprise Security on QNX allows Command Delimiters. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11.

Affected

12 ranges
VendorProductVersion rangeFixed in
tridiumniagara
tridiumniagara
tridiumniagara
tridiumniagara_enterprise_security< 4.14.24.14.2
tridiumniagara_enterprise_security< 4.15.14.15.1
tridiumniagara_enterprise_security< 4.10.114.10.11
tridiumniagara_enterprise_security
tridiumniagara_enterprise_security
tridiumniagara_enterprise_security
tridiumniagara_framework< 4.14.24.14.2
tridiumniagara_framework< 4.15.14.15.1
tridiumniagara_framework< 4.10.114.10.11

Detection & IOCsextracted from sources · hover to see the quote

  • CVE-2025-3945 is an Argument Injection (CWE-88) vulnerability in Tridium Niagara Framework and Enterprise Security on QNX; monitor for command delimiter abuse in Niagara process invocations on QNX-based deployments
  • CVE-2025-3945 is part of a chain triggered by CVE-2025-43867 (CVEs CVE-2025-3936 through CVE-2025-3945); detection of CVE-2025-43867 exploitation (network-accessible, low complexity, authenticated) should be treated as a precursor to CVE-2025-3945 exploitation
  • Exploitation is remotely possible with low attack complexity; alert on unexpected inbound network connections to Niagara/FX devices not isolated behind firewalls or VPNs
  • Successful exploitation targets device configuration files; monitor for unexpected reads, modifications, or exfiltration of configuration files on affected Niagara/FX devices
  • ·Affected versions span three Niagara release trains; ensure all three are checked during asset inventory — before 4.10.11, before 4.14.2, and before 4.15.1
  • ·The vulnerability is specific to QNX-based deployments of Niagara; non-QNX deployments are not listed as affected
  • ·No known public exploitation has been reported at time of advisory publication; threat posture may change
  • ·Access to the vendor patch portal requires login credentials; coordinate with asset owners to obtain and apply patches 14.10.11 or 14.14.2
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.