CVE-2026-6900
B&R Industrial Automation · APROL
An improper certificate validation vulnerability in B&R Industrial Automation's APROL allows potential security bypasses.
Executive summary
A critical certificate validation flaw in B&R APROL exposes industrial control systems to potential man-in-the-middle attacks, necessitating immediate attention.
Vulnerability
This vulnerability (CWE-295) involves improper validation of digital certificates, which could allow an unauthenticated attacker to intercept or manipulate encrypted communications between system components.
Business impact
The exploitation of this vulnerability could lead to a complete compromise of the integrity and confidentiality of communication channels within the APROL environment. Given the high CVSS score of 7.4, this risk is substantial for industrial operations, as it could facilitate unauthorized command injection or the exfiltration of sensitive process data, leading to operational downtime or safety risks.
Remediation
Immediate Action: Update the APROL software to version R 4.4-01P5 or later as specified by the vendor advisory.
Proactive Monitoring: Monitor network traffic logs for unusual certificate handshakes or unexpected communication patterns between APROL nodes.
Compensating Controls: Implement strict network segmentation to isolate APROL components and ensure that only authorized, trusted connections are permitted to communicate with the application.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this certificate validation flaw requires prompt action to prevent potential man-in-the-middle attacks. Administrators should prioritize testing and deploying the vendor-provided update to all affected APROL installations immediately to ensure the security of industrial communication channels.