ID

VAR-202505-2694


CVE

CVE-2025-3937


TITLE

Vulnerability related to the use of insufficiently strong password hashes in Tridium Niagara and Niagara Enterprise Security

Trust: 0.8

sources: JVNDB: JVNDB-2025-006310

DESCRIPTION

Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows Cryptanalysis. This issue affects Niagara Framework: before 4.14.2, before 4.15.1, before 4.10.11; Niagara Enterprise Security: before 4.14.2, before 4.15.1, before 4.10.11. Tridium recommends upgrading to Niagara Framework and Enterprise Security versions 4.14.2u2, 4.15.u1, or 4.10u.11. (DoS) It may be in a state

Trust: 1.62

sources: NVD: CVE-2025-3937 // JVNDB: JVNDB-2025-006310

AFFECTED PRODUCTS

vendor: tridium, model: niagara, scope: eq, version: 4.10u10

Trust: 1.0

vendor: tridium, model: niagara, scope: eq, version: 4.15

Trust: 1.0

vendor: tridium, model: niagara enterprise security, scope: eq, version: 4.10u10

Trust: 1.0

vendor: tridium, model: niagara, scope: eq, version: 4.14u1

Trust: 1.0

vendor: tridium, model: niagara enterprise security, scope: eq, version: 4.15

Trust: 1.0

vendor: tridium, model: niagara enterprise security, scope: eq, version: 4.14u1

Trust: 1.0

vendor: tridium, model: niagara enterprise security, scope: -, version: -

Trust: 0.8

vendor: tridium, model: niagara, scope: -, version: -

Trust: 0.8

sources: JVNDB: JVNDB-2025-006310 // NVD: CVE-2025-3937

CVSS

SEVERITY

CVSSV2

CVSSV3

psirt@honeywell.com: CVE-2025-3937
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2025-3937
value: CRITICAL

Trust: 1.0

NVD: CVE-2025-3937
value: CRITICAL

Trust: 0.8

psirt@honeywell.com: CVE-2025-3937
baseSeverity: HIGH
baseScore: 7.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.1
impactScore: 4.0
version: 3.1

Trust: 1.0

nvd@nist.gov: CVE-2025-3937
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.9
version: 3.1

Trust: 1.0

NVD: CVE-2025-3937
baseSeverity: CRITICAL
baseScore: 9.8
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2025-006310 // NVD: CVE-2025-3937 // NVD: CVE-2025-3937

PROBLEMTYPE DATA

problemtype:CWE-916

Trust: 1.0

problemtype: Use of weak password hashes (CWE-916) [others]

Trust: 0.8

problemtype: Use of weak password hashes (CWE-916) [NVD evaluation]

Trust: 0.8

sources: JVNDB: JVNDB-2025-006310 // NVD: CVE-2025-3937

EXTERNAL IDS

db: NVD, id: CVE-2025-3937

Trust: 2.6

db: JVNDB, id: JVNDB-2025-006310

Trust: 0.8

sources: JVNDB: JVNDB-2025-006310 // NVD: CVE-2025-3937

REFERENCES

url:https://www.honeywell.com/us/en/product-security#security-notices

Trust: 1.8

url:https://docs.niagara-community.com/category/tech_bull

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2025-3937

Trust: 0.8

sources: JVNDB: JVNDB-2025-006310 // NVD: CVE-2025-3937

SOURCES

db: JVNDB, id: JVNDB-2025-006310
db: NVD, id: CVE-2025-3937

LAST UPDATE DATE

2025-06-06T23:25:55.221000+00:00


SOURCES UPDATE DATE

db: JVNDB, id: JVNDB-2025-006310, date: 2025-06-05T05:54:00
db: NVD, id: CVE-2025-3937, date: 2025-06-04T19:52:59.573

SOURCES RELEASE DATE

db: JVNDB, id: JVNDB-2025-006310, date: 2025-06-05T00:00:00
db: NVD, id: CVE-2025-3937, date: 2025-05-22T13:15:56.457