Critical Flaws in Niagara Framework Threaten Smart Buildings and Industrial Systems Worldwide
Cybersecurity researchers at Nozomi Networks Labs have identified over a dozen critical vulnerabilities in the Niagara Framework, a widely used building management and industrial automation platform developed by Honeywell subsidiary Tridium. The vulnerabilities, six of which are rated at the maximum 9.8 CVSS severity score, could allow network-adjacent attackers to achieve complete system compromise when Niagara systems are misconfigured with encryption disabled. Researchers demonstrated an exploit chain that enables attackers to intercept authentication tokens, perform cross-site request forgery attacks, gain administrative access, and ultimately achieve root-level remote code execution on targeted devices. Because the Niagara Framework manages critical infrastructure including HVAC, lighting, energy management, and security systems across building management and smart infrastructure environments, these vulnerabilities pose significant risks to operational resilience and safety. Tridium has addressed the issues in updated versions 4.14.2u2, 4.15.u1, and 4.10u.11, and the researchers emphasize the importance of proper system configuration and of following Tridium’s hardening guidelines to prevent exploitation.