Skip to content

B&R APROL Multiple Vulnerabilities Addressed in R 4.4-01P5 (CVE-2026-6900, CVE-2026-6901, and Four Apache Tomcat Flaws)

B&R, a member of the ABB Group, has published cyber security advisory SA26P011 (dated July 6, 2026) addressing six vulnerabilities in its APROL process control system, all resolved in release R 4.4-01P5. Two of the issues are newly identified B&R-specific flaws — CVE-2026-6900, an improper certificate validation weakness in the LDAP Server Connector, and CVE-2026-6901, an untrusted search path weakness in the web server — while the remaining four are inherited third-party vulnerabilities in the Apache Tomcat component bundled with the product. Successful exploitation could impact product availability, spoof identities, disclose information, escalate privileges, or, in the case of the Tomcat flaws, achieve remote code execution.

The two B&R-specific issues address distinct attack paths. CVE-2026-6900 (CVSS v3.1 7.4, CVSS v4.0 9.1) allows a network-based attacker to conduct adversary-in-the-middle attacks against the APROL LDAP connection because the client does not properly validate the LDAP server's TLS certificate, leading to information disclosure or identity spoofing. CVE-2026-6901 (CVSS v3.1 7.7, CVSS v4.0 8.4) allows an authenticated local attacker to escalate privileges through an untrusted search path in the web server configuration. The four Apache Tomcat vulnerabilities range from a critical time-of-check/time-of-use race condition enabling remote code execution (CVE-2024-50379 and CVE-2024-56337, both CVSS v3.1 9.8) to an HTTP/2 request mix-up (CVE-2024-52317) and a denial-of-service condition in the bundled examples web application (CVE-2024-54677).

APROL is a process control and data acquisition platform used to operate and monitor industrial processes, so vulnerabilities in its authentication, web, and application components carry consequences for both the confidentiality of operational data and the integrity of process control. B&R states that the vulnerabilities were reported through responsible disclosure, that they had not been publicly disclosed when the advisory was issued, and that there are no reports of exploitation in the wild. Nonetheless, because the fixes bundle a critical-severity Tomcat remote code execution flaw and two network- and privilege-relevant B&R issues, B&R recommends applying the update to R 4.4-01P5 at the earliest convenience.

Threats and Vulnerabilities

CVE-2026-6900, with a CVSS v3.1 base score of 7.4 and a CVSS v4.0 base score of 9.1, is an improper certificate validation vulnerability (CWE-295) in the LDAP Server Connector used by APROL versions prior to R 4.4-01P5. Because the LDAP client does not require and verify the LDAP server's TLS certificate, a network-positioned attacker can perform an adversary-in-the-middle attack against the authentication channel, intercepting credentials and directory data (information disclosure) or impersonating a legitimate server or user (identity spoofing). The CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) reflects a network attack vector with high complexity because the attacker must occupy a man-in-the-middle position, but the confidentiality and integrity impact is high; the v4.0 score of 9.1 weights this attack path more heavily.

CVE-2026-6901, with a CVSS v3.1 base score of 7.7 and a CVSS v4.0 base score of 8.4, is an untrusted search path vulnerability (CWE-426) in the APROL web server. The web server configuration includes wildcard alias directives that resolve paths in a way an authenticated local attacker can abuse to load attacker-controlled resources and elevate privileges on the affected node. The CVSS v3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) indicates a local attack vector with low complexity and high confidentiality and integrity impact, consistent with a privilege-escalation outcome on an operator or engineering host.

CVE-2024-50379 and CVE-2024-56337, both with a CVSS v3.1 base score of 9.8, are critical time-of-check/time-of-use (TOCTOU) race condition vulnerabilities (CWE-367) in the Apache Tomcat component bundled with APROL. CVE-2024-50379 occurs during JSP compilation and permits remote code execution on case-insensitive file systems when the default servlet is enabled for write, a non-default configuration; CVE-2024-56337 is a follow-on flaw arising because the original mitigation for CVE-2024-50379 was incomplete, leaving the same remote code execution condition exploitable. Both carry a network vector, low attack complexity, and high confidentiality, integrity, and availability impact, making them the highest-severity items in the advisory where the vulnerable Tomcat configuration is present.

CVE-2024-52317 (CVSS v3.1 6.5) and CVE-2024-54677 (CVSS v3.1 5.3) are the two remaining Apache Tomcat third-party vulnerabilities. CVE-2024-52317 is an incorrect object recycling and reuse flaw in which request and response objects used by HTTP/2 requests can be mismatched between users, potentially exposing one user's data or actions to another; the advisory maps it to CWE-326. CVE-2024-54677 is an uncontrolled resource consumption vulnerability (CWE-400) in the Tomcat examples web application that lacks data upload limits, allowing a denial-of-service condition. Both are resolved by the updated Tomcat component in APROL R 4.4-01P5, and the examples application should not be deployed in production.

Client Impact

For operators of B&R APROL, these vulnerabilities create risk across the authentication, web, and application layers of the process control system. An adversary-in-the-middle attack against the LDAP connection could expose operator and engineering credentials or allow an attacker to impersonate a directory server, undermining the trust boundary that governs who can access and control the process. The untrusted search path flaw provides a route for an authenticated user to escalate privileges on an operator or engineering node, and the bundled Tomcat race conditions, where the vulnerable write configuration is present, could allow remote code execution on the affected node. Collectively these outcomes threaten both the confidentiality of process and operational data and the integrity and availability of the control environment.

The compliance consequences are relevant for industrial operators subject to frameworks such as IEC 62443, NERC CIP where applicable, and the CISA Cross-Sector Cybersecurity Performance Goals, which call for timely patching of known vulnerabilities in control-system software, for encrypted and authenticated communication channels, and for network segmentation that isolates automation systems from general-purpose networks. B&R's advisory reinforces this by recommending firewall isolation of automation networks, physical access controls, and minimized network exposure. A documented evaluation of exposure and a record of applying the R 4.4-01P5 update support both regulatory obligations and internal patch-governance requirements.

Mitigations

The following actions are recommended to reduce exposure to the vulnerabilities addressed in SA26P011:

1. Update APROL to release R 4.4-01P5 or later. This is the primary remediation and resolves all six vulnerabilities, including the updated Apache Tomcat third-party component; follow the update procedure described in the APROL user manual and use the documented step to confirm the installed version.

2. Enforce LDAP TLS certificate verification as an interim workaround for CVE-2026-6900. Set TLS_REQCERT demand in /etc/openldap/ldap.conf, create a per-account .ldaprc referencing the appropriate issuer certificate directory (TLS_CACERTDIR) for engineering, runtime, and operator accounts, index the certificates with openssl rehash, and deploy the external LDAP server's trusted issuer certificate to those directories.

3. Replace wildcard web server aliases as an interim workaround for CVE-2026-6901. In the Apache configuration file used by APROL, replace wildcard AliasMatch directives with explicit aliases that reference specific system and project names, removing the untrusted path resolution that enables privilege escalation.

4. Constrain the Apache Tomcat exposure. Confirm that the Tomcat default servlet is not enabled for write (the non-default configuration required to exploit the TOCTOU remote code execution flaws) and remove the Tomcat examples web application from any production deployment to eliminate the resource-consumption denial-of-service path.

5. Isolate and monitor the automation environment. Place APROL nodes behind firewalls, separated from office and internet-facing networks, enforce physical access controls, keep operating system and application patches current, and forward web server, LDAP, and host logs to a SIEM to detect adversary-in-the-middle attempts, anomalous web requests, and unexpected process execution.

Applying the R 4.4-01P5 update and validating the LDAP and web server configurations are the priority actions for any organization running an affected version.

1898 & Co. Response

1898 & Co. works alongside industrial operators and process-automation asset owners to reduce the risk that vulnerabilities like those in SA26P011 introduce to operational technology environments. Our security consultants have supported clients in inventorying control-system software such as APROL, validating installed versions against active vendor advisories, and confirming that automation networks are segmented from corporate and internet-facing networks.

Through managed threat detection and response services, 1898 & Co. helps clients monitor process control systems for the behaviors these vulnerabilities enable, including adversary-in-the-middle attempts against authentication channels, anomalous web requests to control-system web servers, and unexpected process execution or privilege changes on operator and engineering nodes. Our analysts develop hunt procedures and detection content tuned to a client's deployed platforms so that exploitation attempts can be identified and contained quickly.

Beyond incident response, 1898 & Co. supports vulnerability management and OT security program development, helping organizations establish the patch governance, certificate and authentication hardening, and network segmentation that limit the impact of a compromised control-system component. Our team is available to assist clients in assessing their exposure to the APROL vulnerabilities and in validating that the R 4.4-01P5 update and interim workarounds have been applied correctly.

Sources

1. B&R Cyber Security Advisory SA26P011 — Security Issues addressed in APROL R 4.4-01P5

2. ABB Cyber Security Alerts and Notifications

3. NVD Entry — CVE-2026-6900

4. NVD Entry — CVE-2026-6901

5. NVD Entry — CVE-2024-56337

6. NVD Entry — CVE-2024-54677

7. NVD Entry — CVE-2024-52317

8. NVD Entry — CVE-2024-50379