Full Report
Behind the polished exterior of many modern buildings sit outdated systems with vulnerabilities waiting to be found
Analysis Summary
This summary is based on the provided article discussing vulnerabilities in Building Management Systems (BMS) presented at Black Hat Europe 2025. As the article is a discussion recap rather than a formal CVE advisory, specific CVE IDs and associated severity scores are not explicitly listed. The information below reflects the general findings discussed.
# Vulnerability: Legacy Vulnerabilities in Building Management Systems (BMS)
## CVE Details
- CVE ID: Not specified in the text. (The article implies numerous vulnerabilities, potentially spanning several years, since the legacy code dates back 18 years.)
- CVSS Score: Not specified in the text.
- CWE: Not specified in the text. (Likely related to insecure design/legacy code issues.)
## Affected Systems
- Products: Building Management System (BMS) software from an unnamed vendor, stemming from product evolution across acquisitions.
- Versions: Unspecified, but noted to contain issues dating back to 18-year-old firmware codebases.
- Configurations: Systems hosted on public-facing IP addresses, accessible from the internet, contrary to vendor recommendation (which suggests using a VPN).
## Vulnerability Description
The research focused on a specific vendor's BMS, which is deployed in over 1,000 buildings globally. The core issue stems from security deficiencies inherited through multiple company acquisitions due to a lack of security due diligence during M&A processes. Vulnerabilities were often patched superficially ("sticking plaster") without addressing the underlying root cause in the legacy codebase (some dating back 18 years), leading to the continuous exposure of new or existing flaws.
## Exploitation
- Status: Not explicitly stated as "exploited in the wild," but the potential for significant operational disruption is high (e.g., manipulating HVAC, overriding door locks).
- Complexity: Likely Medium to High, depending on the specific exploit path, although internet exposure makes initial access easy.
- Attack Vector: Network (due to public IP exposure).
## Impact
- Confidentiality: Unknown/Potentially High (Depending on system integration, access to building data).
- Integrity: High (Ability to manipulate building controls like climate control or door access).
- Availability: High (Potential for operational disruption by causing physical environment failures, e.g., overheating server rooms).
## Remediation
### Patches
- Vendor has issued "numerous fixes" due to coordinated disclosure efforts, but these are deemed insufficient as they sometimes fail to address the root cause. Users must apply the latest available vendor patches.
### Workarounds
- **Crucial Mitigation:** The vendor recommends securing the BMS implementation behind a **Virtual Private Network (VPN)**.
- Ensure the system is *not* accessible directly from public IP addresses.
- Implement security layers comparable to those protecting corporate network systems.
## Detection
- Indicators of Compromise: Unexplained changes to HVAC settings, unexpected door lock behavior, unusual network traffic originating from the BMS endpoints to external addresses.
- Detection methods and tools: Regular security auditing of BMS infrastructure, including code audits following vulnerability reports. Monitoring network access logs for unauthorized external connections to the BMS interface.
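The second detection method above, monitoring access logs for connections to the BMS interface that bypass the VPN, is straightforward to express as a log check. The following is an added illustration, not code from the article or the researchers: it assumes a simple constructed firewall log format, a constructed BMS interface address, and a constructed VPN address pool, and flags both inbound BMS connections that did not arrive from the VPN pool and outbound connections from the BMS host to external addresses (the traffic indicator listed above).

```python
"""Flag BMS connections that violate a VPN-only access posture.

Added example, not from the article. The log format, addresses and
network ranges below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed assumptions: the BMS web interface lives on this host and
# should only be reached from the corporate VPN concentrator's address pool.
BMS_HOSTS = {ipaddress.ip_address("10.20.0.15")}
VPN_POOL = ipaddress.ip_network("10.99.0.0/16")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample firewall log: "<timestamp> <action> <src>:<port> -> <dst>:<port>"
SAMPLE_LOG = """\
2025-12-10T08:01:02Z ALLOW 10.99.4.21:51022 -> 10.20.0.15:443
2025-12-10T08:03:44Z ALLOW 203.0.113.77:40112 -> 10.20.0.15:443
2025-12-10T08:05:10Z ALLOW 10.20.0.15:49321 -> 198.51.100.9:8080
2025-12-10T08:06:00Z ALLOW 10.20.0.15:49322 -> 10.20.0.2:53
2025-12-10T08:07:13Z DENY 192.0.2.5:55000 -> 10.20.0.15:80
"""


@dataclass
class Finding:
    timestamp: str
    kind: str  # "inbound_non_vpn" or "outbound_external"
    src: str
    dst: str


def analyze(log_text):
    """Return a Finding for every allowed flow that breaks the VPN-only rule."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, action, src, _, dst = line.split()
        # Strip the port; rpartition keeps this correct for bracketed IPv6 too.
        src_ip = ipaddress.ip_address(src.rpartition(":")[0].strip("[]"))
        dst_ip = ipaddress.ip_address(dst.rpartition(":")[0].strip("[]"))
        if action != "ALLOW":
            continue  # blocked attempts are not a policy violation by the BMS
        # Inbound to the BMS interface from anywhere but the VPN pool:
        # the system is reachable without the recommended VPN layer.
        if dst_ip in BMS_HOSTS and src_ip not in VPN_POOL:
            findings.append(Finding(ts, "inbound_non_vpn", str(src_ip), str(dst_ip)))
        # Outbound from the BMS host to a non-internal address: the
        # "unusual traffic to external addresses" indicator above.
        if src_ip in BMS_HOSTS and dst_ip not in INTERNAL:
            findings.append(Finding(ts, "outbound_external", str(src_ip), str(dst_ip)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.timestamp} {f.kind}: {f.src} -> {f.dst}")
```

Run against the constructed sample, the check reports the direct internet connection to the BMS interface and the BMS host's outbound connection to an external address, while the VPN-sourced session and the denied probe are left alone. In a real deployment the same rule would be expressed in the firewall or SIEM, with the VPN pool and BMS addresses taken from the actual network design.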
## References
- Vendor advisories: The article notes that coordinated disclosure prompted fixes, but the vendor's identity is withheld.
- Relevant links (defanged):
  - Black Hat talk source: hxxps://blackhat.com/eu-25/briefings/schedule/#project-brainfog-hacking-smart-cities-one-building-at-a-time---a-city-of-a-thousand-zero-days-48113
  - Accompanying white paper: hxxps://wwwzeroscience.mk/files/Brainfog.pdf
  - Prior related research (ICS/Industroyer): hxxps://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/