What Happened
Eclipse BaSyx — an open-source software platform used by manufacturers and industrial companies to connect their factory equipment, production data, and supply chain systems as part of Industry 4.0 (smart manufacturing) programmes — has been found to contain two critical security vulnerabilities. The first (CVE-2026-7411) received the maximum CVSS severity score of 10.0: it allows an attacker to upload any file to the BaSyx server without any login credentials, and to use that access to take complete control of the server and the industrial systems it is connected to. The second (CVE-2026-7412) allows an attacker to use the BaSyx server as a relay to communicate with manufacturing equipment on the factory network, bypassing the firewall protections that should prevent internet access to production systems. Patches are available in BaSyx V2 milestone-10.
Business Impact
Eclipse BaSyx is typically deployed at the junction between a company’s business IT systems and its manufacturing or operational technology environment — precisely the boundary that operational technology security controls are designed to protect. A vulnerability in this specific layer is particularly damaging because it sits behind most perimeter controls and in front of the operational systems that control physical production.
For manufacturers using BaSyx, a successful attack could provide an adversary with the ability to: access production data and operational parameters in real time; communicate directly with manufacturing equipment, PLCs, and sensors on the factory network; potentially disrupt, alter, or sabotage production processes in severe scenarios; and exfiltrate proprietary production specifications, quality data, and supply chain information.
Regulatory Implications
Manufacturers in scope of NIS2 as essential or important entities, in sectors including manufacturing, energy, and transport, are required to implement appropriate security measures for operational technology connected to their business networks. A CVSS 10.0 vulnerability in software connecting IT and OT environments is directly relevant to NIS2’s risk management obligations, and to its incident reporting obligations if exploitation is confirmed. Sector-specific regulators may also have reporting expectations for vulnerabilities identified in OT-connected infrastructure.
Board-Ready Summary
- A critical flaw in the software connecting your business systems to manufacturing operations can be exploited by anyone on the internet, without credentials, to gain control of that system and reach your factory network.
- This is the category of vulnerability, unauthenticated access to industrial systems, that cybersecurity authorities have repeatedly warned about as a leading pathway to manufacturing disruption attacks.
- Immediate patching and a temporary restriction of internet access to the affected software are required.
Recommended Actions
- Immediate (today): Identify all Eclipse BaSyx deployments in your environment, including deployments managed by system integrators or third-party vendors on your behalf.
- Immediate (today): Confirm whether your BaSyx instances are accessible from the internet. If they are, even for integration purposes, apply emergency network access restrictions to limit incoming connections to known, trusted IP addresses until patching is complete.
- Short-term (this week): Apply the patch by upgrading to BaSyx V2 milestone-10 (v2.0.0-milestone-10) from the Eclipse BaSyx GitHub repository or Maven Central. Verify the running version after the upgrade; do not rely on the deployment record alone.
- Short-term (this week): After patching, review BaSyx access logs for any unusual file upload events, unexpected API calls, requests arriving from addresses outside your partner allowlist, and outbound connection attempts from the BaSyx server, whether to external infrastructure or to factory-network devices it does not normally communicate with.
- Short-term (this week): Review the network architecture of your BaSyx deployment. BaSyx’s management and administration interface should only be accessible from internal networks, not from the internet. Only specific integration endpoints (if required for external partner data exchange) should be internet-accessible, with strong authentication.
- Ongoing: Apply the same vulnerability management process to industrial middleware and OT-integration software that you apply to IT infrastructure. Software at the IT/OT boundary warrants priority attention in your security programme.
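The log review step above is easier to delegate if it is scripted. The following is an added example (not Eclipse BaSyx project code) that triages an access log written by a reverse proxy in front of BaSyx. It assumes an NCSA combined log format with the request Content-Type appended as a final quoted field (a hypothetical proxy configuration), a hypothetical allowlist TRUSTED_NETS of networks permitted to reach the server, and constructed sample log lines; the paths in those lines marked as hypothetical are not BaSyx endpoints. It flags three things a practitioner would want surfaced after this advisory: upload-style requests (POST/PUT/PATCH with a file-bearing content type), any request from outside the allowlist, and requests that carry an embedded URL pointing at a private address, which is a generic indicator of the server being used as a relay.

```python
"""Triage a reverse-proxy access log in front of an Eclipse BaSyx deployment.

Added example, not BaSyx project code. Assumptions (hypothetical):
  - The proxy writes NCSA combined format with the request Content-Type
    appended as one more quoted field at the end of each line.
  - TRUSTED_NETS is this site's allowlist (plant LAN plus one partner range).
The SAMPLE_LOG lines are constructed for the example; the /upload and
/proxy paths in them are placeholders, not BaSyx API endpoints.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical allowlist: two RFC 1918 ranges for the plant, one documentation
# range standing in for an integration partner.
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "192.168.0.0/16", "203.0.113.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<ctype>[^"]*)"$'
)

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}
UPLOAD_CTYPES = ("multipart/form-data", "application/octet-stream", "application/zip")
# A URL (plain or percent-encoded) inside the request line; the captured host
# is checked against private ranges as a generic relay/SSRF indicator.
EMBEDDED_URL_RE = re.compile(r'https?(?:://|%3A%2F%2F)([^/%&?]+)', re.I)

SAMPLE_LOG = [  # constructed sample lines
    '10.20.1.15 - - [03/Mar/2026:08:14:02 +0000] "GET /shells HTTP/1.1" 200 5120 "-" "mes-connector/3.1" "-"',
    '198.51.100.77 - - [03/Mar/2026:08:15:40 +0000] "POST /upload HTTP/1.1" 201 0 "-" "python-requests/2.31" "multipart/form-data; boundary=abc"',
    '198.51.100.77 - - [03/Mar/2026:08:16:05 +0000] "GET /proxy?url=http%3A%2F%2F192.168.10.20%3A502%2F HTTP/1.1" 502 0 "-" "python-requests/2.31" "-"',
    '10.20.1.15 - - [03/Mar/2026:08:17:11 +0000] "PUT /submodels/abc/attachment HTTP/1.1" 204 0 "-" "mes-connector/3.1" "application/octet-stream"',
    '203.0.113.9 - - [03/Mar/2026:08:18:30 +0000] "GET /shells HTTP/1.1" 200 4096 "-" "partner-sync/1.0" "-"',
]


@dataclass
class Finding:
    line_no: int
    ip: str
    reason: str
    request: str


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside the allowlist."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def _embedded_internal_host(path: str) -> Optional[str]:
    """Return the first private IP found inside a URL embedded in the request."""
    for m in EMBEDDED_URL_RE.finditer(path):
        host = m.group(1).split(":")[0]
        try:
            if ipaddress.ip_address(host).is_private:
                return host
        except ValueError:
            continue
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per suspicious observation, in log order."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if not m:
            findings.append(Finding(n, "?", "unparseable line", line[:80]))
            continue
        ip, method, path = m["ip"], m["method"], m["path"]
        ctype = m["ctype"].lower()
        req = f"{method} {path}"
        untrusted = not is_trusted(ip)
        if method in UPLOAD_METHODS and ctype.startswith(UPLOAD_CTYPES):
            reason = "upload-style request"
            if untrusted:
                reason += " from untrusted source"
            findings.append(Finding(n, ip, reason, req))
        elif untrusted:
            findings.append(Finding(n, ip, "request from outside allowlist", req))
        host = _embedded_internal_host(path)
        if host:
            findings.append(Finding(n, ip, f"embedded URL to internal host {host} (possible relay)", req))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.ip:<15} {f.reason}: {f.request}")
```

Run it against the real proxy log instead of SAMPLE_LOG and replace TRUSTED_NETS with the site's actual allowlist; the parser is deliberately strict, so any line it cannot parse is itself reported rather than silently dropped. Upload-style requests from trusted addresses (line 4 in the sample) are still listed, because a legitimate integration account is exactly what an attacker who has already obtained a foothold would reuse; confirm those against the integration schedule rather than discarding them.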