July 7, 2026

XZ Utils Flaw Hits Industrial Gear: What SMBs Should Know

XZ Utils Flaw Hits Industrial Gear: What SMBs Should Know

This One Isn't About Windows, But It Still Matters to You

Most of my clients run Windows shops. Laptops, servers, Microsoft 365, maybe some cloud stuff. So when a vulnerability hits industrial automation hardware from an Austrian manufacturer, it's easy to assume it's someone else's problem. Sometimes it is. But if you're running any B&R automation gear on your floor or in your facility, this one's yours to deal with.

CISA flagged CVE-2025-31115, a bug in XZ Utils that affects several B&R products including the PPC3100, C50, C80, FT50, MT50, T30, T50, and T80. The CVSS score is 7.5, which puts it in the high severity category. Not the worst number I've seen, but high enough that you don't sit on it.

What the Bug Actually Does

XZ Utils is a compression library. It's used under the hood in a lot of Linux-based systems, including embedded devices like these B&R panels and controllers. The specific problem is in the multithreaded decoder. If an attacker sends malformed compressed data to a vulnerable device, the software can crash or corrupt memory. The technical term is heap use-after-free, which basically means the program tries to use memory it already freed. That's the kind of thing that leads to crashes or, in worse cases, code execution.

The race condition piece means the bug is tied to how threads compete for resources. It's not trivially exploitable, but a 7.5 score means researchers consider it realistic enough to take seriously.

Who's Actually at Risk Here

If you're a pure office shop, you're probably fine. This isn't a Windows or Microsoft 365 issue. But small manufacturers in New Jersey and the metro area, food processors, packaging operations, anyone running B&R HMI panels or controllers as part of their production line, should check their firmware versions today.

The affected versions are anything below 1.8.1 on the PPC3100, FT50, MT50, and T50, and below 1.8.0 on the C50, C80, T30, and T80. If you're not sure what firmware version your B&R equipment is running, that's the first thing to find out.

What to Do About It

B&R has patches available. The fix is in XZ Utils 5.8.1, and B&R has rolled that into updated firmware for the affected product lines. The remediation steps are straightforward in concept: identify which devices you have, check the firmware version, and apply the update.

In practice it's a little messier. Firmware updates on production equipment need to happen during a maintenance window. You don't want to reboot a controller mid-shift. If you have a controls engineer or an OT vendor relationship, loop them in. If you don't, this is a good time to think about whether your IT support covers OT assets or just office infrastructure, because those are increasingly different things.

One practical step right now: pull your asset inventory and filter for any B&R devices. If you don't have an asset inventory that covers your floor equipment, start building one. Even a spreadsheet beats flying blind when a patch like this drops.

The Bigger Pattern Worth Paying Attention To

What makes this interesting beyond the specific CVE is the pattern. Open-source libraries like XZ Utils end up embedded in all kinds of products, including industrial hardware that most people think of as isolated from the internet. It's not always isolated. B&R devices often connect to SCADA systems, and those systems sometimes have network paths that touch corporate infrastructure.

The 2024 XZ Utils backdoor incident already put this library under a microscope. This new CVE is a separate bug, but it's a reminder that the software stack inside your physical equipment has the same kinds of vulnerabilities as anything else running code.

If you're a manufacturer or operator with B&R gear and you're not sure where to start with patching or asset tracking, Exine works with SMBs across New Jersey on exactly this kind of problem and we're happy to take a look at where you stand.

Tomasz Sobolewski, founder of Exine LLC
About the author
Tomasz Sobolewski
Founder of Exine LLC. Hands-on IT, cybersecurity and backup for growing New Jersey businesses, with 15+ years in the field. The kind of support that knows your systems and picks up the phone.