CRA Compliance

Active CVEs

1

requiring ENISA reporting

Open Incidents

1

active Article 14 §3 flows

Machines affected

47

across 12 customers

CRA Status

Action required

2 obligations pending

Required actions

Sorted by deadline

CVE-2024-0323 Art. 14 §1 Early Warning pending

Actively exploited · CVSS 9.8 · 47 machines affected across 12 customers

18:42

remaining

INC-2026-FI-H3020 Art. 14 §3 Early Warning pending

Finjet Oy · Tampere · Unauthorized PLC access

23:37

remaining

Vulnerabilities

1 pending

CVEs requiring action 1

Machines affected 47

View vulnerabilities →

Incidents

1 open

Open incidents 1

Resolved (last 30 days) 1

View incidents →

Cases

2 active

Active compliance cases 2

Steps overdue 1

View cases →

Reports

7 documents

Submitted this year 7

Cases with open filings 1

View reports →

AI CVE-2024-0323 affects 47 machines — Early Warning required. File now →

Installed base

156

machines · 23 customers

Affected machines

47

across 12 customers

Actively exploited

2

CVEs in CISA KEV catalog

Active CVEs

1

1 Critical

Customer notifications

12

CVE-2024-0323 · 0 / 12 sent

Showing 3 of 47 affected machines — View all →

Asset	Customer	Worst severity	CVEs	CRA score% of CRA Article 14 requirements met for this machine — based on SBOM completeness, unpatched CVE count, and customer notifications sent. Below 30% = action required.	SBOM	Last scan
H3020 Tampere · Site A	Finjet	Critical	1CVE-2024-0323 KEVKnown Exploited · CISA KEV CVE-2024-0323	17%	CycloneDX 1.5	3h ago
CRC-2200 Helsinki · Plant 1	Konecranes	Critical	1CVE-2024-0323 KEVKnown Exploited · CISA KEV CVE-2024-0323	22%	CycloneDX 1.5	2h ago
KCR-540 Kotka · Port	Konecranes	High	1CVE-2023-4863 KEVKnown Exploited · CISA KEV CVE-2023-4863	92%	CycloneDX 1.5	14d ago

CVE	Severity	CVSS	Affected machines	Customers	Patch coverage	ENISA filing	Customer notifs
CVE-2024-0323 B&R Automation Runtime ≤b4.92 KEV · CISA	Critical	9.8	47 of 156	12 Finjet, Konecranes +10	0 / 47	Not filed — 18h 42m	0 / 12 sent
CVE-2023-4863 libwebp — heap buffer overflow KEV · CISA	High	8.8	14 of 156	4 Konecranes +3	14 / 14	Final report filed	4 / 4 sent

Overdue

1

immediate action required

Pending

4

filing required

Submitted

6

this year

Next deadline

18h 42m

CVE-2024-0323 Early Warning

Reference	Track	Stage	Status	Deadline	Submitted
CVE-2024-1234 OpenSSL 3.x · CVSS 8.1 · 18 machines	T1 Vuln	Early Warning	⚠ Overdue	Missed · 2026-03-29	—
INC-2026-FI-H4512 H4512 · HMI ransomware variant · Metso Corp Oulu	T2 Incident	72h Notification	● In progress	2026-04-04 · 47h 12m	EW: 2026-04-02
INC-2026-FI-H3020 H3020 · Unauthorized PLC access · Finjet Oy Tampere	T2 Incident	Early Warning	● Draft	2026-04-02 · 23h 37m	—
CVE-2024-0323 B&R Automation Runtime ≤b4.92 · CVSS 9.8 · 47 machines	T1 Vuln	Early Warning	● Draft	2026-04-01 · 18h 42m	—
CVE-2024-0323 B&R Automation Runtime ≤b4.92 · CVSS 9.8	T1 Vuln	Detailed Report	🔒 Locked — awaiting EW	2026-04-03 09:14 UTC	—
INC-2025-FI-H2201 H2201 · Unauthorized firmware modification · Outokumpu Tornio	T2 Incident	Final Report	✓ Complete — all 3 stages	2025-12-14	2025-11-14
INC-2025-SE-H1104 H1104 · Network intrusion attempt · SSAB Sweden Luleå	T2 Incident	Early Warning	— Dismissed (false positive)	2025-09-03	2025-09-03
CVE-2023-4863 libwebp heap buffer overflow · CVSS 9.8	T1 Vuln	Early Warning	✓ Submitted	2026-01-12	2026-01-12 · Anssi T.
CVE-2023-4863 libwebp heap buffer overflow · CVSS 9.8	T1 Vuln	Detailed Report	✓ Submitted	2026-01-14	2026-01-13 · Anssi T.
CVE-2022-42889 Apache Commons Text · CVSS 9.8	T1 Vuln	Early Warning	✓ Submitted	2025-11-03	2025-11-02 · Anssi T.
CVE-2022-42889 Apache Commons Text · CVSS 9.8	T1 Vuln	Detailed Report	✓ Submitted	2025-11-07	2025-11-06 · Anssi T.

Active 1

Incident	Source	Detected	Severity	Status
INC-2026-FI-H3020 Unauthorized firmware modification attempt · Outokumpu Tornio	Monitoring API	2026-03-18	Critical	Case created

Resolved · 1 incident

Incident	Source	Detected	Severity	Status
INC-2025-SE-H1104 Network intrusion attempt · SSAB Sweden Luleå	Customer report	2025-08-29	Low	Dismissed

Incident details

Detected

2025-08-29 · 04:17 UTC

Source

Customer report — phone call

Machine

H1104 — Hydraulic press line B

Customer

SSAB Sweden Luleå

Description

Customer reported unusual login attempts on the machine HMI panel. IT team investigated remotely. No confirmed intrusion — attempts originated from a misconfigured internal network scanner, not an external threat actor.

CRA threshold assessment

Reviewed by

Mikael Lindqvist

Review date

2025-09-03

Severity assessed

Low

CRA Article 14 threshold

Not met — no reporting required

Threshold criteria checked

Impact on product security functions No impact confirmed

Unauthorised access to product data or controls No access gained

Impact on availability or integrity of product No impact

Significant impact on other systems or customers Isolated to single site

Dismissed — below CRA reporting threshold

No ENISA filing or customer notice required. Record retained for audit purposes.

Machine

H1104

Hydraulic press line B

SSAB Sweden Luleå

Serial: BR-H1104-SE-029

Outcome

ENISA filing Not required

Customer notice Not required

Record retained Yes

Open cases

2

active CVEs and incidents

Overdue steps

1

immediate action required

Due today

1

file before end of day

Work orders open

2

assigned and in progress

Case	Type	Progress	Next deadline	Next step
INC-2026-FI-H3020 Unauthorized PLC access · H3020 · Finjet Oy Tampere	Incident	0 / 5	2026-04-02 · 23h 37m	⚠ Early Warning overdue
CVE-2024-0323 B&R Automation Runtime ≤b4.92 · CVSS 9.8 · 47 machines · 12 customers	CVE	1 / 5	2026-04-01 · 18h 42m	Notify customers — 0 / 12 sent

ENISA Reporting

Filed with ENISA within 24h · 2026-04-01 · On time · Ref: ENISA-2026-FI-00847

72h Detailed Report — Overdue

File detailed report with ENISA

Deadline missed · Was due 2026-04-03

Customer Notification

Initial Notice — Action needed

Notify all affected customers

12 customers · 0 / 12 sent · Required without undue delay · CRA Article 14

WO-2342 M. Korhonen · Open

Patch not yet published

Publishing unlocks Final Report (ENISA) and Closure Report (customers)

Final Report — Pending

File final report with ENISA

Due 14 days after patch published · Unlocks when patch is published

Closure Report — Pending

Confirm resolution to all customers

Available after patch published · Confirms patch availability + case closure

Close case — OEM obligations fulfilled

Complete both tracks above · CRA Article 13 & 14

Affected machines

H3020

Finjet · Tampere

CRC-2200

Konecranes · Helsinki

+45 more machines →

Linked work orders

WO-2341

Early Warning filed

✓ Done

WO-2342

Customer notices

Open

WO-2343–45

Steps 3–5

Not created

Customer deployment status

Live · IoT

8 / 47

Confirmed patched 8

Acknowledged, pending 21

No response / not connected 18

Synced from connected machines via IoT module. Informational only — case closure does not require full deployment. Log update →

ENISA Reporting

Early Warning — Overdue

File Early Warning with authorities

Deadline missed · Was due 2026-04-02 within 24h

WO-2356 A. Virtanen · Overdue

⚠ Overdue

72h Notification — Pending

File 72h detailed notification

Due within 72h of detection · Available after Early Warning filed

Customer Notification

Initial Notice — Action needed

Notify affected customer

1 customer — Finjet Oy · Required without undue delay · CRA Article 14

WO-2357 M. Korhonen · Open

Incident not yet contained

Confirming H3020 is secured unlocks Final Report (ENISA) and Confirm resolved (customer)

Final Report — Pending

File final report with ENISA

Due within 1 month of containment · Unlocks when incident is contained

Confirm Resolved — Pending

Confirm incident resolved to customer

Available after incident contained · Confirms H3020 is secured

Close case

Available when all ENISA reports filed and customer confirmed resolved

AI Guidance Content below is AI-generated from the incident record — click any text to edit directly. Review carefully before sending — machine access incidents require precise language.

Security Incident Notice

INC-2026-FI-H3020 · Finjet Oy · H3020 · Initial notice · 2026-04-02

Executive summary AI

We are writing to inform you of a security incident detected on 2026-04-02 affecting machine H3020 at your Tampere facility. An unauthorized access attempt to the PLC was identified. We are investigating the nature and scope of the access. This notification is provided under our obligations under the EU Cyber Resilience Act (Article 14).

1

Machine affected

H3020

Asset ID

2026-04-02

Detection date

Active

Investigation

What happened

AI filled

Unauthorized PLC access detected on H3020

On 2026-04-02, our monitoring systems detected an unauthorized access attempt targeting the PLC on machine H3020 at your Tampere site. The access originated from an unexpected network source. We have logged the event and initiated a full investigation. We are currently assessing whether any configuration changes or data were affected.

Actions taken

AI filled

Investigation initiated — machine being assessed

We have notified the relevant authorities (ENISA Early Warning filed) and assigned a dedicated work order (WO-2356) to A. Virtanen for investigation. Network access logs from H3020 have been preserved. We are working to confirm the full scope and will provide an update within 72 hours.

Recommended steps for you

No immediate action is required from your side at this stage. Please do not modify the machine configuration or restart H3020 until you receive further instructions from us — this preserves the state needed for our investigation. We will contact you within 72 hours with a full update.

AI-generated content — review before sending

Reports filed

3

to authorities this year

Notices sent

2

to customers this year

Last submission

11 Aug 2025

CVE-2023-4863 Customer Notice

Active cases 1

Case	Stage	Type	Submitted	Recipient
CVE-2024-0323 B&R Automation Runtime ≤b4.92	Customer Notice	Customer notice	2025-10-20	Andritz AG
CVE-2024-0323 B&R Automation Runtime ≤b4.92	72h Report	Security report	2025-09-28	ENISA
CVE-2024-0323 B&R Automation Runtime ≤b4.92	Early Warning	Security report	2025-09-25	ENISA

Closed · 2 cases

Case	Stage	Type	Submitted	Recipient
INC-2025-SE-H1104 Network intrusion attempt · SSAB Sweden Luleå	Dismissed	Assessment record	2025-09-03	Internal
CVE-2023-4863 libwebp heap buffer overflow · CVSS 9.8	Customer Notice	Customer notice	2025-08-11	Konecranes Oyj
CVE-2023-4863 libwebp heap buffer overflow · CVSS 9.8	Final Report	Security report	2025-08-01	ENISA

Sent to Andritz AG — 2025-10-20 · CRA Article 14 §8 · Sent by M. Korhonen · Read only

Recipients

Company

Andritz AG

Contact

security@andritz.com

Affected assets

AND-0047 · AND-0048 · AND-0051 (3 installations)

Sent by

M. Korhonen · WO-2342

Notice content

Subject

Security Notice — CVE-2024-0323 affecting B&R Automation Runtime installations

Summary

A critical vulnerability (CVE-2024-0323, CVSS 9.8) has been identified in B&R Automation Runtime ≤b4.92. The FTP server accepts legacy TLS versions (SSLv3, TLSv1.0, TLS1.1), allowing an attacker with network access to intercept or tamper with communications. 3 of your installations are affected.

Recommended actions

A patch will be made available via your customer portal at portal.fter.io. You will receive a follow-up notice with download instructions once the patch is released. No action is required from your side at this stage — we will notify you when the patch is ready to deploy.

Next steps

Patch expected: 2025-10-28 · Closure notice to follow after patch confirmed deployed

Send details

Format

Executive summary

Delivery

Email · security@andritz.com

Submitted to ENISA — 2026-04-01 09:56 UTC · Filed on time · Reference: ENISA-2026-FI-00847 · Read only

1 — Incident identification

CVE identifier

CVE-2024-0323

Date / time of detection

2026-03-31 09:14 UTC

Severity

Critical (CVSS 9.8)

Vulnerability status

Actively exploited in the wild

Brief description

The FTP server in B&R Automation Runtime supports insecure encryption mechanisms (SSLv3, TLSv1.0, TLS1.1). A network attacker can conduct man-in-the-middle attacks or decrypt communications. Root weakness: CWE-1240.

2 — Affected products & installations

Manufacturer

B&R Industrial Automation GmbH

Product name

B&R Automation Runtime

Affected version(s)

b4.92 and earlier

Affected installations

47 (across 12 customers)

Asset	Customer	Site	Component version
H3020	Finjet Oy	Tampere	Automation Runtime b4.92
H3060	Finjet Oy	Tampere	Automation Runtime b4.92
KCR-2241	Konecranes	Hyvinkää	Automation Runtime b4.92
VLM-0118	Valmet	Jyväskylä	Automation Runtime b4.91
AND-0047	Andritz	Graz	Automation Runtime b4.90

Showing 5 of 47 — full list included in submission

3 — Initial impact & mitigation

Potential impact

Confidentiality — data interception

Immediate mitigation

Patch preparation in progress

Mitigation details

Vulnerability identified via SBOM scan. Affected components mapped to 47 installations. Patch development initiated. Customers to be notified per CRA Article 14 requirements.

4 — Notifier information

Organisation name

Fter Technologies Oy

Contact name

A. Virtanen

Contact email

security@fter.io

EU Member State

Finland

Submitted to ENISA — 2026-04-07 11:24 UTC · 4 days late · Deadline was 2026-04-03 · Reference: ENISA-2026-FI-00847-DR · Read only

1 — Incident identification

CVE identifier

CVE-2024-0323

Early Warning reference

ENISA-2026-FI-00847

CVSS score

9.8 — Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Actively exploited

Yes — confirmed in the wild

2 — Root cause & technical detail

Root cause (preliminary)

Use of deprecated cryptographic protocols

Vulnerability category

CWE-1240 — Use of a Risky Cryptographic Primitive

Technical description

The FTP server component in B&R Automation Runtime ≤b4.92 negotiates legacy TLS versions (SSLv3, TLSv1.0, TLS1.1) when requested by clients. An attacker with network access to the same segment can perform a downgrade attack and intercept or tamper with FTP traffic, exposing credentials and transferred files. The issue exists in the TLS negotiation handler and does not require authentication to trigger.

SBOM current

Yes — SBOM updated 2026-04-01

Affected users / installations

47 installations · 12 customers

3 — Impact assessment

Confidentiality impact

High — credentials and data exposed to MITM

Integrity impact

High — transferred files may be tampered

Availability impact

None at this time

Known exploitation

Observed in targeted campaigns against industrial control systems

Impact description

Risk is highest for installations where FTP is used to transfer machine configuration files or diagnostic data. No confirmed exploitation of affected customer installations as of filing date.

4 — Remediation plan

Patch status

In development — target release 2026-04-14

Planned remediation date

2026-04-21

Remediation description

Patch disables SSLv3, TLSv1.0 and TLS1.1 in the FTP server configuration. Only TLS 1.2 and TLS 1.3 will be accepted after patch deployment. Final Report to be filed by 2026-04-21.

CVD policy

Coordinated — 90 day disclosure window

Public disclosure planned

Yes — after patch available to all customers

Customers notified

Initial notice sent to 12 customers — 2026-04-07

Security advisory

Draft prepared — to be published after patch release

Submitted to ENISA — 2026-04-21 09:42 UTC · On time · Reference: ENISA-2026-FI-00847-FR · Case closed · Read only

1 — Incident resolution

Resolution status

Fully resolved — all installations patched

Fix version

B&R Automation Runtime b4.93

Patch deployment date

2026-04-14 (published) · 2026-04-21 (all customers confirmed)

Installations patched

47 / 47 — 100% remediated

Resolution description

Patch b4.93 disables all legacy TLS versions (SSLv3, TLSv1.0, TLS1.1) in the FTP server. Enforces TLS 1.2 minimum. All 47 affected installations confirmed patched by 2026-04-21. No customer reported any exploitation of the vulnerability prior to patching.

2 — Root cause (confirmed)

Root cause

Deliberate backwards compatibility — legacy TLS support was never disabled after initial product release

Systemic issue

Yes — same pattern present in 3 other components (addressed in b4.93)

Root cause description

During the 2018 release of Automation Runtime, legacy TLS support was included for compatibility with older SCADA clients. A process to review and deprecate protocol support over time was not established. The vulnerability was dormant until active exploitation toolkits targeting industrial TLS downgrade were observed in early 2026. SBOM scanning triggered detection on 2026-03-31.

3 — Customer notification

Customers notified

Yes — all 12 affected customers

Initial notice date

2026-04-07

Closure notice date

2026-04-21

Security advisory published

Yes — published 2026-04-21 at fter.io/security/SA-2026-001

4 — Lessons learned

Lessons learned

Legacy protocol support must be reviewed during each release cycle and deprecated on a defined schedule.
SBOM scanning now integrated into CI/CD pipeline — cryptographic primitive checks added to automated security gates.
Vulnerability response workflow improved: 72h report delayed due to unclear ownership of ENISA filing. Responsibility now documented in security runbook.
Customer notification template updated to remove pre-filled mitigation claims not verified by OEM.

Preventive measures implemented

CWE-1240 scan added to SBOM pipeline. Protocol deprecation policy documented. Security runbook updated with CRA reporting responsibility matrix. ENISA filing rehearsal scheduled for Q3 2026.

Early Warning

Submitted 2026-04-01 09:56 UTC

Submitted

72h Detailed Report

Submitted 2026-04-07 11:24 UTC (late)

Submitted

Final Report

Submitted 2026-04-21 09:42 UTC

Submitted

Authority reporting steps only · View full case (5 steps) →

Early Warning submitted to ENISA

Submitted: 2026-04-01 09:56 UTC · CVE-2024-0323 · 47 affected installations
Severity: Critical (CVSS 9.8) · Status: Actively exploited in the wild · Filed on time

Reference: ENISA-2026-FI-00847

72h Detailed Report submitted to ENISA

Submitted: 2026-04-07 11:24 UTC · 4 days late · CVE-2024-0323 · CVSS 9.8 Critical
WO-2343 created and assigned to M. Korhonen · Due 2026-04-21

Reference: ENISA-2026-FI-00847-DR

Final Report submitted to ENISA

Submitted: 2026-04-21 09:42 UTC · On time · CVE-2024-0323 · All 47 installations patched
Root cause confirmed · Lessons learned documented · Case closed 2026-04-21

Reference: ENISA-2026-FI-00847-FR

1

Early Warning

Due within 24h of becoming aware

Pending

2

72h Detailed Report

Available after Early Warning submitted

Upcoming

3

Final Report

Due 14 days after patch available

Upcoming

Authority reporting steps only · View full case (5 steps) →

AI Guidance Fields marked AI have been pre-filled from your SBOM and asset data. Review before submitting — you are legally responsible for accuracy.

1 — Incident identification

AI filled

CVE identifier * AI

Date / time of detection * AI

Severity * AI

Vulnerability status * AI

Brief description * AI

2 — Affected products & installations

AI filled

Manufacturer * AI

Product name * AI

Affected version(s) * AI

Affected installations * AI

Affected assets in installed base

Showing 5 of 47 — Export full list

Asset	Customer	Site	Component version	Status
H3020	Finjet Oy	Tampere	Automation Runtime b4.92	Open
H3060	Finjet Oy	Tampere	Automation Runtime b4.92	Open
KCR-2241	Konecranes	Hyvinkää	Automation Runtime b4.92	Open
VLM-0118	Valmet	Jyväskylä	Automation Runtime b4.91	Open
AND-0047	Andritz	Graz	Automation Runtime b4.90	Open

3 — Initial impact & mitigation

Potential impact *

Immediate mitigation *

Mitigation details

4 — Notifier information

Organisation name *

Contact name *

Contact email *

EU Member State *

72h Detailed Report — available after Early Warning is submitted

Submit the Early Warning above to unlock this step.

Stage 2 — Detailed Report

Required fields

0 / 12 completed

Was due 2026-04-03 09:56 UTC · 4 days overdue · Delay reason logged

AI Guidance Early Warning data has been pre-filled where applicable. This is the legally binding document under CRA Article 14 — complete all required fields. Root cause and remediation timeline are scrutinised most closely by ENISA.

A — Root cause analysis

Required

Root cause narrative *Reference CWE identifiers where applicable. ENISA may request clarification if vague.

Vulnerability category *

Attack vector

Were SBOMs current at time of detection? *✓ SBOM scan on 2026-03-31 identified CVE-2024-0323 in B&R Automation Runtime b4.92

B — Full impact assessment

AI filled

CVSS v3.1 vector string * AIAuto-populated from NVD. Edit if your deployment context differs.

CVSS base score * AI

Confidentiality impact

Integrity impact

Affected users / deployments * AI

Exploitation confirmed? * AI

Full impact description *

C — Remediation plan & timeline

Patch / fix status *

Fix version / identifier

Target remediation date *Date by which all affected assets will be patched or mitigated.

Estimated full resolution

Remediation description *

Interim mitigations applied

D — Coordinated vulnerability disclosure (CVD)

CVD policy in place? *

Security researcher involvement?

Public disclosure status *

National CSIRT coordination

Public advisory URLLeave blank if no public advisory yet.

E — User & customer notification

Customers notified? *

Notification date

Notification channels used

In-app notification

Email to security contacts

Security advisory page

Vendor bulletin / release note

Notification message summary

Assign next step — Final Report

Optional

Create a work order for the Final Report step

AI Guidance The Final Report is due within 14 days of patch availability (~2026-04-21). Creating a work order now notifies the assignee and tracks the deadline — skip if you manage this outside the system.

Assign to

Target due date 14 days after patch availability — adjust if known earlier.

Note to assignee

Stage 3 — Final Report

Required fields

0 / 10 completed

Due: 2026-04-21 · 14 days after patch availability — 14 days remaining

AI Guidance This is the closing document for CVE-2024-0323. Confirm patch deployment status, root cause resolution, and customer notification of closure. ENISA scrutinises the lessons-learned section — be specific about systemic changes made.

A — Vulnerability resolution

Required

Resolution status *

Fix version deployed *

Patch deployment completed *

Installations patched *All affected installations confirmed patched via SBOM re-scan.

Resolution description *

B — Root cause & lessons learned

Required

Root cause confirmed *

Systemic changes made to prevent recurrence *E.g. SBOM scan frequency increased, new supplier security requirements, automated TLS policy enforcement.

Was this vulnerability in scope of prior audits?

SBOM accuracy improvement action taken?

C — Customer notification of resolution

Customers notified of resolution? *

Notification date

Resolution notice summary

D — Coordinated vulnerability disclosure closure

Public advisory published? *

NVD / CVE record updated?

National CSIRT notified of closure?

Advisory URL

Assign next step — Confirm patch deployed

Optional

Create a work order to confirm patch deployment

AI Guidance Patch confirmation across all 47 machines is the final closure step. A work order keeps this tracked and assigned — skip if patch verification is handled elsewhere (e.g. your maintenance system).

Assign to

Target due date

Note to assignee

AI Guidance Content below is AI-generated — click any text to edit directly if it needs adjusting. Choose tone to match your audience — Executive for management, Technical for IT teams.

Security Status Report

CVE-2024-0323 · 12 customers · 47 affected installations · Initial notice · 2026-04-07

Executive summary AI

We are writing to inform you of a critical cybersecurity vulnerability (CVE-2024-0323) detected in the B&R Automation Runtime component installed in your equipment. The vulnerability enables potential interception of encrypted communications on affected machines. Immediate remediation is in progress and we expect full resolution within 14 days. No operational disruption has occurred. This notification is provided under our obligations under the EU Cyber Resilience Act (Article 14).

1

Critical CVE

47

Affected installations

12

Customers to notify

14

Days to resolve

Our remediation status

Patch under development — B&R Automation Runtime b4.93

CVE-2024-0323 · Target availability 2026-04-07 · Will be published for customer download on completion

Recommended next steps for your team

AI

1

Forward this notice to your IT/OT security team — they will need to be aware and plan a maintenance window for applying the patch once it becomes available.

2

Plan a maintenance window for patching your affected machines. The patch will be ready for you to download and apply — we will send download instructions in our closure report.

3

Watch for our closure report — when the patch is published we will send you download instructions and confirm the case is resolved. No action is needed from you until then.

Recipients · 12 customers ✓ 11 contacts found ⚠ 1 missing

Customer	Contact email	Installations
Finjet Oy	security@finjet.fi	6 machines	✓ Ready
Andritz AG	it-security@andritz.com	8 machines	✓ Ready
Konecranes Oyj	Contact not on file	3 machines
SSAB Sweden AB	cyber@ssab.com	12 machines	✓ Ready
Metso Corporation	security@metso.com	4 machines	✓ Ready
+ 7 more customers · all contacts found →

Konecranes Oyj will not receive this notice — contact missing. Add a contact or proceed and log the gap in your audit trail.

AI-generated content — review before sending

AI Guidance Content below is AI-generated — click any text to edit directly if it needs adjusting. Fill in how customers can get the patch — that is the only required field before sending.

Security Resolution Report

CVE-2024-0323 · 12 customers · 47 installations · Patch published 2026-04-07

Resolution summary AI

We are writing to confirm that the critical cybersecurity vulnerability CVE-2024-0323 affecting your equipment has been fully resolved. A patch for the B&R Automation Runtime component is now available and ready to apply. No data was compromised and no operational disruption occurred. This report is provided under our obligations under the EU Cyber Resilience Act (Article 14).

1

CVE resolved

47

Installations patched

12

Customers notified

6d

Time to resolve

How customers get the patch

Required to send

This text will appear as a highlighted block in the email. All other content is generated automatically.

What was resolved

B&R Automation Runtime patched to b4.93

CVE-2024-0323 · CVSS 9.8 · SSLv3/TLS1.0 vulnerability eliminated · Published 2026-04-07

Action required from your team

AI

1

Download and apply the patch using the instructions provided above. The patch resolves CVE-2024-0323 in B&R Automation Runtime and should be applied at your earliest convenience.

2

Plan a maintenance window if your process requires downtime for patching. The patch itself takes approximately 15 minutes per machine.

3

Confirm patch applied to your internal IT/OT team. No response back to us is required — your CRA obligations as an operator are met by applying the available patch.

Recipients · 12 customers ✓ 11 contacts found ⚠ 1 missing

Customer	Contact email	Installations
Finjet Oy	security@finjet.fi	6 machines	✓ Ready
Andritz AG	it-security@andritz.com	8 machines	✓ Ready
Konecranes Oyj	Contact not on file	3 machines
SSAB Sweden AB	cyber@ssab.com	12 machines	✓ Ready
Metso Corporation	security@metso.com	4 machines	✓ Ready
+ 7 more customers · all contacts found →

Konecranes Oyj will not receive this report — contact missing. Add a contact or proceed and log the gap in your audit trail.

AI-generated content — review before sending

1

24h Early Warning

Due 2026-04-02 14:23 UTC

Pending

2

72h Notification

Available after Early Warning submitted

Upcoming

3

Final Report

Due 1 month after 72h notification

Upcoming

Authority reporting steps only · View full case (5 steps) →

Monitoring Alert H3020 · Finjet Oy · Tampere — received 2026-04-01 14:21 UTC. Monitoring detected unauthorized PLC parameter modifications and a remote connection from 192.168.1.47 (not in known device registry). Parameters modified: feed rate limits and axis home positions. No safety systems affected. Activity pattern is consistent with unauthorized remote access. AI assessment: likely criminal/malicious intent. Awareness timestamp auto-logged: 2026-04-01 14:23 UTC — not editable.

Triage — confirm incident type

Required before reporting

AI Guidance This qualifies as a severe security incident under CRA Article 14 §3. Unauthorized control access has a direct impact on product security. The 24h Early Warning clock is running from 14:23 UTC. Confirm to start the reporting flow, or dismiss if this is an operational anomaly. Dismissals are logged for audit.

Stage 2 — 72h Incident Notification

Due: 2026-04-04 14:23 UTC — 71h 25m remaining

AI Guidance Early Warning data has been pre-filled where applicable. Provide a fuller account of the incident — its nature, initial severity assessment, mitigations taken, and what the customer should do. AI has drafted the customer notification from the asset and incident data. This is the primary document ENISA and CSIRT will act on.

A — Nature and assessment of the incident

Required

Incident type *

Initial severity assessment *

Incident description *

Is the incident ongoing? *

Cross-border impact? *

B — Corrective and mitigating measures

Measures taken *

Measures the customer can take

C — Customer notification

Required by Art. 14

Customer notified? *

Notification method

Notification message AI

INC-2026-FI-H4512 — HMI Ransomware Variant

H4512 · Metso Corp · Oulu, FI · Awareness logged 2026-04-02 09:10 UTC

Awareness: 2026-04-02 09:10 UTC — auto-logged

24h Early Warning

Submitted 2026-04-02 09:11 UTC

Submitted

2

72h Incident Notification

Due 2026-04-04 09:11 UTC

Pending

3

Final Report

1 month from 72h submission

Locked

Stage 1 — Early Warning submitted 2026-04-02 09:11 UTC

Reported to ENISA & CERT-FI. Suspected criminal intent: Yes. Affected product: H4512 · Oulu. Submission ID: EW-2026-FI-0042.

Stage 2 — 72h Incident Notification

CRA Article 14 §4(b)

AI Pre-fill Notification pre-filled from monitoring data and asset registry. Review all sections carefully — this is a legally binding submission.

A — Incident description & severity

Nature of incident AI

Severity assessment AI

Cross-border impact AI

B — Mitigations taken

Immediate mitigations AI

Customer guidance issued AI

C — Customer notification

AI Draft Customer notification drafted below. CRA Article 14 §8 requires you to inform affected users without undue delay.

Message to Metso Corp AI

Stage 3 — Final Report unlocks after 72h Notification submission

Stage 3 — Final Report

CRA Article 14 §4(c) · Due 2026-05-04

AI Guidance Final Report must be submitted within 1 month of the 72h Notification. It should document the full incident, confirmed root cause, threat actor assessment, and all remediation measures taken. AI has pre-filled sections from investigation data collected so far.

A — Detailed incident description

Full incident description AI

Timeline of events AI

B — Root cause & threat actor

Confirmed root cause AI

Threat actor assessment

Other products/customers affected?

C — Remediation & ongoing measures

Remediation completed AI

Preventive measures for fleet AI

Ref	Requirement	Status	Notes
Annex I §1	No known exploitable vulnerabilities at time of placing on market	✗ Not met	CVE-2024-0323 (CVSS 9.8) actively exploited in the wild
Annex I §2	Secure by default — no unnecessary services enabled, no universal passwords, secure protocols only	✗ Not met	SSLv3, TLS 1.0 & 1.1 enabled on FTP server by default
Annex I §3	Protect confidentiality, integrity and availability of data in transit and at rest	◑ Partial	HTTPS available but legacy cipher suites not disabled
Annex I §4	Minimal attack surface — disable unused ports, protocols and functions; least privilege	✗ Not met	FTP server active, legacy TLS exposed, unnecessary ports open
Annex I §5	Resilience against DoS attacks — product continues functioning under resource exhaustion attempts	✗ Not met	CVE-2024-0323 — B&R Automation Runtime exploitable remotely; rate limiting absent
Annex I §6	Limit negative impact on other devices and services in the event of a security incident	? Unknown	Network segmentation capability not assessed
Annex I §7	Security updates — patches can be applied, maintain integrity (signed), users notified	◑ Partial	Signed updates in place; update process and user notification not documented
Annex I §8	Minimise privacy impact by design — only process data necessary for intended function	? Unknown	No data flow mapping available for assessment

Ref	Requirement	Status	Notes
Annex I §9	Identify, document and address vulnerabilities — including third-party components (SBOM)	✓ Met	CycloneDX 1.5 SBOM, 95 components, automated CVE scan active
Annex I §10	Address vulnerabilities without undue delay — patch exploited or critical CVEs within 7 days	✗ Not met	CVE-2024-0323 (CVSS 9.8) detected 3 days ago — patch not yet applied
Annex I §11	Coordinated vulnerability disclosure — published CVD policy, accessible security contact	? Unknown	CVD policy not confirmed for this product
Annex I §12	Report actively exploited vulnerabilities to ENISA within 24 h (Early Warning) / 72 h (full report)	✗ Not met	Early Warning not yet submitted — 18h 42m until deadline
Annex I §13	Provide free security updates for at least 5 years (or product support lifetime if shorter)	? Unknown	Manufacturer update support policy not confirmed
Annex I §14	Publish information about remediated vulnerabilities after patches are released	? Unknown