CISA.gov
23 hours 49 minutes ago

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Optigo Networks
  • Equipment: ONS NC600
  • Vulnerability: Use of Hard-coded Credentials
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to establish an authenticated connection with the hard-coded credentials and perform OS command executions.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Optigo Networks ONS NC600 are affected:

  • ONS NC600: Versions 4.2.1-084 through 4.7.2-330
3.2 VULNERABILITY OVERVIEW 3.2.1

In Optigo Networks ONS NC600 versions 4.2.1-084 through 4.7.2-330, an attacker could connect with the device's ssh server and utilize the system's components to perform OS command executions.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Canada
3.4 RESEARCHER

Tomer Goldschmidt of Claroty Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Optigo Networks recommends users implement at least one of the following additional mitigations:

  • Use a dedicated NIC on the BMS computer and exclusively use the computer for connecting to OneView to manage your OT network configuration.
  • Set up a router firewall with a white list for the devices permitted to access OneView.
  • Connect to OneView via secure VPN.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to for more information on avoiding email scams.
  • Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • May 6, 2025: Initial Publication
CISA

CISA.gov
23 hours 49 minutes ago

1. EXECUTIVE SUMMARY
  • CVSS v4 6.1
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Milesight
  • Equipment: UG65-868M-EA
  • Vulnerability: Improper Access Control for Volatile Memory Containing Boot Code
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow any user with admin privileges to inject arbitrary shell commands.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of UG65-868M-EA, an industrial gateway, are affected:

  • UG65-868M-EA: Firmware versions prior to 60.0.0.46
3.2 VULNERABILITY OVERVIEW 3.2.1

An admin user can gain unauthorized write access to the /etc/rc.local file on the device, which is executed on a system boot.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 6.1 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: China
3.4 RESEARCHER

Joe Lovett of Pen Test Partners reported this vulnerability to CISA.

4. MITIGATIONS

Milesight released the latest firmware Version 60.0.0.46 for the UG65 gateway. Users can download the latest firmware from the

Please for more information about this issue and for instructions for installing the latest firmware.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Ensure that principles of least privilege are followed.
  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • May 6, 2025: Initial Publication
CISA

CISA.gov
23 hours 49 minutes ago

1. EXECUTIVE SUMMARY
  • CVSS v4 8.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: BrightSign
  • Equipment: Brightsign Players
  • Vulnerabilities: Execution with Unnecessary Privileges
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow for privilege escalation on the device, easily guessed passwords, or for arbitrary code to be executed on the underlying operating system.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Products using the following versions of BrightSign OS are affected:

  • BrightSign OS series 4 players: Versions prior to v8.5.53.1
  • BrightSign OS series 5 players: Versions prior to v9.0.166
3.2 VULNERABILITY OVERVIEW 3.2.1

BrightSign players running BrightSign OS series 4 prior to v8.5.53.1 or series 5 prior to v9.0.166 contain an execution with unnecessary privileges vulnerability, allowing for privilege escalation on the device once code execution has been obtained.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.5 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Financial Services, Food and Agriculture, Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

Adam Merrill, a member of the Adversarial Modeling and Penetration Testing (AMPT) team at Sandia National Laboratories, reported this vulnerability to CISA.

4. MITIGATIONS

BrightSign fixed in v8.5.53.1 (for series 4 players) and v9.0.166 (for series 5 players). Both of these have been released and available on the

BrightSign recommends the following security practices:

  • Change default passwords when the device is initially set up.
  • Disable the local DWS as described in "High Security settings".
  • Disable the SSH/telnet server when not being used - it is not enabled by default.
  • Devices should be located where an attacker does not have physical access to the device.
  • SD and USB ports can be disabled if not needed.

For more information, please

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • May 6, 2025: Initial Publication
CISA

CISA.gov
5 days 23 hours ago

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: KUNBUS
  • Equipment: Revolution Pi
  • Vulnerabilities: Missing Authentication for Critical Function, Authentication Bypass by Primary Weakness, Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to bypass authentication, gain unauthorized access to critical functions, and execute malicious server-side includes (SSI) within a web page.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of KUNBUS Revolution Pi are affected:

Revolution Pi OS Bookworm: Versions 01/2025 and earlier
Revolution Pi PiCtory: Versions 2.5.0 through 2.11.1
Revolution Pi PiCtory: Versions 2.11.1 and earlier

3.2 VULNERABILITY OVERVIEW 3.2.1

KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This can give an unauthenticated remote attacker full access to the Node-RED server where they can run arbitrary commands on the underlying operating system.

has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.2

KUNBUS PiCtory versions 2.5.0 through 2.11.1 have an authentication bypass vulnerability where a remote attacker can bypass authentication to get access due to a path traversal.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.3

KUNBUS PiCtory version 2.11.1 and earlier are vulnerable when an authenticated remote attacker crafts a special filename that can be stored by API endpoints. That filename is later transmitted to the client in order to show a list of configuration files. Due to a missing escape or sanitization, the filename could be executed as HTML script tag resulting in a cross-site-scripting attack.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.0 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.5 has been calculated; the CVSS vector string is ().

3.2.4

KUNBUS PiCtory version 2.11.1 and earlier are vulnerable to a cross-site-scripting attack via the sso_token used for authentication. If an attacker provides the user with a PiCtory URL containing an HTML script as an sso_token, that script will reply to the user and be executed.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 5.1 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Adam Bromiley of Pen Test Partners reported these vulnerabilities to CISA.

4. MITIGATIONS

KUNBUS has identified the following specific mitigations that users can apply to reduce risk:

  • Update PiCtory package to version 2.12

The preferred method for updating to version 2.12 is accomplished through KUNBUS's management UI Cockpit. However, users can also download the update package .

By end of April 2025, KUNBUS plans to release a new Cockpit plugin that helps the user to make configurations which are available in a graphical interface. In the meantime, it is recommended that users activate authentication. Please refer to this for help with activating authentication.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • May 1, 2025: Initial Publication
CISA

CISA.gov
1 week ago

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: ThinManager
  • Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Incorrect Default Permissions
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and cause a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of ThinManager, a software management platform, are affected:

  • ThinManager: Version 14.0.0 and prior
3.2 VULNERABILITY OVERVIEW 3.2.1

A denial-of-service vulnerability exists in Rockwell Automation ThinManager. The software fails to adequately verify the outcome of memory allocation while processing Type 18 messages. If exploited, a threat actor could cause a denial of service on the target software.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.2

A privilege escalation vulnerability exists in Rockwell Automation ThinManager. When the software starts up, files are deleted in the temporary folder causing the Access Control Entry of the directory to inherit permissions from the parent directory. If exploited, a threat actor could inherit elevated privileges.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.5 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States
3.4 RESEARCHER

An anonymous researcher working with Trend Micro's Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation encourages users to update ThinManager to v14.0.2 or later to mitigate CVE-2025-3617.

Rockwell Automation fixed CVE-2025-3618 in the following versions of ThinManager:

  • ThinManager v11.2.11
  • ThinManager v12.0.9
  • ThinManager v13.1.5
  • ThinManager v13.2.4
  • ThinManager v14.0.2
  • For information on how to mitigate security risks on industrial automation control systems, Rockwell Automation encourages users to implement their suggested to minimize the risk of the vulnerability.

For more information about these issues, please see the

can be used to generate more environment-specific prioritization.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 29, 2025: Initial Publication
CISA

CISA.gov
1 week ago

1. EXECUTIVE SUMMARY
  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Delta Electronics
  • Equipment: ISPSoft
  • Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Write
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of ISPSoft are affected:

  • ISPSoft: Versions 3.19 and prior
3.2 VULNERABILITY OVERVIEW 3.2.1

Delta Electronics ISPSoft Versions 3.19 and prior are vulnerable to a stack-based buffer overflow vulnerability that could allow an attacker to leverage debugging logic to execute arbitrary code when parsing CBDGL files.

has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.4 has been calculated; the CVSS vector string is ().

3.2.2

Delta Electronics ISPSoft Versions 3.19 and prior are vulnerable to an out-of-bounds write vulnerability that could allow an attacker to execute arbitrary code when parsing DVP files.

has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.4 has been calculated; the CVSS vector string is ().

3.2.3

Delta Electronics ISPSoft Versions 3.19 and prior are vulnerable to a stack-based buffer overflow vulnerability that could allow an attacker to execute arbitrary code when parsing DVP files.

has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.4 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER

Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics recommends users to update to

For more information, see .

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • April 29, 2025: Initial Publication
CISA

CISA.gov
1 week 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Modicon M580, Modicon M340, Modicon Premium, and Modicon Quantum
  • Vulnerabilities: Trust Boundary Violation, Uncaught Exception, Exposure of Sensitive Information to an Unauthorized Actor, Authentication Bypass by Spoofing, Improper Access Control, Reliance on Untrusted Inputs in a Security Decision, Out-of-bounds Read
2. RISK EVALUATION

Successful exploitation of these vulnerabilities may risk execution of unsolicited command on the PLC, which could result in a loss of availability of the controller.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

  • Modicon M580: All versions prior to 2.90 (CVE-2018-7846, CVE-2018-7849, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7853, CVE-2018-7854, CVE-2019-6808, CVE-2019-6828, CVE-2019-6829, CVE-2019-6809)
  • Modicon Momentum CPU (part numbers 171CBU*): All versions (CVE-2018-7857)
  • Modicon Quantum: All versions prior to 3.60 (CVE-2018-7843, CVE-2018-7845, CVE-2018-7852, CVE-2018-7856, CVE-2019-6807)
  • Modicon Quantum: All versions (CVE-2018-7846, CVE-2018-7849, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7855, CVE-2018-7857, CVE-2019-6806, CVE-2019-6808, CVE-2018-7844, CVE-2019-6828, CVE-2019-6809)
  • Modicon Premium: All versions (CVE-2018-7846, CVE-2018-7849, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7855, CVE-2018-7857, CVE-2019-6806, CVE-2019-6808, CVE-2018-7844, CVE-2019-6828, CVE-2019-6809)
  • Modicon Premium: All versions prior to 3.60 (CVE-2018-7852, CVE-2019-6807)
  • PLC Simulator for EcoStruxure Control Expert: All versions prior to 15.1 (CVE-2018-7857)
  • Modicon Premium: All versions prior to 3.20 (CVE-2018-7843, CVE-2018-7845, CVE-2018-7852, CVE-2018-7856, CVE-2019-6807)
  • Modicon Momentum Unity M1E Processor (part numbers 171CBU*): All versions prior to SV2.6 (CVE-2018-7857, CVE-2019-6807)
  • Modicon M580: All versions prior to sv4.20 (CVE-2018-7855)
  • Modicon M340: All versions prior to SV3.60 (CVE-2018-7855)
  • Modicon MC80: All versions (CVE-2018-7855)
  • Modicon Momentum M1E: All versions (CVE-2018-7855)
  • Modicon M580: All versions prior to 2.80 (CVE-2018-7843, CVE-2018-7845, CVE-2018-7852, CVE-2018-7856, CVE-2019-6807, CVE-2019-6830)
  • Modicon Quantum Safety: All versions (CVE-2018-7846, CVE-2018-7849, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7852, CVE-2018-7855, CVE-2018-7857, CVE-2019-6806, CVE-2019-6808, CVE-2018-7844)
  • Modicon M340: All versions prior to 3.10 (CVE-2018-7846, CVE-2018-7849, CVE-2018-7843, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7845, CVE-2018-7852, CVE-2018-7854, CVE-2018-7856, CVE-2019-6807, CVE-2019-6808, CVE-2019-6828, CVE-2019-6829, CVE-2019-6809)
  • Modicon M340: All versions (CVE-2018-7857, CVE-2019-6806, CVE-2018-7844)
  • Modicon M580: All versions (CVE-2018-7857, CVE-2019-6806, CVE-2018-7844)
  • Modicon MC80 BMKC80*: Versions prior to 1.80 (CVE-2018-7857)
3.2 VULNERABILITY OVERVIEW 3.2.1

A trust boundary violation vulnerability on connection to the controller exists, which could cause unauthorized access by conducting a brute force attack on Modbus protocol to the controller.

has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 6.9 has been calculated; the CVSS vector string is ().

3.2.2

An uncaught exception vulnerability exists, which could cause a possible denial-of-service due to improper data integrity check when sending files to the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.3

An uncaught exception vulnerability exists, which could cause denial-of-service when reading memory blocks with an invalid data size or with an invalid data offset in the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.4

An information exposure vulnerability exists, which could cause the disclosure of SNMP information when reading files from the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.2 has been calculated; the CVSS vector string is ().

3.2.5

An authentication bypass by spoofing vulnerability exists, which could cause an elevation of privilege by conducting a brute force attack on Modbus parameters sent to the controller.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.6

An improper access control vulnerability exists, which could cause denial-of-service or potential code execution by overwriting configuration settings of the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.7

A reliance on untrusted inputs in a security decision vulnerability exists, which could cause invalid information displayed in Unity Pro software.

has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.8

An out-of-bounds read vulnerability exists, which could cause the disclosure of unexpected data from the controller when reading specific memory blocks in the controller over Modbus

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.9

An uncaught exception vulnerability exists, which could cause denial-of-service when an invalid private command parameter is sent to the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.10

An uncaught exception vulnerability exists, which could cause denial-of-service when reading invalid physical memory blocks in the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.11

An uncaught exception vulnerability exists, which could cause a denial-of-service when sending invalid debug parameters to the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.12

An uncaught exception vulnerability exists, which could cause a denial-of-service when sending invalid breakpoint parameters to the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.13

An uncaught exception vulnerability exists, which could cause a possible denial-of-service when writing invalid memory blocks to the controller over Modbus

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.14

An uncaught exception vulnerability exists, which could cause a possible denial-of-service when writing out-of-bounds variables to the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.15

An information exposure vulnerability exists, which could cause the disclosure of SNMP information when reading variables in the controller using Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.16

An uncaught exception vulnerability could cause a possible denial-of-service when writing sensitive application variables to the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.17

An uncaught exception vulnerability exists, which could cause a remote code execution by overwriting configuration settings of the controller over Modbus

has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 10.0 has been calculated; the CVSS vector string is ().

3.2.18

An exposure of sensitive information to an unauthorized actor vulnerability could cause a remote code execution by overwriting configuration settings of the controller over Modbus

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.19

An uncaught exception vulnerability could cause a possible denial-of-service when sending an appropriately timed HTTP request to the controller.

has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.2 has been calculated; the CVSS vector string is ().

3.2.20

An uncaught exception vulnerability could cause a possible denial-of-service when reading specific coils and registers in the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.21

An uncaught exception vulnerability could cause a possible denial-of-service when writing to specific memory addresses in the controller over Modbus.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.22

An uncaught exception vulnerability exists cause a possible denial-of-service when reading invalid data from the controller.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for  . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER

These vulnerabilities were reported to Schneider Electric by the following researchers:
Jared Rittle of Cisco Talos, Pavel Nesterov, Artem Zinenko of Kaspersky, Gao Jian of ns focus, and Dong Yang of Dingxiang Dongjian Security Lab.

4. MITIGATIONS

Schneider Electric has identified the following specific mitigations users can apply to reduce risk. Please see SEVD-2019-134-11 for detailed update steps.

Modicon M580:

  • A fix is available for (CVE-2018-7846, CVE-2018-7849, CVE-2018-7848, CVE-2018-7842, CVE-2018-7845, CVE-2018-7847, CVE-2018-7850, CVE-2018-7853, CVE-2018-7854, CVE-2018-7856, CVE-2018-7857, CVE-2019-6808, CVE-2019-6828, CVE-2019-6829, CVE-2019-6830, CVE-2019-6809) on Modicon M580 firmware V3.10.
  • A fix is available for (CVE-2018-7843, CVE-2018-7852, CVE-2019-6807) on Modicon M580 firmware V2.80.

Modicon M340:

  • A fix is available for (CVE-2018-7846, CVE-2018-7849, CVE-2018-7843, CVE-2018-7848, CVE-2018-7842, CVE-2018-7847, CVE-2018-7850, CVE-2018-7845, CVE-2018-7852, CVE-2018-7854, CVE-2018-7856, CVE-2019-6807, CVE-2019-6808, CVE-2019-6828, CVE-2019-6829, CVE-2019-6809) on Modicon M340 firmware V3.20.

Modicon MC80:

  • A fix is available for (CVE-2018-7857) on Modicon MC80 (part numbers BMKC80*).

Modicon Premium Modicon Momentum Unity M1E Processor:

  • A fix is available for (CVE-2019-6807, CVE-2018-7857) on (part numbers 171CBU*) <SV2.6.

Modicon Quantum:

  • A fix is available for (CVE-2018-7845, CVE-2018-7856) on Modicon Quantum V3.60.
  • There is no fix available for (CVE-2018-7842, CVE-2018-7843, CVE-2018-7844, CVE-2018-7846, CVE-2018-7847, CVE-2018-7848, CVE-2018-7849, CVE-2018-7850, CVE-2018-7852, CVE-2018-7855, CVE-2018-7857, CVE-2019-6806, CVE-2019-6807, CVE-2019-6808, CVE-2019-6809, CVE-2019-6828). Schneider Electric's Modicon Quantum and Quantum Safety controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 or M580 Safety ePAC controller, the most current product offer. Users should strongly consider migrating to the Modicon M580 ePAC. Please contact a local Schneider Electric technical support for more information.

Modicon Premium:

  • A fix is available for (CVE-2018-7845, CVE-2018-7856) on Modicon Premium V3.20, please contact Schneider Electric customer support to get the
  • There is no fix available for (CVE-2018-7842, CVE-2018-7843, CVE-2018-7844, CVE-2018-7847, CVE-2018-7848, CVE-2018-7849, CVE-2018-7850, CVE-2018-7852, CVE-2018-7855, CVE-2018-7857, CVE-2019-6806, CVE-2019-6807, CVE-2019-6808, CVE-2019-6809, CVE-2019-6828). Schneider Electric's Modicon Premium controllers have reached their end of life and are no longer commercially available. They have been replaced by the Modicon M580 ePAC controller, the most current product offer. Users should strongly consider migrating to the Modicon M580 ePAC. Please contact a local Schneider Electric technical support for more information.

PLC Simulator for EcoStruxure Control Expert:

  • A fix is available for (CVE-2018-7857) on PLC Simulator.

Schneider Electric recommends the following to help mitigate weaknesses in the management of Modbus protocol:

  • Set up an application password in the project properties.
  • Set up network segmentation and implement a firewall to block all unauthorized access to Port 502/TCP.
  • Configure the access control list following the recommendations of user manuals.
  • Set up secure communication according to the guidelines for the product.
  • Consider use of an external firewall device.
  • Please see SEVD-2019-134-11 for detailed mitigation information.

For more information see the associated Schneider Electric security advisory , .

Schneider Electric strongly recommends the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the "Program" mode.
  • Never connect programming software to any network other than the network for the devices that it is intended.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow laptops that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems, and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to for more information on avoiding email scams.
  • Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 24, 2025: Initial Publication
CISA

CISA.gov
1 week 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 8.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ALBEDO Telecom
  • Equipment: Net.Time - PTP/NTP clock
  • Vulnerability: Insufficient Session Expiration
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following version of Net.Time - PTP/NTP clock is affected:

  • Net.Time - PTP/NTP clock (Serial No. NBC0081P): Software release 1.4.4
3.2 VULNERABILITY OVERVIEW 3.2.1

The affected product is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.5 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Financial Services, Information Technology
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Spain
3.4 RESEARCHER

Khalid Markar, Parul Sindhwad & Dr. Faruk Kazi from CoE-CNDS Lab reported this vulnerability to CISA.

4. MITIGATIONS

ALBEDO Telecom has identified the following mitigations users can apply to reduce risk:

  • Net.Time - PTP/NTP clock (Serial No. NBC0081P) Software release 1.4.4: Update to v1.6.1

For more information, please

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to for more information on avoiding email scams.
  • Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 24, 2025: Initial Publication
CISA

CISA.gov
1 week 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Vestel
  • Equipment: AC Charger
  • Vulnerability: Exposure of Sensitive System Information to an Unauthorized Control Sphere
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker access to sensitive information, such as credentials which could subsequently enable them to cause a denial of service or partial loss of integrity of the charger.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of AC Charger are affected:

  • AC Charger EVC04: Version 3.75.0
3.2 VULNERABILITY OVERVIEW 3.2.1

Affected versions of the Vestel AC Charger contain a vulnerability that could enable an attacker to access files containing sensitive information, such as credentials which could be used to further compromise the device.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Turkey
3.4 RESEARCHER

Cumhur Kizilari reported this vulnerability to CISA.

4. MITIGATIONS

Vestel strongly suggests that users of the related AC chargers update to V3.187 or a higher version.

Vestel also recommends the following mitigations to reduce risk:

Avoid using open networks:

  • Use secure methods like Virtual Private Networks (VPNs) for remote access. Regularly update VPNs to their latest versions and ensure that connected devices maintain strong security measures.
  • Reduce network exposure for applications and endpoints. Only make them accessible via the Internet if specifically designed for and required by their intended use.

Login Credentials Management:

  • Force the end user to change the factory default username and password of the web configuration page.
  • Remove any printed documents such as installation guides, instruction books, and quick start guides from the web where login credentials are featured.

Please refer to Vestel's for more information.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to for more information on avoiding email scams.
  • Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 24, 2025: Initial Publication
CISA

CISA.gov
1 week 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Nice
  • Equipment: Linear eMerge E3
  • Vulnerability: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary OS commands.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Nice Linear eMerge E3 are affected:

  • Linear eMerge E3: Versions 1.00-07 and prior
3.2 VULNERABILITY OVERVIEW 3.2.1

The Linear eMerge e3-Series through version 1.00-07 is vulnerable to an OS command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary OS commands via the login_id parameter when invoking the forgot_password functionality over HTTP.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Italy
3.4 RESEARCHER

Noam Rathaus of SSD Secure Disclosure reported this vulnerability to CISA.

4. MITIGATIONS

Nice did not indicate if/when a patch would be developed. Please see for the latest information on product security.

Nice also recommends the following defensive measures to minimize the risk of exploitation of this vulnerability:

  • Minimize network exposure of devices, ensuring they are not accessible from the internet.
  • Place the devices behind firewalls and isolate them from other networks.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Keep your VPNs as up-to-date as possible.
  • Change default credentials on the device.
  • Change the default IP address of the device.

See for additional information.

Users should with any questions.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 24, 2025: Initial Publication
CISA

CISA.gov
1 week 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Johnson Controls Inc.
  • Equipment: iSTAR Configuration Utility (ICU)
  • Vulnerability: Stack-based Buffer Overflow
2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Johnson Controls reports the following versions of ICU are affected:

  • ICU: Versions prior to 6.9.5
3.2 VULNERABILITY OVERVIEW 3.2.1

Under certain circumstances, the ICU tool can have a buffer overflow issue.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Services and Facilities, Transportation Systems, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland
3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to Johnson Controls, Inc.

4. MITIGATIONS

Johnson Controls recommends users upgrade ICU to Version 6.9.5 or greater.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory .

Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 24, 2025: Initial Republication of Johnson Controls JCI-PSA-2025-04
CISA

CISA.gov
1 week 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Planet Technology
  • Equipment: Planet Technology Network Products
  • Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Use of Hard-coded Credentials, Missing Authentication for Critical Function
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to read or manipulate device data, gain administrative privileges, or alter database entries.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Planet Technology products are affected:

  • UNI-NMS-Lite: Versions 1.0b211018 and prior
  • NMS-500: All Versions
  • NMS-1000V: All Versions
  • WGS-804HPT-V2: Versions 2.305b250121 and prior
  • WGS-4215-8T2S: Versions 1.305b241115 and prior
3.2 VULNERABILITY OVERVIEW 3.2.1

UNI-NMS-Lite, NMS-500 and NMS-1000 are vulnerable to a command injection attack that could allow an unauthenticated attacker to read or manipulate device data.

has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.2

WGS-80HPT-V2 and WGS-4215-8T2S are vulnerable to a command injection attack that could allow an unauthenticated attacker to execute OS commands on the host system.

has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.3

All affected products use hard-coded credentials that could allow an unauthenticated attacker to gain administrative privileges to all UNI-NMS managed devices.

has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.4

UNI-NMS-Lite, NMS-500 and NMS-1000 use hard-coded credentials that could allow an unauthenticated attacker to read, manipulate and create entries in the managed database.

has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.5

WGS-80HPT-V2 and WGS-4215-8T2S are missing authentication that could allow an attacker to create an administrator account without knowing any existing credentials.

has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan
3.4 RESEARCHER

Kev Breen of Immersive reported these vulnerabilities to CISA.

4. MITIGATIONS

Planet Technology has released patches for the following devices:

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 24, 2025: Initial Publication
CISA

CISA.gov
2 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see 

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: TeleControl Server Basic
  • Vulnerabilities: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to read and write to the application's database, cause a denial-of-service condition, and execute code in an OS shell.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • TeleControl Server Basic: versions prior to V3.1.2.2
3.2 VULNERABILITY OVERVIEW 3.2.1

The affected application is vulnerable to SQL injection through the internally used 'CreateTrace' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.2

The affected application is vulnerable to SQL injection through the internally used 'VerifyUser' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.3

The affected application is vulnerable to SQL injection through the internally used 'Authenticate' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.4

The affected application is vulnerable to SQL injection through the internally used 'RestoreFromBackup' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.5

The affected application is vulnerable to SQL injection through the internally used 'UpdateConnectionVariables' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.6

The affected application is vulnerable to SQL injection through the internally used 'UpdateProjectConnections' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.7

The affected application is vulnerable to SQL injection through the internally used 'ImportDatabase' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.8

The affected application is vulnerable to SQL injection through the internally used 'UpdateUsers' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.9

The affected application is vulnerable to SQL injection through the internally used 'UpdateDatabaseSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.10

The affected application is vulnerable to SQL injection through the internally used 'UpdateTcmSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.11

The affected application is vulnerable to SQL injection through the internally used 'UpdateSmtpSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.12

The affected application is vulnerable to SQL injection through the internally used 'UpdateBufferingSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.13

The affected application is vulnerable to SQL injection through the internally used 'CreateProject' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.14

The affected application is vulnerable to SQL injection through the internally used 'UpdateGateways' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.15

The affected application is vulnerable to SQL injection through the internally used 'UpdateOpcSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.16

The affected application is vulnerable to SQL injection through the internally used 'UpdateProject' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.17

The affected application is vulnerable to SQL injection through the internally used 'DeleteProject' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.18

The affected application is vulnerable to SQL injection through the internally used 'LockProject' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.19

The affected application is vulnerable to SQL injection through the internally used 'UnlockProject' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.20

The affected application is vulnerable to SQL injection through the internally used 'GetProjects' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.21

The affected application is vulnerable to SQL injection through the internally used 'GetActiveProjects' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.22

The affected application is vulnerable to SQL injection through the internally used 'ActivateProject' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.23

The affected application is vulnerable to SQL injection through the internally used 'UpdateProjectCrossCommunications' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.24

The affected application is vulnerable to SQL injection through the internally used 'LockProjectCrossCommunications' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.25

The affected application is vulnerable to SQL injection through the internally used 'UnlockProject' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.26

The affected application is vulnerable to SQL injection through the internally used 'UpdateProjectUserRights' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.27

The affected application is vulnerable to SQL injection through the internally used 'LockProjectUserRights' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.28

The affected application is vulnerable to SQL injection through the internally used 'UnlockProjectUserRights' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.29

The affected application is vulnerable to SQL injection through the internally used 'UpdateConnectionVariablesWithImport' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.30

The affected application is vulnerable to SQL injection through the internally used 'UpdateConnectionVariableArchivingBuffering' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.31

The affected application is vulnerable to SQL injection through the internally used 'GetConnectionVariables' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.32

The affected application is vulnerable to SQL injection through the internally used 'GetActiveConnectionVariables' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.33

The affected application is vulnerable to SQL injection through the internally used 'ImportConnectionVariables' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.34

The affected application is vulnerable to SQL injection through the internally used 'GetGateways' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.35

The affected application is vulnerable to SQL injection through the internally used 'LockGateway' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.36

The affected application is vulnerable to SQL injection through the internally used 'UnlockGateway' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.37

The affected application is vulnerable to SQL injection through the internally used 'GetUsers' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.38

The affected application is vulnerable to SQL injection through the internally used 'LockUser' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.39

The affected application is vulnerable to SQL injection through the internally used 'UnlockUser' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.40

The affected application is vulnerable to SQL injection through the internally used 'UpdateGeneralSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.41

The affected application is vulnerable to SQL injection through the internally used 'LockGeneralSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.42

The affected application is vulnerable to SQL injection through the internally used 'UnlockGeneralSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.43

The affected application is vulnerable to SQL injection through the internally used 'LockSmtpSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.44

The affected application is vulnerable to SQL injection through the internally used 'UnlockSmtpSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.45

The affected application is vulnerable to SQL injection through the internally used 'LockTcmSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.46

The affected application is vulnerable to SQL injection through the internally used 'UnlockTcmSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.47

The affected application is vulnerable to SQL injection through the internally used 'LockDatabaseSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.48

The affected application is vulnerable to SQL injection through the internally used 'UnlockDatabaseSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.49

The affected application is vulnerable to SQL injection through the internally used 'LockOpcSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.50

The affected application is vulnerable to SQL injection through the internally used 'UnlockOpcSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.51

The affected application is vulnerable to SQL injection through the internally used 'LockBufferingSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.52

The affected application is vulnerable to SQL injection through the internally used 'UnlockBufferingSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.53

The affected application is vulnerable to SQL injection through the internally used 'UpdateWebServerGatewaySettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.54

The affected application is vulnerable to SQL injection through the internally used 'LockWebServerGatewaySettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.55

The affected application is vulnerable to SQL injection through the internally used 'UnlockWebServerGatewaySettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.56

The affected application is vulnerable to SQL injection through the internally used 'UpdateTraceLevelSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.57

The affected application is vulnerable to SQL injection through the internally used 'LockTraceLevelSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.58

The affected application is vulnerable to SQL injection through the internally used 'UnlockTraceLevelSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.59

The affected application is vulnerable to SQL injection through the internally used 'GetSettings' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.60

The affected application is vulnerable to SQL injection through the internally used 'CreateLog' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.61

The affected application is vulnerable to SQL injection through the internally used 'GetLogs' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.62

The affected application is vulnerable to SQL injection through the internally used 'CreateBackup' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.63

The affected application is vulnerable to SQL injection through the internally used 'ExportCertificate' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.64

The affected application is vulnerable to SQL injection through the internally used 'ImportCertificate' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.65

The affected application is vulnerable to SQL injection through the internally used 'GetTraces' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.66

The affected application is vulnerable to SQL injection through the internally used 'MigrateDatabase' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.67

The affected application is vulnerable to SQL injection through the internally used 'GetOverview' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is executed on.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Trend Micro Zero Day Initiative coordinated CVE-2025-32475, CVE-2025-31353, CVE-2025-31352, CVE-2025-31351, CVE-2025-31350, CVE-2025-31349, CVE-2025-31343, CVE-2025-30032, CVE-2025-30031, CVE-2025-30030, CVE-2025-30003, CVE-2025-30002, CVE-2025-29905, CVE-2025-27540, CVE-2025-27539, and CVE-2025-27495 with Siemens.

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • TeleControl Server Basic: Restrict access to port 8000 on the affected systems to trusted IP addresses only.
  • TeleControl Server Basic: Update to V3.1.2.2 or .

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the .

For more information see the associated Siemens security advisory SSA-443402 in and .

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 22, 2025: Initial Republication of Siemens ProductCERT SSA-443402
CISA

CISA.gov
2 weeks ago

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see 

1. EXECUTIVE SUMMARY
  • CVSS v4 6.3
  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: TeleControl Server Basic
  • Vulnerability: Improper Handling of Length Parameter Inconsistency
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • TeleControl Server Basic: Versions prior to V3.1.2.2
3.2 VULNERABILITY OVERVIEW 3.2.1

The affected product does not properly validate a length field in a serialized message, which it uses to determine the amount of memory to be allocated for deserialization. This could allow an unauthenticated remote attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a partial denial-of-service condition. Successful exploitation is only possible in redundant TeleControl Server Basic setups and only if the connection between the redundant servers has been disrupted.

has been assigned to this vulnerability. A CVSS v3.1 base score of 3.7 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 6.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER

Jin Huang from ADLab of Venustech coordinated this vulnerability with Siemens.

4. MITIGATIONS

Siemens has released a new version for TeleControl Server Basic and recommends to update to the latest version.

  • Update to V3.1.2.2 or .

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Disable TeleControl Server Basic redundancy, if not used.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the .

For more information see the associated Siemens security advisory SSA-395348 in and .

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY
  • April 22, 2025: Initial Republication of Siemens ProductCERT SSA-395348
CISA

CISA.gov
2 weeks ago

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Wiser Home Controller WHC-5918A
  • Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disclose sensitive credentials.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports the following products are affected:

  • Wiser Home Controller WHC-5918A: All versions
3.2 VULNERABILITY OVERVIEW 3.2.1

An information exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device.

has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric reports the Wiser Home Controller WHC-5918A product has been discontinued and is out of support. Users should consider upgrading to the latest product offering, C-Bus, Home Controller, SpaceLogic IP, Free Standing, 24V DC, 5200WHC2, or removing the Wiser Home Controller WHC-5918A from service.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to for more information on avoiding email scams.
  • Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 22, 2025: Initial Republication of Schneider Electric Advisory SEVD-2024-191-01
CISA

CISA.gov
2 weeks ago

1. EXECUTIVE SUMMARY
  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ABB
  • Equipment: MV Drives
  • Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Out-of-bounds Write
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the drive or cause a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

ABB reports that the following MV Drives are affected by CODESYS RTS (Runtime System) vulnerabilities:

  • ACS6080: LAAAA 2.10.0 to LAAAB 5.06.1
  • ACS5000: LAAAB 4.03.0 to LAAAB 5.06.1
  • ACS6000: LAAAA 2.10.0 to LAAAB 5.06.1
3.2 VULNERABILITY OVERVIEW 3.2.1

The CODESYS Control runtime system does not restrict the memory access. An improper restriction of operations within the bounds of a memory buffer allows an attacker with access to the drive with user privileges to gain full access of the drive.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.2

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.3

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.4

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.5

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.6

In multiple versions of various CODESYS products, after a user successfully authenticates, specially crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.7

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.8

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.9

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.10

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.11

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.12

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.13

After successful user authentication in multiple versions of various CODESYS products, specifically crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.14

After successful user authentication in multiple versions of various CODESYS products, specifically crafted network communication requests with inconsistent content can cause the CmpAppForce component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.15

After successful user authentication in multiple versions of various CODESYS products, specifically crafted network communication requests with inconsistent content can cause the CmpAppForce component to read from an invalid internal address, potentially leading to a denial-of-service condition.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland
3.4 RESEARCHER

ABB reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB recommends users apply a firmware update as soon as possible to the latest firmware, i.e. LAAAB v. 5.07 and higher, for the affected products. ABB has addressed the CODESYS Runtime System vulnerabilities by disabling the IEC online programming communication by default. As a result, CODESYS communication between affected products and the ABB Automation Builder or ABB Drive Application Builder tools is disabled.
It should be noted that the CODESYS application continues to run on the Drive and if it is necessary to establish communication with CODESYS RTS, for example to debug the CODESYS application, this is possible through the drive parameter configuration. Open the user lock via the "96.02 Pass code" parameter and make sure that bit 9 "Enable online IEC programming" is set to TRUE in the "96.102 User lock functionality" parameter. IMPORTANT: After this task, be sure to disable CODESYS communication by setting the bit back to FALSE.
A future firmware update is planned to update the CODESYS RTS library, which will further strengthen defenses for the vulnerabilities mentioned above.

ABB recommends the following mitigating factors:
To exploit these vulnerabilities, a successful login to the affected product is required. This can be achieved by one of the following methods:

  • Connecting a computer to the Drive that is running or .
  • Having access to the local network where the drive is located. In this case, an attacker could send malformed packets directly to the drive.
    To make the attack more difficult and less likely to succeed, provide network isolation where the drive is located and ensure that no computer running Drive Automation Builder or Drive Composer is connected to the drive without proper security controls. Please refer to "General security recommendations" for further advise on how to keep drive secure.

ABB proposes the following workaround to mitigate this threat for situations where the above actions are not feasible:

  • Set bit 2 "Disable file download" to TRUE in the "96.102 User lock functionality" parameter.
    Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors. Please see below to understand possible reduced functionality of the drive. IMPORTANT: Contact a qualified and certified ABB personnel for more information about the parameter handling of the affected products.
    Impact of workaround: This workaround restricts the updating of IEC programs, but existing IEC programs on Drives can still be used. To update an IEC program, the operator must unlock the user lock and enable file download in a protected network environment. It is highly recommended to disable file download, as vulnerabilities are more easily exploitable when file download is enabled. WARNING: The user lock cannot be opened even by ABB if the pass code is lost.

For more information, see

ABB strongly recommends the following general cybersecurity practices for any installation of software-related products (this list is non-exhaustive):

  • Isolate special purpose networks (e.g., automation systems) and remote devices behind firewalls, and separate them from any general-purpose network (e.g., office or home networks).
  • Install physical controls to prevent unauthorized personnel from accessing devices, components, peripheral equipment, and networks.
  • Never connect programming software or computers containing programming software to any network other than the network intended for the devices.
  • Scan all data imported into your environment before use to detect potential malware infections.
  • Minimize network exposure for all applications and endpoints to ensure they are not accessible from the Internet unless designed for such exposure and required for the intended use.
  • Ensure all nodes are always up to date with installed software, operating system, and firmware patches, as well as anti-virus and firewall protections.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
  • Install the drive in a secure location accessible only to authorized personnel.
  • Install physical controls to ensure only authorized personnel can access devices connected to the drive (e.g., computers, peripheral equipment, and networks).
  • Avoid connecting computers containing Drive Automation Builder programming software to any network other than the network intended for the devices.
  • Ensure security controls are followed on computers connected to the drive, such as installing updated security patches, firewalls, and anti-virus software, and running only authorized software. It is the user's responsibility to ensure these conditions.
  • More information on recommended practices can be found in

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to for more information on avoiding email scams.
  • Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 22, 2025: Initial Republication of ABB PSIRT 9AKK108470A9989
CISA

CISA.gov
2 weeks 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 5.4
  • ATTENTION: Low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Trio Q Licensed Data Radio
  • Vulnerabilities: Insecure Storage of Sensitive Information, Initialization of a Resource with an Insecure Default
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access confidential information, compromise the integrity, or affect the availability of the affected product.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

  • Schneider Electric Trio Q Licensed Data Radio: Versions prior to 2.7.2
3.2 VULNERABILITY OVERVIEW 3.2.1

An insecure storage of sensitive information vulnerability exists that could potentially lead to unauthorized access to confidential data when a malicious user with physical access and advanced knowledge of the filesystem sets the radio to factory default mode.

has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 4.1 has been calculated; the CVSS vector string is ().

3.2.2

An incorrect initialization of resource vulnerability exists that could lead to a loss of confidentiality when a malicious user with physical access sets the radio to factory default mode, causing the product to not correctly initialize all data.

has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 4.1 has been calculated; the CVSS vector string is ().

3.2.3

An initialization of a resource with an insecure default vulnerability exists that could potentially lead to unauthorized access, resulting in the loss of confidentiality, integrity, and availability when a malicious user with physical access sets the radio to factory default mode.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 5.4 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER

Schneider Electric CPCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Version v2.7.2 of the TRIO Q Data Radio firmware includes fixes for the identified vulnerabilities and is .
  • Follow the instructions in Section 10 Part J – Firmware Updating and Maintenance in the Trio Q Series Data Radio User Manual. This section provides information on how to download, install, and verify the new

If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploitation:

  • Install Trio Data Radios in a secure location to prevent physical access by unauthorized personnel, and ensure they are securely disposed of when decommissioned.
  • Confirm the firmware loaded in Trio Data Radios using the hash published with the release notes, and follow the instructions in Section 10 Part J – Firmware Updating and Maintenance in the Trio Q Series Data Radio User Manual. This section provides information on how to download, install, and verify the new

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-098-02 , .

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY
  • April 17, 2025: Initial Republication of Schneider Electric SEVD-2025-098-02
CISA

CISA.gov
2 weeks 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Sage series
  • Vulnerabilities: Out-of-bounds Write, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Incorrect Default Permissions, Unchecked Return Value, Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'), Out-of-bounds Read
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to compromise the impacted device, leading to loss of data, loss of operation, or impacts to the performance of the device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

  • Sage 1410: Versions C3414-500-S02K5_P8 and prior
  • Sage 1430: Versions C3414-500-S02K5_P8 and prior
  • Sage 1450: Versions C3414-500-S02K5_P8 and prior
  • Sage 2400: Versions C3414-500-S02K5_P8 and prior
  • Sage 4400: Versions C3414-500-S02K5_P8 and prior
  • Sage 3030 Magnum: Versions C3414-500-S02K5_P8 and prior
3.2 VULNERABILITY OVERVIEW 3.2.1

An out-of-bounds write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.

has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.2

An improper limitation of a pathname to a restricted directory (‘path traversal') vulnerability exists that could allow an authenticated user with access to the device's web interface to corrupt files and impact device functionality when sending a crafted HTTP request.

has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.2 has been calculated; the CVSS vector string is ().

3.2.3

An incorrect default permissions vulnerability exists that could allow an authenticated user with access to the device's web interface to perform unauthorized file and firmware uploads when crafting custom web requests.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.7 has been calculated; the CVSS vector string is ().

3.2.4

An unchecked return value vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request.

has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.2 has been calculated; the CVSS vector string is ().

3.2.5

A buffer copy without checking size of input (‘classic buffer overflow') vulnerability exists that could allow a user with access to the device's web interface to cause a fault on the device when sending a malformed HTTP request.

has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.2.6

An out-of-bounds read vulnerability exists that could cause denial of service of the device's web interface when an attacker sends a specially crafted HTTP request.

has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 6.9 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER

Marlon Schumacher and Alex Armstrong from LLNL and Vishal Madipadga from SNL reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Firmware version C3414-500-S02K5_P9 of SAGE RTU includes a fix for these vulnerabilities and is

    For more information, see Schneider Electric security notification

Schneider Electric strongly recommend the following industry cybersecurity best practices.

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the "Program" mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to for more information on avoiding email scams.
  • Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 17, 2025: Initial Republication of Schneider Electric Advisory SEVD-2024-163-05
CISA

CISA.gov
2 weeks 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 8.4
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: ConneXium Network Manager
  • Vulnerabilities: Files or Directories Accessible to External Parties, Improper Input Validation
2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access sensitive data, escalate privileges, or perform remote code execution.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

  • Schneider Electric ConneXium Network Manager: Version 2.0.01 (CVE-2025-2222)
  • Schneider Electric ConneXium Network Manager: All versions (CVE-2025-2223)
3.2 VULNERABILITY OVERVIEW 3.2.1

CWE-552: Files or Directories Accessible to External Parties vulnerability over https exists that could leak information and potential privilege escalation following a Man-In-The-Middle attack.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.2 has been calculated; the CVSS vector string is ().

3.2.2

CWE-20: Improper Input Validation vulnerability exists that could cause a loss of confidentiality, integrity, and availability of the engineering workstation when a malicious project file is loaded by a user from the local system.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.4 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France
3.4 RESEARCHER

Schneider Electric CPCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Schneider Electric ConneXium Network Manager v2.0.01: Please note that the ConneXium Network Manager product has reached the end of its life and is no longer supported. Customers should immediately apply the following mitigations to reduce the risk of exploit:

  • Disable the webserver (disabled by default)
  • Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices available for download here:

Schneider Electric ConneXium Network Manager All versions: Please note that the ConneXium Network Manager product has reached the end of its life and is no longer supported. Customers should immediately apply the following mitigations to reduce the risk of exploit:

  • Only open project files received from a trusted source.
  • Compute a hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.
  • Encrypt project files when stored and restrict the access to only trusted users.
  • When exchanging files over the network, use secure communication protocols.
  • Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices available for download here:

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-098-01 , .

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to for more information on avoiding email scams.
  • Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 17, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-098-01
CISA

CISA.gov
2 weeks 5 days ago

1. EXECUTIVE SUMMARY
  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Yokogawa
  • Equipment: GX10, GX20, GP10, GP20, GM Data Acquisition System, DX1000, DX2000, DX1000N, FX1000, μR10000, μR20000, MW100, DX1000T, DX2000T, CX1000, CX2000
  • Vulnerability: Missing Authentication for Critical Function
2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to manipulate information on the affected products.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Yokogawa recorder products are affected:

  • GX10 / GX20 / GP10 / GP20 Paperless Recorders: Versions R5.04.01 and earlier
  • GM Data Acquisition System: Versions R5.05.01 and earlier
  • DX1000 / DX2000 / DX1000N Paperless Recorders: Versions R4.21 and earlier
  • FX1000 Paperless Recorders: Versions R1.31 and earlier
  • μR10000 / μR20000 Chart Recorders: Versions R1.51 and earlier
  • MW100 Data Acquisition Units: All versions
  • DX1000T / DX2000T Paperless Recorders: All versions
  • CX1000 / CX2000 Paperless Recorders: All versions
3.2 VULNERABILITY OVERVIEW 3.2.1

Authentication is disabled by default on the affected products. When connected to a network with default settings, this could allow anyone to access all functions related to settings and operations. As a result, an attacker can illegally manipulate and configure important data such as measured values and settings.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND
  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and Agriculture
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER

Souvik Kandar of MicroSec (microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Yokogawa has provided the following countermeasures for this vulnerability:

  • Yokogawa urges users to enable the authentication function when connecting the affected products to the network (login function).
  • Be sure to change the password from the default setting after enabling the authentication function.

Yokogawa strongly recommends all users to establish and maintain a full security program. Security program components are patch updates, anti-virus, backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.

For more information, .

For more information and details on implementing these mitigations, users should see the

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are .
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY
  • April 17, 2025: Initial Publication
CISA
Checked
44 minutes 26 seconds ago
URL