¾«¶«Ó°Òµ

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see 

1. EXECUTIVE SUMMARY

• CVSS v3 7.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Teamcenter
• Vulnerability: URL Redirection to Untrusted Site ('Open Redirect')

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to redirect the legitimate user to an attacker-controlled URL to steal valid session data.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Teamcenter: All versions prior to V14.3.0.0

3.2 VULNERABILITY OVERVIEW 3.2.1

The SSO login service of affected applications accepts user-controlled input that could specify a link to an external site. This could allow an attacker to redirect the legitimate user to an attacker-controlled URL to steal valid session data. For a successful exploit, the legitimate user must actively click on an attacker-crafted link.

has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Nicolo Vinci reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Teamcenter: Do not click on links from untrusted sources
• Teamcenter: Update to

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the

For more information see the associated Siemens security advisory SSA-656895 in and .

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see 

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC S7-1200 CPU Family
• Vulnerabilities: Improper Resource Shutdown or Release, Improper Validation of Syntactic Correctness of Input

2. RISK EVALUATION

The affected devices do not correctly process certain special crafted packets sent to Port 80/tcp and Port 102/tcp, which could allow an attacker to cause a denial of service in the device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0): vers:all/<V4.7
• Siemens SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0): vers:all/<V4.7
• Siemens SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): vers:all/<V4.7

3.2 VULNERABILITY OVERVIEW 3.2.1

The affected devices do not correctly process certain special crafted packets sent to Port 80/tcp, which could allow an unauthenticated attacker to cause a denial of service in the device.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.2.2

The affected devices do not correctly process certain special crafted packets sent to Port 102/tcp, which could allow an attacker to cause a denial of service in the device.

has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Gao Jian coordinated the disclosure of CVE-2025-24812 with Siemens.
Siemens then reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0), SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0), SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0), SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0), SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Update to V4.7 or a .
• SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0), SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0), SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0), SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Update to V4.7 or a .

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the .

For more information see the associated Siemens security advisory SSA-224824 in and .

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see 

1. EXECUTIVE SUMMARY

• CVSS v4 5.1
• ATTENTION: Low attack complexity
• Vendor: Siemens
• Equipment: SIPROTEC 5
• Vulnerability: Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with physical access to read the sensitive information from the filesystem of the device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

• Siemens SIPROTEC 5 7SK85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SJ81 (CP100): vers:all/*
• Siemens SIPROTEC 5 7SL86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SL86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SJ86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SK82 (CP100): vers:all/*
• Siemens SIPROTEC 5 6MD84 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SA87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7ST85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7UT87 (CP300): vers:all/*
• Siemens SIPROTEC 5 6MD89 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD82 (CP100): vers:all/*
• Siemens SIPROTEC 5 6MD85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7ST86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SJ82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7UT86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SX85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD87 (CP300): vers:all/*
• Siemens SIPROTEC 5 7VU85 (CP300): vers:all/*
• Siemens SIPROTEC 5 6MU85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7UT86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7VK87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7UT85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7UT82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7SA87 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SJ81 (CP150): vers:all/*
• Siemens SIPROTEC 5 7SJ82 (CP100): vers:all/*
• Siemens SIPROTEC 5 7SA82 (CP100): vers:all/*
• Siemens SIPROTEC 5 7UT87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SX82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7SD86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SL87 (CP300): vers:all/*
• Siemens SIPROTEC 5 6MD85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7ST85 (CP200): vers:all/*
• Siemens SIPROTEC 5 Compact 7SX800 (CP050): vers:all/*
• Siemens SIPROTEC 5 6MD86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SD82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7KE85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SL82 (CP100): vers:all/*
• Siemens SIPROTEC 5 7SL82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7VE85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7KE85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SA86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SL87 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SY82 (CP150): vers:all/*
• Siemens SIPROTEC 5 6MD86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SJ86 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SA86 (CP300): vers:all/*
• Siemens SIPROTEC 5 7UM85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SS85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SK82 (CP150): vers:all/*
• Siemens SIPROTEC 5 7UT82 (CP100): vers:all/*
• Siemens SIPROTEC 5 7SS85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SJ85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7UT85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7SK85 (CP200): vers:all/*
• Siemens SIPROTEC 5 7VK87 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SJ85 (CP300): vers:all/*
• Siemens SIPROTEC 5 7SA82 (CP150): vers:all/*

3.2 VULNERABILITY OVERVIEW 3.2.1

The affected devices do not encrypt certain data within the on-board flash storage on their PCB. This could allow an attacker with physical access to read the entire filesystem of the device.

has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 5.1 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Steffen Robertz, Stefan Viehböck, and Constantin Schieber-Knöbl from SEC Consult Vulnerability Lab reported this vulnerability to Siemens.
Siemens then reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Limit physical access to affected devices to trusted personnel.
• All affected products: Provision certificates signed by customer PKI as described in .
• SIPROTEC 5 6MD85 (CP200), SIPROTEC 5 6MD86 (CP200), SIPROTEC 5 7KE85 (CP200), SIPROTEC 5 7SA86 (CP200), SIPROTEC 5 7SA87 (CP200), SIPROTEC 5 7SD86 (CP200), SIPROTEC 5 7SD87 (CP200), SIPROTEC 5 7SJ85 (CP200), SIPROTEC 5 7SJ86 (CP200), SIPROTEC 5 7SK85 (CP200), SIPROTEC 5 7SL86 (CP200), SIPROTEC 5 7SL87 (CP200), SIPROTEC 5 7SS85 (CP200), SIPROTEC 5 7ST85 (CP200), SIPROTEC 5 7UT85 (CP200), SIPROTEC 5 7UT86 (CP200), SIPROTEC 5 7UT87 (CP200), SIPROTEC 5 7VK87 (CP200): Currently no fix is planned.
• SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT82 (CP100), SIPROTEC 5 7UT82 (CP150), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300), SIPROTEC 5 Compact 7SX800 (CP050): Currently no fix is available.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the .

For more information see the associated Siemens security advisory SSA-111547 in and .

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see 

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIPROTEC 5 Devices
• Vulnerability: Use of Default Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated, remote attacker to retrieve sensitive information of the device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens SIPROTEC 5 7VE85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SS85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2): All versions prior to V9.90
• Siemens SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2): All versions prior to V9.90
• Siemens SIPROTEC 5 7UT82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7UT85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 6MD84 (CP300): All versions prior to V9.90
• Siemens SIPROTEC 5 7SJ82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SL86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7KE85 (CP300): Versions later than and including V8.80
• Siemens SIPROTEC 5 7SJ86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 6MD86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SX82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SL87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SA82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SL82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SJ85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7ST85 (CP300): Versions later than and including V8.80
• Siemens SIPROTEC 5 7ST86 (CP300): All versions
• Siemens SIPROTEC 5 7SD82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SK85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 Compact 7SX800 (CP050): Version V9.50 up to but not including V9.90
• Siemens SIPROTEC 5 6MD85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 6MU85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SK82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SA87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7VK87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7VU85 (CP300): All versions prior to V9.90
• Siemens SIPROTEC 5 7SA86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SD87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 Communication Module ETH-BD-2FO: Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 6MD89 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7UM85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SJ81 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7UT86 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SX85 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7UT87 (CP300): Version V8.80 up to but not including V9.90
• Siemens SIPROTEC 5 7SY82 (CP150): All versions prior to V9.90
• Siemens SIPROTEC 5 7SD86 (CP300): Version V8.80 up to but not including V9.90

3.2 VULNERABILITY OVERVIEW 3.2.1

Affected devices do not properly validate SNMP GET requests. This could allow an unauthenticated, remote attacker to retrieve sensitive information of the affected devices with SNMPv2 GET requests using default credentials.

has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Restrict access to port 161/udp to trusted IP addresses only.
• All affected products: Disable the SNMP service running in the communication modules, if not used.
• SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300): Currently no fix is available.
• SIPROTEC 5 Compact 7SX800 (CP050):
• SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UT82 (CP150):
• SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300):
• SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.2), SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 2), SIPROTEC 5 Communication Module ETH-BD-2FO:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the

For more information see the associated Siemens security advisory SSA-767615 in and .

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Dingtian
• Equipment: DT-R0 Series
• Vulnerability: Authentication Bypass Using an Alternate Path or Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify the device settings and gain administrator access.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Dingtian DT-R0 Series are affected:

• DT-R002: Version V3.1.3044A
• DT-R008: Version V3.1.1759A
• DT-R016: Version V3.1.2776A
• DT-R032: Version V3.1.3826A

3.2 Vulnerability Overview 3.2.1

The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Cumhur Kizilari (Zeus) reported this vulnerability to CISA.

4. MITIGATIONS

Dingtian has not responded to requests to work with CISA to mitigate this vulnerability, thus no mitigation is available at this time. Users of affected versions of Dingtian DT-R002 are invited to contact Dingtian for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see 

1. EXECUTIVE SUMMARY

• CVSS v4 9.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Opcenter Intelligence
• Vulnerabilities: Improper Authentication, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Deserialization of Untrusted Data, Insertion of Sensitive Information into Log File, Server-Side Request Forgery (SSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could enable an attacker to execute remote code or allow a malicious site administrator to change passwords for users.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Opcenter Intelligence: All versions prior to V2501

3.2 VULNERABILITY OVERVIEW 3.2.1

Tableau is aware of a broken access control vulnerability present in Tableau Server affecting Tableau Server users using Local Identity Store for managing users. The vulnerability allows a malicious site administrator to change passwords for users in different sites hosted on the same Tableau Server, resulting in the potential for unauthorized access to data. Tableau Server versions affected are: 2020.4.16, 2021.1.13, 2021.2.10, 2021.3.9, 2021.4.4 and earlier. All future releases of Tableau Server will address this security issue. Versions that are no longer supported are not tested and may be vulnerable.

has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.4 has been calculated; the CVSS vector string is ().

3.2.2

Tableau discovered a path traversal vulnerability affecting Tableau Server Administration Agent's internal file transfer service that could allow remote code execution. Tableau only supports product versions for 24 months after release. Older versions have reached their end of life and are no longer supported. They are also not assessed for potential security issues and do not receive security updates.

has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.2 has been calculated; the CVSS vector string is ().

3.2.3

The Java OpenWire protocol marshaller is vulnerable to remote code execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue. For Opcenter Intelligence: On November 2, 2023, Apache announced the discovery of CVE-2023-46604, a As a result of this issue, a remote threat actor with network access to either a Java-based OpenWire broker or client could execute code remotely to run arbitrary shell commands.

has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.4 has been calculated; the CVSS vector string is ().

3.2.4

Personal access token disclosure vulnerability in Tableau Server. For details see

has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 6.9 has been calculated; the CVSS vector string is ().

3.2.5

Server-side request forgery (SSRF) vulnerability in Tableau Server. For details see

has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends Opcenter Intelligence users update to V2501 or later version and install the latest available version of Tableau Server as described in .

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the .

For more information see the associated Siemens security advisory SSA-246355 in and .

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see 

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC PCS neo and TIA Administrator
• Vulnerability: Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMOCODE ES V19: Versions prior to V19 Update 1
• TIA Administrator: Versions 3.0.4 and prior
• SIMATIC PCS neo V4.1: Versions prior to V4.1 Update 2
• SIMATIC PCS neo V4.0: All versions
• SIRIUS Safety ES V19 (TIA Portal): Versions prior to V19 Update 1
• SIRIUS Soft Starter ES V19 (TIA Portal): Versions prior to V19 Update 1
• SIMATIC PCS neo V5.0: Versions prior to V5.0 Update 1

3.2 VULNERABILITY OVERVIEW 3.2.1

Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user's session even after logout.

has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Close browser and client after logout and remove all locally stored session tokens
• SIMATIC PCS neo V4.0: Currently no fix is planned
• SIMOCODE ES V19: Update to V19 Update 1 or
• SIRIUS Soft Starter ES V19 (TIA Portal): Update to V19 Update 1 or
• SIRIUS Safety ES V19 (TIA Portal): Update to V19 Update 1 or
• TIA Administrator: Update to V3.0.4 or
• SIMATIC PCS neo V4.1: Update to V4.1 Update 2 or
• SIMATIC PCS neo V5.0: Update to V5.0 Update 1 or

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the

For more information see the associated Siemens security advisory SSA-342348 in and .

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: Drive Composer
• Vulnerability: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers unauthorized access to the file system on the host machine. An attacker can exploit this flaw to run malicious code, which could lead to the compromise of the affected system.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

ABB reports that the following Drive Composer products are affected:

• Drive Composer entry: Version 2.9.0.1 and prior
• Drive Composer pro: Version 2.9.0.1 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1

A vulnerability in drive composer can allow attackers unauthorized access to the file system on the host machine. An attacker can exploit this flaw to run malicious code, which could lead to the compromise of the affected system.

has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

ABB reported this vulnerability to CISA.

4. MITIGATIONS

ABB has corrected this vulnerability in Drive Composer Version 2.9.1. Drive Composer Version 2.9.1 (both entry and pro) is downloadable from the ABB recommends users apply the update at their earliest convenience.

For more information, please refer to the

ABB recommends the following general security practices for any installation of software-related ABB products:

• Isolate special purpose networks (e.g. for automation systems) and remote devices behind firewalls and separate them from any general-purpose network (e.g. office or home networks).
• Install physical controls so no unauthorized personnel can access your devices, components, peripheral equipment, and networks.
• Never connect programming software or computers containing programing software to any network
  other than the network for the devices that it is intended for.
• Scan all data imported into your environment before use to detect potential malware infections.
• Minimize network exposure for all applications and endpoints to ensure that they are not accessible from the Internet unless they are designed for such exposure and the intended use requires such.
• Ensure all nodes are always up to date in terms of installed software, operating system, and firmware patches as well as anti-virus and firewall.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

More information on recommended practices can be found in the following documents:

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 6, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Schneider Electric
• Equipment: EcoStruxure
• Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability allows for local privilege escalation, which could lead to the execution of a malicious Dynamic-Link Library (DLL).

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Schneider Electric EcoStruxure products and versions, which incorporate Revenera FlexNet Publisher, are affected:

• EcoStruxure Control Expert: Versions prior to V16.1
• EcoStruxure Process Expert: All versions
• EcoStruxure OPC UA Server Expert: All versions
• EcoStruxure Control Expert Asset Link: Versions prior to V4.0 SP1
• EcoStruxure Machine SCADA Expert Asset Link: All versions
• EcoStruxure Architecture Builder: Versions prior to V7.0.18
• EcoStruxure Operator Terminal Expert: All versions
• Vijeo Designer: Version prior to V6.3SP1 HF1
• EcoStruxure Machine Expert including EcoStruxure Machine Expert Safety: All versions
• EcoStruxure Machine Expert Twin: All versions
• Zelio Soft 2: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1

A misconfiguration in lmadmin.exe of FlexNet Publisher versions prior to 2024 R1 (11.19.6.0) allows the OpenSSL configuration file to load from a non-existent directory. An unauthorized, locally authenticated user with low privileges can potentially create the directory and load a specially crafted openssl.conf file leading to the execution of a malicious DLL (Dynamic-Link Library) with elevated privileges.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.5 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Services and Facilities, Transportation Systems, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Xavier DANEST of Trend Micro Zero Day Initiative reported this vulnerability to Revenera PSIRT.

4. MITIGATIONS

Schneider Electric recommends that users of the following products follow these actions:

• EcoStruxure Control Expert: Versions prior to V16.1 - Version V16.1 of EcoStruxure Control Expert includes a fix for this vulnerability and is available for download . Reboot the computer after installation is completed.
• EcoStruxure Architecture Builder: Versions prior to V7.0.18 - Version V7.0.18 of EcoStruxure Architecture Builder includes a fix for this vulnerability and is available for download .
• EcoStruxure Control Expert Asset Link: Versions prior to V4.0 SP1 - Version V4.0SP1 of EcoStruxure Control Expert Asset Link includes a fix for this vulnerability and is available for download .
• Vijeo Designer: Version prior to V6.3SP1 HF1 - Version V6.3SP1 HF1 of Vijeo Designer includes a fix for this vulnerability. Please contact your to get Vijeo Designer version V6.3SP1 HF1 software.

Users should follow appropriate patching methodologies when applying these patches to their systems. We strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or an offline infrastructure. Contact Schneider Electric's if you need assistance removing a patch.

If users choose not to apply the remediation provided above, they should immediately apply the following mitigations in order to reduce the risk of exploit:

Schneider Electric is establishing a remediation plan for all future versions of the following that will include a fix for this vulnerability:

• EcoStruxure Process Expert
• EcoStruxure OPC UA Server Expert
• EcoStruxure Machine SCADA Expert - Asset Link
• EcoStruxure Operator Terminal Expert
• EcoStruxure Machine Expert including
• EcoStruxure Machine Expert Safety
• EcoStruxure Machine Expert Twin
• Zelio Soft 2

We will update this document when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

• Limit authenticated user access to the workstation and implement existing User Account Control practices.
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices guide available for download .

To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric's security notification service .

General Security Recommendations

Schneider Electric strongly recommends the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric document.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• February 6, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v3 7.1
• ATTENTION: Exploitable remotely
• Vendor: Schneider Electric
• Equipment: EcoStruxure Power Monitoring Expert (PME)
• Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to remotely execute code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• EcoStruxure Power Monitoring Expert (PME): Versions 2022 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1

A deserialization of untrusted data vulnerability exists which could allow code to be remotely executed on the server when unsafely deserialized data is posted to the web server.

has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• EcoStruxure Power Monitoring Expert 2021 and prior have reached end-of-life support. Users should consider upgrading to the latest version offering of PME to resolve this issue. Please contact
• EcoStruxure Power Monitoring Expert (PME) Version 2022 and prior: There is a hotfix available for EcoStruxure Power Monitoring Expert (PME) that includes a fix for this vulnerability. Contact to download this hotfix.

Schneider Electric strongly recommends the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the and the associated Schneider Electric security notification SEVD-2024-282-05 in and

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• February 06, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v4 8.6
• ATTENTION: Exploitable remotely/low attack complexity/known public exploitation
• Vendor: Trimble
• Equipment: Cityworks
• Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated user to perform a remote code execution.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Trimble Cityworks, an asset and work management system, are affected:

• Cityworks: All versions prior to 15.8.9
• Cityworks with office companion: All versions prior to 23.10

3.2 VULNERABILITY OVERVIEW 3.2.1

Trimble Cityworks versions prior to 15.8.9 and Cityworks with office companion versions prior to 23.10 are vulnerable to a deserialization vulnerability. This could allow an authenticated user to perform a remote code execution attack against a customer's Microsoft Internet Information Services (IIS) web server.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.6 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Water and Wastewater Systems, Energy, Transportation Systems, Government Services and Facilities, Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Trimble reported this vulnerability to CISA.

4. MITIGATIONS

Cityworks has released the following update guidance for users:

• Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025). Information on the updated versions will be available through the normal channels via the (Login required). On-premise users should install the updated version immediately. These updates will be automatically applied to all Cityworks Online (CWOL) deployments.
• Trimble has observed that some on-premise deployments may have overprivileged Internet Information Services (IIS) identity permissions. For avoidance of doubt, and in accordance with Trimble's technical documentation, IIS should not be run with local or domain level administrative privileges on any site. Please refer to the direction in the latest release notes in the (Login required) for more information on how to update IIS identity permissions. Trimble's CWOL users have their IIS identity permissions set appropriately and do not need to take this action.
• Trimble has observed that some deployments have inappropriate attachment directory configurations. Trimble recommends that attachment directory root configuration should be limited to folders/subfolders which only contain attachments. Please refer to the direction in the latest release notes in the (Login required) for more information on how to ensure proper configuration of the attachment directory.

For more information, see Trimble's .

Cityworks software is incapable of controlling industrial processes and is not directly part of an ICS.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

CISA has received reports of this vulnerability being actively exploited.

5. UPDATE HISTORY

• February 06, 2025: Initial Publication
• February 11, 2025: Update A - Update to the critical infrastructure sectors

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
• Vendor: Elber
• Equipment: Communications Equipment
• Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Hidden Functionality

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker unauthorized administrative access to the affected device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Elber Communications Equipment are affected:

• Signum DVB-S/S2 IRD: Versions 1.999 and prior
• Cleber/3 Broadcast Multi-Purpose Platform: Version 1.0
• Reble610 M/ODU XPIC IP-ASI-SDH: Version 0.01
• ESE DVB-S/S2 Satellite Receiver: Versions 1.5.179 and prior
• Wayber Analog/Digital Audio STL: Version 4

3.2 VULNERABILITY OVERVIEW 3.2.1

Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user's password within the system. This grants them unauthorized administrative access to protected areas of the application, compromising the device's system security.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.2.2

Multiple Elber products suffer from an unauthenticated device configuration and client-side hidden functionality disclosure.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

Gjoko Krstic of Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

Elber does not plan to mitigate these vulnerabilities because this equipment is either end of life or almost end of life. Users of affected versions of Elber Signum DVB-S/S2 IRD, Cleber/3 Broadcast Multi-Purpose Platform, Reble610 M/ODU XPIC IP-ASI-SDH, ESE DVB-S/S2 Satellite Receiver, and Wayber Analog/Digital Audio STL are invited to contact Elber for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v3 7.8
• ATTENTION: Low attack complexity
• Vendor: Schneider Electric
• Equipment: Web Designer for Modicon
• Vulnerability: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in information disclosure, workstation integrity and potential remote code execution on the compromised computer.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Web Designer for Modicon are affected:

• Web Designer for BMXNOR0200H: All versions
• Web Designer for BMXNOE0110(H): All versions
• Web Designer for BMENOC0311(C): All versions
• Web Designer for BMENOC0321(C): All versions

3.2 VULNERABILITY OVERVIEW 3.2.1

The affected product is vulnerable to an improper restriction of XML external entity reference vulnerability that could cause information disclosure, impacts to workstation integrity, and potential remote code execution on the compromised computer when a specifically crafted XML file is imported in the Web Designer configuration tool.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Facilities, Transportation Systems, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Jin Huang of ADLab of Venustech reported this vulnerability Schneider Electric.

4. MITIGATIONS

Web Designer tool project file is based on XML language with specific parameters. To ensure the integrity of this file please follow the recommendations below:

• Encrypt project file (XML configuration file) when stored and restrict the access to only trusted users.
• When exchanging files over the network, use secure communication protocols.
• Only open project files received from a trusted source.
• Compute a hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.

To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric's security notification service here:

Schneider Electric strongly recommends the following industry cybersecurity best practices.

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have their own vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the

For more information, see Schneider Electric security notification

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v3 8.6
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Modicon M340 and BMXNOE0100/0110, BMXNOR0200H
• Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause information disclosure of a restricted web page, modification of a web page, and a denial of service when specific web pages are modified and restricted functions invoked.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Schneider Electric products, Modicon M340 and BMXNOE0100/0110, BMXNOR0200H, are affected:

• Modicon M340 processors (part numbers BMXP34*): All versions
• BMXNOE0100: All versions
• BMXNOE0110: All versions
• BMXNOR0200H: Versions prior to SV1.70IR26

3.2 VULNERABILITY OVERVIEW 3.2.1

The affected products are vulnerable to an exposure of sensitive information to an unauthorized actor vulnerability, which could cause information disclosure of restricted web page, modification of web page, and denial of service when specific web pages are modified and restricted functions invoked.

has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: France
• COMPANY HEADQUARTERS LOCATION: Worldwide

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

BMXNOR0200H: Version SV1.70IR26 of BMXNOR0200H includes a fix for this vulnerability and is

Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends the use of back-ups and evaluating the impact of these patches in a testing and development environment, or on an offline infrastructure. Contact for assistance removing a patch.

Schneider Electric is establishing a remediation plan for all future versions of Modicon M340 processors BMXP34*, BMXNOE0100 and BMXNOE0110 that will include a fix for this vulnerability. They will provide an update when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

• Set up network segmentation and implement a firewall to block all unauthorized access to FTP Port 21/TCP on the devices.
• Disable FTP service via EcoStruxureTM Control Expert. This is disabled by default when a new application is created.
• Disable Web server service via EcoStruxureTM Control Expert. This is disabled by default when a new application is created.
• Configure the Access Control List following the recommendation on the

Schneider Electric strongly recommends the following industry cybersecurity best practices.

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the

For more information, see Schneider Electric security notification

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: AutomationDirect
• Equipment: C-more EA9 HMI
• Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition or achieve remote code execution on the affected device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Automation Direct products are affected:

• C-more EA9 HMI EA9-T6CL: v6.79 and prior
• C-more EA9 HMI EA9-T7CL-R: v6.79 and prior
• C-more EA9 HMI EA9-T7CL: v6.79 and prior
• C-more EA9 HMI EA9-T8CL: v6.79 and prior
• C-more EA9 HMI EA9-T10CL: v6.79 and prior
• C-more EA9 HMI EA9-T10WCL: v6.79 and prior
• C-more EA9 HMI EA9-T12CL: v6.79 and prior
• C-more EA9 HMI EA9-T15CL-R: v6.79 and prior
• C-more EA9 HMI EA9-T15CL: v6.79 and prior
• C-more EA9 HMI EA9-RHMI: v6.79 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1

AutomationDirect C-more EA9 HMI contains a function with bounds checks that can be skipped, which could result in an attacker abusing the function to cause a denial-of-service condition or achieving remote code execution on the affected device.

has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 9.3 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Sharon Brizinov of Claroty Team82 reported this vulnerability to CISA.

4. MITIGATIONS

AutomationDirect recommends that users update C-MORE EA9 HMI software and firmware to .

If an immediate update is not feasible, AutomationDirect recommends considering the following interim steps until the programming software can be updated:

• Isolate the HMI Workstation: Disconnect the HMI from external networks (e.g., internet or corporate LAN) to limit exposure to external threats.
• Use dedicated, secure internal networks or air-gapped systems for communication with programmable devices.
• Control Access: Restrict physical and logical access to the HMI to authorized personnel only.
• Implement Whitelisting: Use application whitelisting to allow only pre-approved and trusted software to execute on the HMI. Block untrusted or unauthorized applications.
• Apply Endpoint Security Measures: Use antivirus or endpoint detection and response (EDR) tools to monitor for and mitigate threats. Ensure that host-based firewalls are properly configured to block unauthorized access.
• Monitor and Log Activity: Enable logging and monitoring of system activities to detect potential anomalies or unauthorized actions. Regularly review logs for suspicious activity.
• Use Secure Backup and Recovery: Regularly back up the workstation and its configurations to a secure location. Test recovery procedures to ensure minimal downtime in the event of an incident.
• Conduct Regular Risk Assessments: Continuously assess the risks posed by the outdated software and adjust mitigation measures as necessary.

For more information, please see the

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC
• Vulnerability: Incorrect Calculation of Buffer Size

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service of the product when an unauthenticated user sends a crafted HTTPS packet to the webserver.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC are affected:

• Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety): Versions prior to SV4.30
• Modicon M580 CPU Safety (part numbers BMEP58-S and BMEH58-S): Versions prior to SV4.21
• BMENOR2200H: All versions
• EVLink Pro AC: Versions prior to v1.3.10

3.2 VULNERABILITY OVERVIEW 3.2.1

The affected product is vulnerable to an incorrect calculation of buffer size vulnerability which could cause a denial-of-service of the product when an unauthenticated user is sending a crafted HTTPS packet to the webserver.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 8.7 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following remediations users can apply to reduce risk:

• Modicon M580 CPU (partnumbers BMEP* and BMEH*,excluding M580 CPU Safety): Version SV4.30 of Modicon M580 firmware includes a fix for this vulnerability and is
• Modicon M580 CPU Safety part numbers BMEP58-S and MEH58-S): Version SV4.21 of Modicon M580 firmware includes a fix for this vulnerability and is
• EVLink Pro AC: Version V1.3.10 of EVLink Pro AC firmware includes a fix for this vulnerability and is

Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends making use of back-ups and evaluating the impact of these patches in a testing and development environment or on an offline infrastructure. Contact Schneider Electric's if assistance is needed for removing a patch.

If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:

• Modicon M580 CPU (partnumbers BMEP* and BMEH*,excluding M580 CPU Safety): Set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP. Configure the access control list following the recommendations of the user manuals:
• Modicon M580 CPU Safety part numbers BMEP58-S and MEH58-S): Set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP. Configure the access control list following the recommendations of the user manuals:
• BMENOR2200H: Schneider Electric is establishing a remediation plan for BMENOR2200H that will include a fix for CVE-2024-11425. They will update SEVD-2025-014-01 when the remediation is available. Until then, users should immediately set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP.
• EVLink Pro AC: Follow the

Schneider Electric strongly recommends the following industry cybersecurity best practices.

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the

For more information, see Schneider Electric security notification

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v4 6.1
• ATTENTION: Exploitable remotely
• Vendor: Schneider Electric
• Equipment: Pro-face GP-Pro EX and Remote HMI
• Vulnerability: Improper Enforcement of Message Integrity During Transmission in a Communication Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow man-in-the-middle attacks, resulting in information disclosure, integrity issues, and operational failures.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Pro-face GP-Pro EX and Remote HMI are affected:

• Pro-face GP-Pro EX: All versions
• Pro-face Remote HMI: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1

The affected products are vulnerable to an improper enforcement of message integrity during transmission in a communication channel vulnerability that could cause partial loss of confidentiality, loss of integrity, and availability of the HMI when attacker performs man-in-the-middle attack by intercepting the communication.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 6.1 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Haichuan Xu from the Georgia Institute of Technology reported this vulnerability to Schneider Electric.

4. MITIGATIONS

Schneider Electric is establishing a remediation plan for all future versions of Pro-face GP-Pro EX and Pro-face Remote HMI that will include a fix for this vulnerability. Schneider Electric will provide an update when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

For users requiring the use of Pro-face Remote HMI, Schneider Electric recommends using following mitigations:

• Use of or any other VPN solutions for securing the remote access by encrypting the communication between Pro-face Remote HMI and Pro-face GP-ProEX.
• Always connect the products to only trusted networks and follow the .
• Set up a connection password. For more details refer to the in section "Remote Viewer - Pro-face Remote HMI".

For users not using the Pro-face Remote HMI, Schneider Electric recommends using following mitigations to reduce the risk of exploit:

• Disabling the Pro-face Remote HMI feature (deactivated by default). For more details refer to the section "Pro-face Remote HMI Settings."

Schneider Electric strongly recommends the following industry cybersecurity best practices.

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the

For more information, see Schneider Electric security notification

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Rockwell Automation
• Equipment: GuardLogix 5380 and 5580
• Vulnerability: Improper Handling of Exceptional Conditions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

• GuardLogix 5580 (SIL 3 with the safety partner 3): Versions prior to V33.017, V34.014, V35.013, V36.011
• Compact GuardLogix 5380 SIL 3: Versions prior to V33.017, V34.014, V35.013, V36.011

3.2 VULNERABILITY OVERVIEW 3.2.1

A denial-of-service vulnerability exists in the affected products. The vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 7.1 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users of the affected software to apply the risk mitigations, if possible.

• Update to V33.017, V34.014, V35.013, V36.011, or the latest version.
• Restrict access to the task object via CIP Security and Hard Run.
• For information on how to mitigate security risks on industrial automation control systems, Rockwell Automation encourages users to implement their suggested to minimize the risk of the vulnerability.

can be used to generate more environment-specific prioritization.

For more information about this issue, please see the advisory on the .

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication
• February 18, 2025: Update A - Updated title, product list, and versions.

1. EXECUTIVE SUMMARY

• CVSS v4 6.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Western Telematic Inc
• Equipment: NPS Series, DSM Series, CPM Series
• Vulnerability: External Control of File Name or Path

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker to gain privileged access to files on the device's filesystem.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following Western Telematic Inc products are affected:

• Network Power Switch (NPS Series): Firmware Version 6.62 and prior
• Console Server (DSM Series): Firmware Version 6.62 and prior
• Console Server + PDU Combo Unit (CPM Series): Firmware Version 6.62 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1

Multiple Western Telematic (WTI) products contain a web interface that is vulnerable to a Local File Inclusion Attack (LFI), where any authenticated user has privileged access to files on the device's filesystem.

has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is ().

A CVSS v4 score has also been calculated for . A base score of 6.0 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

notnotnotveg (notnotnotveg@gmail.com) reported this vulnerability to CISA.

4. MITIGATIONS

Western Telematic Inc reports this issue was discovered and patched in 2020. Western Telematic Inc recommends users follow best practices and update to the latest version.

• For DSM/CPM units:
• For NPS units:
• Ensure the default passwords are changed prior to deployment

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

1. EXECUTIVE SUMMARY

• CVSS v3 7.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Rockwell Automation
• Equipment: KEPServer
• Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause the device to crash.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation's KEPServer are affected:

• KEPServer: Versions 6.0 - 6.14.263

3.2 Vulnerability Overview 3.2.1

KEPServerEX Versions 6.0 to 6.14.263 are vulnerable to being made to read a recursively defined object that leads to uncontrolled resource consumption. KEPServerEX uses OPC UA, a protocol which defines various object types that can be nested to create complex arrays. It does not implement a check to see if such an object is recursively defined, so an attack could send a maliciously created message that the decoder would try to decode until the stack overflowed and the device crashed.

has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is ().

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell automation recommends that users upgrade to KEPServer Version 6.15 or higher.

Rockwell Automation also encourages users using the affected software to apply the following risk mitigations, if possible.

• For information on how to mitigate Security Risks on industrial automation control systems, Rockwell Automation encourages users to implement our suggested to minimize the risk of the vulnerability.
  Users can use to generate more environment-specific prioritization.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are .
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for on the ICS webpage on . Several CISA products detailing cyber defense best practices are available for reading and download, including .

CISA encourages organizations to implement recommended cybersecurity strategies for .

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at in the technical information paper, .

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to for more information on avoiding email scams.
• Refer to for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 30, 2025: Initial Publication