Author: Admin @CloudCentric

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 5.4
• ATTENTION: Low attack complexity
• Vendor: Schneider Electric
• Equipment: Trio Q Licensed Data Radio
• Vulnerabilities: Insecure Storage of Sensitive Information, Initialization of a Resource with an Insecure Default

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access confidential information, compromise the integrity, or affect the availability of the affected product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric Trio Q Licensed Data Radio: Versions prior to 2.7.2

3.2 VULNERABILITY OVERVIEW

3.2.1 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922

An insecure storage of sensitive information vulnerability exists that could potentially lead to unauthorized access to confidential data when a malicious user with physical access and advanced knowledge of the filesystem sets the radio to factory default mode.

CVE-2025-2440 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-2440. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188

An incorrect initialization of resource vulnerability exists that could lead to a loss of confidentiality when a malicious user with physical access sets the radio to factory default mode, causing the product to not correctly initialize all data.

CVE-2025-2441 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-2441. A base score of 4.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188

An initialization of a resource with an insecure default vulnerability exists that could potentially lead to unauthorized access, resulting in the loss of confidentiality, integrity, and availability when a malicious user with physical access sets the radio to factory default mode.

CVE-2025-2442 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2442. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Version v2.7.2 of the TRIO Q Data Radio firmware includes fixes for the identified vulnerabilities and is available for download.
• Follow the instructions in Section 10 Part J – Firmware Updating and Maintenance in the Trio Q Series Data Radio User Manual. This section provides information on how to download, install, and verify the new firmware version.

If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploitation:

• Install Trio Data Radios in a secure location to prevent physical access by unauthorized personnel, and ensure they are securely disposed of when decommissioned.
• Confirm the firmware loaded in Trio Data Radios using the hash published with the release notes, and follow the instructions in Section 10 Part J – Firmware Updating and Maintenance in the Trio Q Series Data Radio User Manual. This section provides information on how to download, install, and verify the new firmware version.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-098-02 Trio Q Licensed Data Radios – SEVD-2025-098-02 PDF Version, Trio Q Licensed Data Radios – SEVD-2025-098-02 CSAF Version.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• April 17, 2025: Initial Republication of Schneider Electric SEVD-2025-098-02

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Sage series
• Vulnerabilities: Out-of-bounds Write, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Incorrect Default Permissions, Unchecked Return Value, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to compromise the impacted device, leading to loss of data, loss of operation, or impacts to the performance of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Sage 1410: Versions C3414-500-S02K5_P8 and prior
• Sage 1430: Versions C3414-500-S02K5_P8 and prior
• Sage 1450: Versions C3414-500-S02K5_P8 and prior
• Sage 2400: Versions C3414-500-S02K5_P8 and prior
• Sage 4400: Versions C3414-500-S02K5_P8 and prior
• Sage 3030 Magnum: Versions C3414-500-S02K5_P8 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.

CVE-2024-37036 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37036. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

An improper limitation of a pathname to a restricted directory (‘path traversal’) vulnerability exists that could allow an authenticated user with access to the device’s web interface to corrupt files and impact device functionality when sending a crafted HTTP request.

CVE-2024-37037 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37037. A base score of 7.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 INCORRECT DEFAULT PERMISSIONS CWE-276

An incorrect default permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.

CVE-2024-37038 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37038. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 UNCHECKED RETURN VALUE CWE-252

An unchecked return value vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request.

CVE-2024-37039 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37039. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A buffer copy without checking size of input (‘classic buffer overflow’) vulnerability exists that could allow a user with access to the device’s web interface to cause a fault on the device when sending a malformed HTTP request.

CVE-2024-37040 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-37040. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L).

3.2.6 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read vulnerability exists that could cause denial of service of the device’s web interface when an attacker sends a specially crafted HTTP request.

CVE-2024-5560 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-5560. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:L).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Marlon Schumacher and Alex Armstrong from LLNL and Vishal Madipadga from SNL reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Firmware version C3414-500-S02K5_P9 of SAGE RTU includes a fix for these vulnerabilities and is available for download.

  For more information, see Schneider Electric security notification “SEVD-2024-163-05 SAGE RTU”.

Schneider Electric strongly recommend the following industry cybersecurity best practices.

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 17, 2025: Initial Republication of Schneider Electric Advisory SEVD-2024-163-05

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: ConneXium Network Manager
• Vulnerabilities: Files or Directories Accessible to External Parties, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access sensitive data, escalate privileges, or perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric ConneXium Network Manager: Version 2.0.01 (CVE-2025-2222)
• Schneider Electric ConneXium Network Manager: All versions (CVE-2025-2223)

3.2 VULNERABILITY OVERVIEW

3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

CWE-552: Files or Directories Accessible to External Parties vulnerability over https exists that could leak information and potential privilege escalation following a Man-In-The-Middle attack.

CVE-2025-2222 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-2222. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

CWE-20: Improper Input Validation vulnerability exists that could cause a loss of confidentiality, integrity, and availability of the engineering workstation when a malicious project file is loaded by a user from the local system.

CVE-2025-2223 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2223. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Schneider Electric ConneXium Network Manager v2.0.01: Please note that the ConneXium Network Manager product has reached the end of its life and is no longer supported. Customers should immediately apply the following mitigations to reduce the risk of exploit:

• Disable the webserver (disabled by default)
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices available for download here: https://www.se.com/ww/en/download/document/7EN52-0390/

Schneider Electric ConneXium Network Manager All versions: Please note that the ConneXium Network Manager product has reached the end of its life and is no longer supported. Customers should immediately apply the following mitigations to reduce the risk of exploit:

• Only open project files received from a trusted source.
• Compute a hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.
• Encrypt project files when stored and restrict the access to only trusted users.
• When exchanging files over the network, use secure communication protocols.
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices available for download here: https://www.se.com/ww/en/download/document/7EN52-0390/

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-098-01 ConneXium Network Manager Software – SEVD-2025-098-01 PDF Version, ConneXium Network Manager Software – SEVD-2025-098-01 CSAF Version.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 17, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-098-01

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Yokogawa
• Equipment: GX10, GX20, GP10, GP20, GM Data Acquisition System, DX1000, DX2000, DX1000N, FX1000, μR10000, μR20000, MW100, DX1000T, DX2000T, CX1000, CX2000
• Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to manipulate information on the affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Yokogawa recorder products are affected:

• GX10 / GX20 / GP10 / GP20 Paperless Recorders: Versions R5.04.01 and earlier
• GM Data Acquisition System: Versions R5.05.01 and earlier
• DX1000 / DX2000 / DX1000N Paperless Recorders: Versions R4.21 and earlier
• FX1000 Paperless Recorders: Versions R1.31 and earlier
• μR10000 / μR20000 Chart Recorders: Versions R1.51 and earlier
• MW100 Data Acquisition Units: All versions
• DX1000T / DX2000T Paperless Recorders: All versions
• CX1000 / CX2000 Paperless Recorders: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Authentication is disabled by default on the affected products. When connected to a network with default settings, this could allow anyone to access all functions related to settings and operations. As a result, an attacker can illegally manipulate and configure important data such as measured values and settings.

CVE-2025-1863 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1863. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and Agriculture
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Souvik Kandar of MicroSec (microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Yokogawa has provided the following countermeasures for this vulnerability:

• Yokogawa urges users to enable the authentication function when connecting the affected products to the network (login function).
• Be sure to change the password from the default setting after enabling the authentication function.

Yokogawa strongly recommends all users to establish and maintain a full security program. Security program components are patch updates, anti-virus, backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.

For more information, contact Yokogawa.

For more information and details on implementing these mitigations, users should see the Yokogawa advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 17, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: Arctic Wireless Gateways
• Vulnerabilities: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Improper Privilege Management, Exposure of Sensitive Information to an Unauthorized Actor, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could run arbitrary code in the product with privileged user permissions or could lead to a denial of service or tampering with unencrypted traffic.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports there are vulnerabilities in the Telit PL62-W wireless modem module used in the following products:

• Arctic ARP600, ARC600, ARR600: Firmware versions 3.4.10, 3.4.11, 3.4.12, 3.4.13 (CVE-2024-6387)
• Arctic Wireless Gateways ARG600, ARC600, ARR600: All versions with Telit PLS62-W wireless modem module (CVE-2023-47610, CVE-2023-47611, CVE-2023-47612, CVE-2023-47613, CVE-2023-47614, CVE-2023-47615, CVE-2023-47616)

3.2 VULNERABILITY OVERVIEW

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A buffer overflow vulnerability could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted short message service (SMS) message.

CVE-2023-47610 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-47610. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER PRIVILEGE MANAGEMENT CWE-269

An improper privilege management vulnerability could allow a local, low-privileged attacker to elevate privileges to “manufacturer” level on the targeted system by sending a specially crafted SMS message.

CVE-2023-47611 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-47611. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Files or directories accessible to an external parties vulnerability could allow an attacker with physical access to the target system to obtain a read/write access to any files and directories on the wireless modem module, including hidden files and directories.

CVE-2023-47612 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-47612. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A relative path traversal vulnerability could allow a local, low-privileged attacker to escape from virtual directories and get read/write access to protected files on the wireless modem module.

CVE-2023-47613 has been assigned to this vulnerability. A CVSS v3 base score of 3.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2023-47613. A base score of 2.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An exposure of sensitive information to an unauthorized actor vulnerability could allow a local, low-privileged attacker to disclose hidden virtual paths and file names on the wireless modem module.

CVE-2023-47614 has been assigned to this vulnerability. A CVSS v3 base score of 3.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2023-47614. A base score of 2.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.6 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An exposure of sensitive information through environmental variables vulnerability could allow a local, low-privileged attacker to get access to sensitive data on the wireless modem module.

CVE-2023-47615 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-47615. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An exposure of sensitive information to an unauthorized actor vulnerability could allow an attacker with physical access to the target system to get access to sensitive data on the wireless modem module.

CVE-2023-47616 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-47616. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362

This vulnerability is a signal handler race condition in OpenSSH’s server (sshd) on glibc-based Linux systems, allowing unauthenticated remote code execution as root.

CVE-2024-6387 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6387. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

ABB reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB recommends users to perform the following actions at their earliest convenience:

• Modem module vulnerability mitigations: Mitigate the cellular module vulnerabilities by contacting the mobile network operator and requesting to disable binary SMS for a mobile subscription. Note that binary SMS service is often disabled by default based on operator restrictions. If SMS services are not used in the solution, consider disabling them completely.
• SSH vulnerability mitigations: Establish remote connections through OpenVPN. If the SSH protocol is used for remote administration of Arctic wireless gateway, it is to be considered logging in to the wireless gateway through an OpenVPN tunnel. Do not expose SSH port to public networks. Keep the SSH port closed to public networks and thus limit the number of potential attackers who can attempt to exploit the vulnerability. This way only devices within the private network or those connected through a secure VPN can access the SSH server.
• Common mitigations: Obtain a private cellular access point to limit impact of any potential exploit. Contact the cellular provider for availability. Restrict physical access to the product. Follow general security recommendations for further advice on how to keep the system secure.

For more information, please refer to ABB’s Cybersecurity Advisory 2NGA002427.

ABB strongly recommends the following (non-exhaustive) list of cyber security practices for any installation of software-related ABB products:

• Isolate special purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them from any general purpose network (e.g., office or home networks).
• Install physical controls so no unauthorized personnel can access the devices, components, peripheral equipment, and networks.
• Never connect programming software or computers containing programing software to any network other than the network for the devices that it is intended for.
• Scan all data imported into your environment before use to detect potential malware infections.
• Minimize network exposure for all applications and endpoints to ensure that they are not accessible from the Internet unless they are designed for such exposure and the intended use requires such.
• Ensure all nodes are always up to date in terms of installed software, operating system, and firmware patches as well as anti-virus and firewall.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 10, 2025: Initial Re-publication of ABB 2NGA002427.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Mendix Runtime
• Vulnerability: Observable Response Discrepancy

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Mendix Runtime: V10: Versions prior to 10.21
• Mendix Runtime V8: All versions
• Mendix Runtime V9: All versions
• Mendix Runtime V10.6: All versions
• Mendix Runtime V10.12: All versions
• Mendix Runtime V10.18: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 OBSERVABLE RESPONSE DISCREPANCY CWE-204

Affected applications allow for entity enumeration due to distinguishable responses in certain client actions. This could allow an unauthenticated remote attacker to list all valid entities and attribute names of a Mendix Runtime-based application.

CVE-2025-30280 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30280. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Mendix Runtime V10.12, V10.18, V10.6, V8, V9: Currently no fix is available
• Mendix Runtime V10: Update to V10.21.0 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-874353 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 15, 2025: Initial Republication of Siemens’ Advisory SSA-874353

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Industrial Edge Device Kit
• Vulnerability: Weak Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Industrial Edge Device Kit – arm64 V1.19: All versions
• Industrial Edge Device Kit – x86-64 V1.21: Versions prior to V1.21.1-1
• Industrial Edge Device Kit – arm64 V1.17: All versions
• Industrial Edge Device Kit – arm64 V1.21: Versions prior to V1.21.1-1
• Industrial Edge Device Kit – x86-64 V1.19: All versions
• Industrial Edge Device Kit – arm64 V1.18: All versions
• Industrial Edge Device Kit – x86-64 V1.20: Versions prior to V1.20.2-1
• Industrial Edge Device Kit – arm64 V1.20: Versions prior to V1.20.2-1
• Industrial Edge Device Kit – x86-64 V1.18: All versions
• Industrial Edge Device Kit – x86-64 V1.17: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 WEAK AUTHENTICATION CWE-1390

Affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. Successful exploitation requires that identity federation to be currently used or has been previously used and the attacker has learned the identity of a legitimate user.

CVE-2024-54092 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-54092. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Ensure network access to affected products is limited to trusted parties only
• Industrial Edge Device Kit – arm64 V1.17, Industrial Edge Device Kit – arm64 V1.18, Industrial Edge Device Kit – arm64 V1.19, Industrial Edge Device Kit – x86-64 V1.17, Industrial Edge Device Kit – x86-64 V1.18, Industrial Edge Device Kit – x86-64 V1.19: Currently no fix is available
• Industrial Edge Device Kit – arm64 V1.20, Industrial Edge Device Kit – x86-64 V1.20: Update to V1.20.2-1 or later version
• Industrial Edge Device Kit – arm64 V1.21, Industrial Edge Device Kit – x86-64 V1.21: Update to V1.21.1-1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-819629 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 15, 2025: Initial Republication of Siemens Advisory SSA-819629

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMOCODE, SIMATIC, SIPLUS, SIDOOR, SIWAREX
• Vulnerability: Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote attackers to affect the availability of the devices under certain conditions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMOCODE pro V PROFINET: All versions
• SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): Versions prior to V4.4
• SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0): Versions prior to V4.4
• SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0): All versions
• SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0): Versions prior to V4.4
• SIDOOR ATD430W: All versions
• SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0): All versions
• SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0): All versions
• SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0): All versions
• SIPLUS HCS4300 CIM4310 (6BK1943-1AA00-0AA0): All versions
• SIMATIC ET 200SP IM 155-6 PN ST (6ES7155-6AU01-0BN0): All versions
• SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0): All versions
• SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0): All versions
• SIMATIC ET 200pro IM 154-8F PN/DP CPU (6ES7154-8FB01-0AB0): All versions
• SIMATIC ET 200SP IM 155-6 PN HF (6ES7155-6AU00-0CN0): All versions
• SIMATIC ET 200pro IM 154-4 PN HF (6ES7154-4AB10-0AB0): All versions
• SIPLUS ET 200M IM 153-4 PN IO HF (6AG1153-4BA00-7XB0): All versions
• SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): Versions prior to V4.4
• SIPLUS ET 200SP IM 155-6 PN ST (6AG1155-6AU00-7BN0): All versions
• SIPLUS ET 200SP IM 155-6 PN ST (6AG1155-6AU01-7BN0): All versions
• SIMATIC CFU DIQ (6ES7655-5PX31-1XX0): Versions prior to V2.0.0
• SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0): All versions
• SIPLUS ET 200SP IM 155-6 PN ST BA (6AG1155-6AA00-7BN0): All versions
• SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0): All versions
• SIMATIC ET 200SP IM 155-6 PN HS (6ES7155-6AU00-0DN0): All versions
• SIPLUS ET 200S IM151-3 PN HF (6AG1151-3BA23-7AB0): All versions
• SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0): Versions prior to V4.4
• SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0): Versions prior to V4.4
• SIMATIC ET 200SP IM 155-6 PN ST BA (6ES7155-6AA00-0BN0): All versions
• SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0): All versions
• SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0): Versions prior to V4.4
• SIMATIC ET 200M IM 153-4 PN IO ST (6ES7153-4AA01-0XB0): All versions
• SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0): All versions
• SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0): Versions prior to V4.4
• SIMATIC ET 200MP IM 155-5 PN ST (6ES7155-5AA01-0AB0): All versions
• SIMATIC TDC CPU555: All versions
• SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0): Versions prior to V4.4
• SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0): All versions
• SIPLUS ET 200SP IM 155-6 PN ST TX RAIL (6AG2155-6AU01-4BN0): All versions
• SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): Versions prior to V4.4
• SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0): All versions
• SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): Versions prior to V4.4
• SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0): All versions
• SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): Versions prior to V4.4
• SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0): All versions
• SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0): All versions
• SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): Versions prior to V4.4
• SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0): All versions
• SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0): All versions
• SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0): Versions prior to V4.4
• SIWAREX WP251 (7MH4960-6AA01): All versions
• SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0): Versions prior to V4.4
• SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0): All versions
• SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants): Versions priror to V1.3
• SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0): All versions
• SIMATIC TDC CP51M1: All versions
• SIPLUS ET 200MP IM 155-5 PN ST (6AG1155-5AA00-7AB0): All versions
• SIMATIC ET 200pro IM 154-8 PN/DP CPU (6ES7154-8AB01-0AB0): All versions
• SIPLUS ET 200MP IM 155-5 PN ST TX RAIL (6AG2155-5AA00-4AB0): All versions
• SIPLUS ET 200MP IM 155-5 PN ST TX RAIL (6AG2155-5AA01-4AB0): All versions
• SIPLUS ET 200SP IM 155-6 PN ST TX RAIL (6AG2155-6AU00-4BN0): All versions
• SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0): Versions prior to V4.4
• SIPLUS ET 200M IM 153-4 PN IO ST (6AG1153-4AA01-7XB0): All versions
• SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0): All versions
• SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0): All versions
• SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0): Versions prior to V4.4
• SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0): All versions
• SIPLUS ET 200S IM 151-8F PN/DP CPU (6AG1151-8FB01-2AB0): All versions
• SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0): All versions
• SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): Versions prior to V4.4
• SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0): Versions prior to V4.4
• SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): Versions prior to V4.4
• SIMATIC ET 200S IM 151-8F PN/DP CPU (6ES7151-8FB01-0AB0): All versions
• SIPLUS ET 200SP IM 155-6 PN ST BA TX RAIL (6AG2155-6AA00-4BN0): All versions
• SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0): All versions
• SIMATIC ET 200S IM 151-3 PN HS (6ES7151-3BA60-0AB0): All versions
• SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0): Versions prior to V4.4
• SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0): All versions
• SIPLUS ET 200S IM 151-8 PN/DP CPU (6AG1151-8AB01-7AB0): All versions
• SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0): Versions prior to V4.4
• SIMATIC ET 200MP IM 155-5 PN BA (6ES7155-5AA00-0AA0): All versions
• SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0): All versions
• SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0): All versions
• SIMATIC ET 200M IM 153-4 PN IO HF (6ES7153-4BA00-0XB0): All versions
• SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): Versions prior to V4.4
• SIMATIC CFU PA (6ES7655-5PX11-1XX0): Versions prior to V2.0
• SIMATIC ET 200S IM 151-3 PN HF (6ES7151-3BA23-0AB0): All versions
• SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants): Versions prior to V8.3
• SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0): Versions prior to V4.4
• SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0): Versions prior to V4.4
• SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0): Versions prior to V4.4
• SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0): All versions
• SIWAREX WP231 (7MH4960-2AA01): All versions
• SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): Versions prior to V4.4
• SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0): All versions
• SIMATIC CFU PA (6ES7655-5PX11-0XX0): Versions prior to V2.0.0
• SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0): Versions prior to V4.4
• SIMATIC ET 200S IM 151-8 PN/DP CPU (6ES7151-8AB01-0AB0): All versions
• SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU00-1CN0): All versions
• SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0): Versions prior to V4.4
• SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0): Versions prior to V4.4
• SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): Versions prior to V4.4
• SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU00-4CN0): All versions
• SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): Versions prior to V4.4
• SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants): All versions
• SINUMERIK 840D sl: All versions
• SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0): All versions
• SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0): All versions
• SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0): Versions prior to V4.4
• SIMOCODE pro V Ethernet/IP (incl. SIPLUS variants): All versions
• SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): Versions prior to V4.4
• SIMATIC ET 200S IM 151-3 PN FO (6ES7151-3BB23-0AB0): All versions
• SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0): All versions
• SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0): All versions
• SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU00-2CN0): All versions
• SIMATIC ET 200pro IM 154-8FX PN/DP CPU (6ES7154-8FX00-0AB0): All versions
• SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0): Versions prior to V4.4
• SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): Versions prior to V4.4
• SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0): All versions
• SIPLUS ET 200S IM151-3 PN ST (6AG1151-3AA23-2AB0): All versions
• SIMATIC ET 200SP IM 155-6 PN BA (6ES7155-6AR00-0AN0): All versions
• SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0): All versions
• SIPLUS ET 200SP IM 155-6 PN ST BA (6AG1155-6AA01-7BN0): All versions
• SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0): All versions
• SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): Versions prior to V4.4
• SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0): All versions
• SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants): All versions
• SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0): Versions prior to V4.4
• SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants): All versions
• SIPLUS HCS4200 CIM4210C (6BK1942-1AA00-0AA1): All versions
• SIPLUS ET 200SP IM 155-6 PN ST BA TX RAIL (6AG2155-6AA01-4BN0): All versions
• SIMATIC ET 200SP IM 155-6 PN ST (6ES7155-6AU00-0BN0): All versions
• SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0): All versions
• SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0): Versions prior to V4.4
• SIDOOR ATE530G COATED (6FB1221-5SM10-7BP0): All versions
• SIMATIC ET 200SP IM 155-6 PN ST BA (6ES7155-6AA01-0BN0): All versions
• SIPLUS ET 200MP IM 155-5 PN ST (6AG1155-5AA01-7AB0): All versions
• SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0): Versions prior to V4.4
• SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Versions prior to V4.4
• SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0): All versions
• SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0): All versions
• SIPLUS HCS4200 CIM4210 (6BK1942-1AA00-0AA0): All versions
• SIMATIC Power Line Booster PLB, Modem Module ST (6ES7972-5AA51-0AB0): All versions
• SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0): All versions
• SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0): All versions
• SIMATIC ET 200S IM 151-3 PN ST (6ES7151-3AA23-0AB0): All versions
• SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0): Versions prior to V4.4
• SIMATIC ET 200MP IM 155-5 PN ST (6ES7155-5AA00-0AB0): All versions
• SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0): All versions
• SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): Versions prior to V4.4
• SIWAREX WP241 (7MH4960-4AA01): All versions
• SIDOOR ATE530S COATED: All versions
• SIWAREX WP521 ST (7MH4980-1AA01): All versions
• SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0): All versions
• SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Versions prior to V4.4
• SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0): All versions
• SIMATIC Power Line Booster PLB, Base Module (6ES7972-5AA10-0AB0): All versions
• SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): Versions prior to V4.4
• SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0): All versions
• SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0): Versions prior to V4.4
• SIMATIC ET 200pro IM 154-3 PN HF (6ES7154-3AB00-0AB0): All versions
• SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0): All versions
• SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0): All versions
• SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0): All versions
• SIWAREX WP522 ST (7MH4980-2AA01): All versions
• SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): Versions prior to V4.4
• SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0): Versions prior to V4.4

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

The integrated ICMP service of the network stack of affected devices can be forced to exhaust its available memory resources when receiving specially crafted messages targeting IP fragment re-assembly. This could allow an unauthenticated remote attacker to cause a temporary denial-of-service condition of the ICMP service, other communication services are not affected. Affected devices will resume normal operation after the attack terminates.

CVE-2024-23814 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-23814. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Implement packet filtering rules at network perimeter devices (firewalls, routers, IDS/IPS) to block ICMP messages with large payloads if viable in your environment
• SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants): Disable the ethernet ports on the CPU and use a communication module (like CP) for communication instead
• SIDOOR ATD430W, SIDOOR ATE530G COATED (6FB1221-5SM10-7BP0), SIDOOR ATE530S COATED, SIMATIC ET 200AL IM 157-1 PN (6ES7157-1AB00-0AB0), SIMATIC ET 200M IM 153-4 PN IO HF (6ES7153-4BA00-0XB0), SIMATIC ET 200M IM 153-4 PN IO ST (6ES7153-4AA01-0XB0), SIMATIC ET 200MP IM 155-5 PN BA (6ES7155-5AA00-0AA0), SIMATIC ET 200MP IM 155-5 PN HF (6ES7155-5AA00-0AC0), SIMATIC ET 200MP IM 155-5 PN ST (6ES7155-5AA00-0AB0), SIMATIC ET 200MP IM 155-5 PN ST (6ES7155-5AA01-0AB0), SIMATIC ET 200pro IM 154-3 PN HF (6ES7154-3AB00-0AB0), SIMATIC ET 200pro IM 154-4 PN HF (6ES7154-4AB10-0AB0), SIMATIC ET 200pro IM 154-8 PN/DP CPU (6ES7154-8AB01-0AB0), SIMATIC ET 200pro IM 154-8F PN/DP CPU (6ES7154-8FB01-0AB0), SIMATIC ET 200pro IM 154-8FX PN/DP CPU (6ES7154-8FX00-0AB0), SIMATIC ET 200S IM 151-3 PN FO (6ES7151-3BB23-0AB0), SIMATIC ET 200S IM 151-3 PN HF (6ES7151-3BA23-0AB0), SIMATIC ET 200S IM 151-3 PN HS (6ES7151-3BA60-0AB0), SIMATIC ET 200S IM 151-3 PN ST (6ES7151-3AA23-0AB0), SIMATIC ET 200S IM 151-8 PN/DP CPU (6ES7151-8AB01-0AB0), SIMATIC ET 200S IM 151-8F PN/DP CPU (6ES7151-8FB01-0AB0), SIMATIC ET 200SP CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0), SIMATIC ET 200SP CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0), SIMATIC ET 200SP CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0), SIMATIC ET 200SP CPU 1512SP-1 PN (6ES7512-1DK00-0AB0), SIMATIC ET 200SP IM 155-6 MF HF (6ES7155-6MU00-0CN0), SIMATIC ET 200SP IM 155-6 PN BA (6ES7155-6AR00-0AN0), SIMATIC ET 200SP IM 155-6 PN HF (6ES7155-6AU00-0CN0), SIMATIC ET 200SP IM 155-6 PN HS (6ES7155-6AU00-0DN0), SIMATIC ET 200SP IM 155-6 PN ST (6ES7155-6AU00-0BN0), SIMATIC ET 200SP IM 155-6 PN ST (6ES7155-6AU01-0BN0), SIMATIC ET 200SP IM 155-6 PN ST BA (6ES7155-6AA00-0BN0), SIMATIC ET 200SP IM 155-6 PN ST BA (6ES7155-6AA01-0BN0), SIMATIC ET 200SP IM 155-6 PN/2 HF (6ES7155-6AU01-0CN0), SIMATIC ET 200SP IM 155-6 PN/3 HF (6ES7155-6AU30-0CN0), SIMATIC Power Line Booster PLB, Base Module (6ES7972-5AA10-0AB0), SIMATIC Power Line Booster PLB, Modem Module ST (6ES7972-5AA51-0AB0), SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0), SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0), SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0), SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0), SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0), SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0), SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0), SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0), SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0), SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0), SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0), SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0), SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0), SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0), SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0), SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0), SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0), SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0), SIMATIC S7-400 H V6 CPU family (incl. SIPLUS variants), SIMATIC S7-400 PN/DP V7 CPU family (incl. SIPLUS variants), SIMATIC S7-410 V10 CPU family (incl. SIPLUS variants), SIMATIC TDC CP51M1, SIMATIC TDC CPU555, SINUMERIK 840D sl, SIPLUS ET 200M IM 153-4 PN IO HF (6AG1153-4BA00-7XB0), SIPLUS ET 200M IM 153-4 PN IO ST (6AG1153-4AA01-7XB0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-2AC0), SIPLUS ET 200MP IM 155-5 PN HF (6AG1155-5AA00-7AC0), SIPLUS ET 200MP IM 155-5 PN HF T1 RAIL (6AG2155-5AA00-1AC0), SIPLUS ET 200MP IM 155-5 PN ST (6AG1155-5AA00-7AB0), SIPLUS ET 200MP IM 155-5 PN ST (6AG1155-5AA01-7AB0), SIPLUS ET 200MP IM 155-5 PN ST TX RAIL (6AG2155-5AA00-4AB0), SIPLUS ET 200MP IM 155-5 PN ST TX RAIL (6AG2155-5AA01-4AB0), SIPLUS ET 200S IM151-3 PN HF (6AG1151-3BA23-7AB0), SIPLUS ET 200S IM151-3 PN ST (6AG1151-3AA23-2AB0), SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU00-2CN0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU00-4CN0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-2CN0), SIPLUS ET 200SP IM 155-6 PN HF (6AG1155-6AU01-7CN0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU00-1CN0), SIPLUS ET 200SP IM 155-6 PN HF T1 RAIL (6AG2155-6AU01-1CN0), SIPLUS ET 200SP IM 155-6 PN HF TX RAIL (6AG2155-6AU01-4CN0), SIPLUS ET 200SP IM 155-6 PN ST (6AG1155-6AU00-7BN0), SIPLUS ET 200SP IM 155-6 PN ST (6AG1155-6AU01-7BN0), SIPLUS ET 200SP IM 155-6 PN ST BA (6AG1155-6AA00-7BN0), SIPLUS ET 200SP IM 155-6 PN ST BA (6AG1155-6AA01-7BN0), SIPLUS ET 200SP IM 155-6 PN ST BA TX RAIL (6AG2155-6AA00-4BN0), SIPLUS ET 200SP IM 155-6 PN ST BA TX RAIL (6AG2155-6AA01-4BN0), SIPLUS ET 200SP IM 155-6 PN ST TX RAIL (6AG2155-6AU00-4BN0), SIPLUS ET 200SP IM 155-6 PN ST TX RAIL (6AG2155-6AU01-4BN0), SIPLUS HCS4200 CIM4210 (6BK1942-1AA00-0AA0), SIPLUS HCS4200 CIM4210C (6BK1942-1AA00-0AA1), SIPLUS HCS4300 CIM4310 (6BK1943-1AA00-0AA0), SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0), SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0), SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0), SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0), SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0), SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0), SIWAREX WP231 (7MH4960-2AA01), SIWAREX WP241 (7MH4960-4AA01), SIWAREX WP251 (7MH4960-6AA01), SIWAREX WP521 ST (7MH4980-1AA01), SIWAREX WP522 ST (7MH4980-2AA01): Currently no fix is planned
• SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0), SIMOCODE pro V Ethernet/IP (incl. SIPLUS variants), SIMOCODE pro V PROFINET, SIPLUS ET 200S IM 151-8 PN/DP CPU (6AG1151-8AB01-7AB0), SIPLUS ET 200S IM 151-8F PN/DP CPU (6AG1151-8FB01-2AB0), SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0), SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0), SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0), SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0), SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0), SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0): Currently no fix is available
• SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants): Update to V1.3 or later version
• SIMATIC CFU PA (6ES7655-5PX11-1XX0): Update to V2.0.0 or later version
• SIMATIC CFU DIQ (6ES7655-5PX31-1XX0), SIMATIC CFU PA (6ES7655-5PX11-0XX0): Update to V2.0.0 or later version
• SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0), SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0), SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0), SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0), SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0), SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0), SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0), SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0), SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0), SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0), SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0), SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Update to V4.4 or later version
• SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0), SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0), SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0), SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0), SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0), SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0), SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0), SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0), SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0), SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0), SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0), SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Update to V4.4 or later version
• SIMATIC S7-410 V8 CPU family (incl. SIPLUS variants): Update to V8.3 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-725549 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 15, 2025: Initial Republication of Siemen’s Advisory SSA-725549

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Growatt
• Equipment: Cloud Applications
• Vulnerabilities: Cross-site Scripting, Authorization Bypass Through User-Controlled Key, Insufficient Type Distinction, External Control of System or Configuration Setting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise confidentiality, achieve cross-site scripting, or code execution on affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Growatt products are affected:

• Growatt cloud portal: Versions 3.6.0 and prior.

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.

CVE-2025-30511 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30511. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can check the existence of usernames in the system by querying an API.

CVE-2025-31933 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-CVE-2025-31933. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Authorization Bypass Through User-Controlled Key CWE-639

An authenticated attacker can obtain any plant name by knowing the plant ID.

CVE-2025-31949 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31949. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain a user’s plant list by knowing the username.

CVE-2025-31357 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31357. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.

CVE-2025-31941 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31941. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.6 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can infer the existence of usernames in the system by querying an API.

CVE-2025-24487 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24487. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can get users’ emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.

CVE-2025-27568 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27568. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner’s username.

CVE-2025-30254 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30254. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Authorization Bypass Through User-Controlled Key CWE-639

An attacker can change registered email addresses of other users and take over arbitrary accounts.

CVE-2025-27939 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27939. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.10 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can obtain restricted information about a user’s smart device collections (i.e., “rooms”).

CVE-2025-27938 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27938. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.11 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can obtain restricted information about a user’s smart device collections (i.e., “scenes”).

CVE-2025-30514 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30514. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.12 Authorization Bypass Through User-Controlled Key CWE-639

An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., “rooms”).

CVE-2025-31654 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31654. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.13 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can query an API endpoint and get device details.

CVE-2025-27719 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27719. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.14 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).

CVE-2025-26857 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-26857. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.15 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain other users’ charger information.

CVE-2025-31945 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31945. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.16 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain EV charger energy consumption information of other users.

CVE-2025-31950 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31950. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.17 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.

CVE-2025-27575 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27575. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.18 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can delete any user’s “rooms” by knowing the user’s and room IDs.

CVE-2025-27565 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27565. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.19 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can hijack other users’ devices and potentially control them.

CVE-2025-25276 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-25276. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.20 Authorization Bypass Through User-Controlled Key CWE-639

An attacker can export other users’ plant information.

CVE-2025-24850 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24850. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.21 Insufficient Type Distinction CWE-351

An attacker can upload an arbitrary file instead of a plant image.

CVE-2025-30510 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30510. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.22 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.

CVE-2025-24297 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24297. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.23 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.

CVE-2025-27927 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27927. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.24 External Control of System or Configuration Setting CWE-15

Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).

CVE-2025-30512 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-30512. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.25 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can trigger device actions associated with specific “scenes” of arbitrary users.

CVE-2025-31360 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-31360. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.26 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.

CVE-2025-31147 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31147. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.27 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.

CVE-2025-30257 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30257. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.28 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can rename “rooms” of arbitrary users.

CVE-2025-27561 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27561. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.29 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).

CVE-2025-24315 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24315. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.30 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.

CVE-2025-27929 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27929. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Forescout Technologies reported these vulnerabilities to CISA.

4. MITIGATIONS

Growatt reports the cloud-based vulnerabilities were patched and no user action is needed. Additionally, Growatt strongly recommends that their users take proactive steps in securing their devices and take the following actions:

• Update all devices to the latest firmware version when available. (Updates are automatic, no user action needed.)
• Use strong passwords and enable multi-factor authentication where applicable.
• Report any security concerns to Service@Growatt.com.
• Stay vigilant. Users and installers should regularly review security settings, follow best practices, and report any unusual activity.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 15, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Lantronix
• Equipment: Xport

• Vulnerability: Missing Authentication for Critical Function

  2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker unauthorized access to the configuration interface and cause disruption to monitoring and operations.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Lantronix products are affected:

• Xport: Versions 6.5.0.7 to 7.0.0.3

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation.

CVE-2025-2567 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2567. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Souvik Kandar from Microsec(microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Lantronix recommends users upgrade to their Xport Edge product, which brings in more cutting edge security suite. Xport edge is not affected by these vulnerabilities. Users should contact Lantronix directly for assistance.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 15, 2025: Initial Publication