Author: Admin @CloudCentric

Mitsubishi Electric GX Works2

1. EXECUTIVE SUMMARY

  • CVSS v4 6.8
  • ATTENTION: Low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: GX Works2
  • Vulnerability: Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could open project files protected by user authentication using disclosed credential information, and obtain or modify project information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of GX Works2 are affected:

  • GX Works2: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

An attacker could disclose credential information stored in plaintext from project files. As a result, the attacker may be able to open project files protected by user authentication using disclosed credential information, and obtain or modify project information.

CVE-2025-3784 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-3784. A base score of 6.8 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Jiho Shin of Sungkyunkwan University reported this vulnerability to Mitsubishi Electric. Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

The fixed version for this vulnerability is currently under development by Mitsubishi Electric. Until the fixed version is released, please implement the following mitigations:

  • Use PCs with the affected product installed only within a LAN, and block remote logins from untrusted networks, hosts, or users.
  • When a PC with the affected product installed must be connected to the Internet, block unauthorized access with a firewall or a virtual private network (VPN), and allow remote logins only for trusted users.
  • Restrict physical access to PCs with the affected product installed, and to the PCs and network devices that can communicate with them.
  • Install antivirus software on PCs running the affected product.
  • Encrypt project files when sending or receiving them over the Internet.

See Mitsubishi Electric’s security bulletin for information on the availability of the security updates.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • December 4, 2025: Initial Republication of Mitsubishi Electric advisory 2025-016

Johnson Controls iSTAR

1. EXECUTIVE SUMMARY

  • CVSS v4 7.1
  • ATTENTION: Low attack complexity
  • Vendor: Johnson Controls Inc.
  • Equipment: iSTAR eX, iSTAR Edge, iSTAR Ultra LT, iSTAR Ultra, iSTAR Ultra SE
  • Vulnerability: Improper Validation of Certificate Expiration

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in the product failing to re-establish communication once the certificate expires.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Johnson Controls iSTAR are affected:

  • iSTAR eX: All versions prior to TLS 1.2
  • iSTAR Edge: All versions prior to TLS 1.2
  • iSTAR Ultra LT (if in TLS 1.2): All versions prior to TLS 1.2
  • iSTAR Ultra (if in TLS 1.2): All versions prior to TLS 1.2
  • iSTAR Ultra SE (if in TLS 1.2): All versions prior to TLS 1.2

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF CERTIFICATE EXPIRATION CWE-298

Under certain circumstances, an iSTAR using the default certificate to connect to the C•CURE Server may fail to re-establish communication once the certificate expires.

CVE-2025-61736 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-61736. A base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Government Facilities, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends the following mitigations:

Host-based certificates using TLS 1.2:

  • Quickest solution
  • No Upgrade required to specific C•CURE or iSTAR software/firmware versions
  • Requires downloading a new certificate to all iSTAR panels simultaneously, resulting in a brief system downtime

Convert encryption mode to TLS 1.3, per cluster:

  • Requires firmware 6.9.0 or higher, and C•CURE 9000 v2.90 SP3 or higher
  • Enables phased implementation by cluster, minimizing disruption
  • Note: TLS 1.3 is not supported on iSTAR eX, iSTAR Edge, and iSTAR Ultra LT panels

Upgrade legacy panels to new G2 hardware:

  • Recommended for smaller systems due to time constraints
  • Applies primarily to iSTAR eX, iSTAR Edge, and iSTAR LT panels

Johnson Controls strongly encourages users to work with their Software House integrators to audit their systems and determine the most appropriate course of action. Johnson Controls' technical support team provides extensive documentation and instructional videos on the Support Portal, and hosts ongoing webinars covering both host-based certificate implementation and TLS 1.3 migration.
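The three options above are a decision per panel, driven by model, firmware, C•CURE version and how long the default certificate has left. The script below is an added example, not Johnson Controls code: it applies the advisory's rules (TLS 1.3 only on iSTAR Ultra and Ultra SE with firmware 6.9.0+ and C•CURE 9000 v2.90 SP3+; host-based certificates on any panel; G2 replacement for the legacy models) to a constructed inventory and ranks panels by how close their default certificate is to expiry. Field names, the 90-day window and the inventory entries are this script's own assumptions.

```python
"""Added example (not Johnson Controls code): triage a panel inventory against
the three mitigation paths the advisory lists for CVE-2025-61736.

Rules taken from the advisory:
  - TLS 1.3 conversion needs panel firmware 6.9.0+ and C-CURE 9000 v2.90 SP3+,
    and is not supported on iSTAR eX, iSTAR Edge or iSTAR Ultra LT.
  - Host-based certificates work on any panel without a version upgrade.
  - G2 hardware replacement applies primarily to the legacy panels above.
The inventory below is constructed; field names are this script's own.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

TLS13_MODELS = {"iSTAR Ultra", "iSTAR Ultra SE"}
LEGACY_MODELS = {"iSTAR eX", "iSTAR Edge", "iSTAR Ultra LT"}
MIN_TLS13_FIRMWARE = (6, 9, 0)


@dataclass(frozen=True)
class Panel:
    name: str
    model: str
    firmware: str              # dotted, e.g. "6.9.1"
    cert_not_after: datetime   # notAfter of the certificate the panel uses
    default_cert: bool         # True if still on the factory default cert


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def urgency(panel: Panel, now: datetime, window_days: int = 90) -> str:
    """'expired' | 'expiring' (inside window) | 'planned' (beyond window)."""
    days = (panel.cert_not_after - now).days
    if days < 0:
        return "expired"
    return "expiring" if days <= window_days else "planned"


def recommend(panel: Panel, now: datetime, ccure_supports_tls13: bool) -> tuple:
    """Return (urgency, action) for one panel per the advisory's options."""
    if not panel.default_cert:
        return ("ok", "already on a host-based certificate; no action")
    level = urgency(panel, now)
    tls13_ok = (panel.model in TLS13_MODELS
                and ccure_supports_tls13
                and parse_version(panel.firmware) >= MIN_TLS13_FIRMWARE)
    if tls13_ok:
        action = "convert cluster to TLS 1.3 (phased, per cluster)"
    elif panel.model in LEGACY_MODELS:
        action = "load host-based certificate; plan G2 hardware replacement"
    else:
        action = "load host-based certificate (firmware or C-CURE below TLS 1.3 minimum)"
    return (level, action)


def triage(panels, now: datetime, ccure_supports_tls13: bool) -> dict:
    return {p.name: recommend(p, now, ccure_supports_tls13) for p in panels}


# Constructed inventory for demonstration.
NOW = datetime(2025, 12, 5, tzinfo=timezone.utc)
INVENTORY = [
    Panel("lobby-ultra", "iSTAR Ultra", "6.9.2", datetime(2026, 6, 1, tzinfo=timezone.utc), True),
    Panel("dock-ultra", "iSTAR Ultra", "6.8.0", datetime(2026, 1, 15, tzinfo=timezone.utc), True),
    Panel("gate-edge", "iSTAR Edge", "6.3.0", datetime(2025, 11, 30, tzinfo=timezone.utc), True),
    Panel("lab-ultra-se", "iSTAR Ultra SE", "6.9.0", datetime(2027, 1, 1, tzinfo=timezone.utc), False),
]

if __name__ == "__main__":
    for name, (level, action) in triage(INVENTORY, NOW, ccure_supports_tls13=True).items():
        print(f"{name:14} {level:9} {action}")
```

Panels whose certificate has already lapsed come out as "expired"; since the advisory's impact is loss of communication with the C•CURE server, those are the ones to confirm on site first, before any certificate push is scheduled.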

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2025-12 at the following location: https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • December 04, 2025: Initial Republication of JCI-PSA-2025-12

Industrial Video & Control Longwatch

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Industrial Video & Control
  • Equipment: Longwatch
  • Vulnerability: IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to gain remote code execution with elevated privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Industrial Video & Control Longwatch, a video surveillance and monitoring system, are affected:

  • Longwatch: Versions 6.309 to 6.334

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CONTROL OF GENERATION OF CODE (‘CODE INJECTION’) CWE-94

A vulnerability in Longwatch devices allows unauthenticated HTTP GET requests to execute arbitrary code via an exposed endpoint, due to the absence of code signing and execution controls. Exploitation results in SYSTEM-level privileges.

CVE-2025-13658 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-13658. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
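Because the weakness is an endpoint that runs code from an unauthenticated GET, the practical detection question while patching is "who is sending GETs to the Longwatch host, from where, and with what in the query string". The script below is an added example, not Industrial Video & Control code: it scans constructed web-server log lines in Combined Log Format and flags requests that come from outside the expected OT subnet or carry shell- or code-like tokens in a GET query. The endpoint path is not published in the advisory, so the check keys on source, method and payload shape; the `/api/run` path, the `10.20.0.0/16` subnet and the log lines are assumptions.

```python
"""Added example (not Industrial Video & Control code): flag HTTP requests to a
Longwatch host that fit the exposure described for CVE-2025-13658, i.e.
unauthenticated GET requests arriving from outside the expected OT subnet or
carrying code-like payloads. The vulnerable endpoint path is not published, so
the logic keys on source address, method and query contents, not on a URL.
Log lines are constructed (Combined Log Format); the trusted subnet and the
'/api/run' path are assumptions.
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit

TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # assumed OT subnet
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)
# Tokens that have no business in a camera/monitoring GET query string.
CODE_HINTS = re.compile(r"\$\(|`|\|\||;|&&|\b(?:cmd|powershell|eval|exec)\b", re.I)


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(rec: dict) -> list:
    """Return the reasons this request is suspicious (empty list if none)."""
    reasons = []
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in TRUSTED_NETS):
        reasons.append("source outside trusted OT subnet")
    if rec["method"] == "GET":
        query = unquote(urlsplit(rec["target"]).query)   # decode %3B etc. first
        if CODE_HINTS.search(query):
            reasons.append("code-like payload in GET query")
    return reasons


def scan(lines) -> list:
    """Return (src, target, reasons) for every suspicious request, in log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["src"], rec["target"], reasons))
    return hits


SAMPLE_LOG = [  # constructed
    '10.20.3.7 - - [02/Dec/2025:10:01:02 +0000] "GET /video/live?cam=3 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [02/Dec/2025:10:01:05 +0000] "GET /video/live?cam=3 HTTP/1.1" 200 5120',
    '10.20.3.7 - - [02/Dec/2025:10:01:09 +0000] "GET /api/run?arg=x%3Bpowershell%20-enc%20AAAA HTTP/1.1" 200 88',
    '10.20.3.7 - - [02/Dec/2025:10:01:12 +0000] "POST /login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for src, target, reasons in scan(SAMPLE_LOG):
        print(src, target, "; ".join(reasons))
```

The 200 status on the flagged request is the point: an endpoint that answers an unauthenticated, code-bearing GET with success rather than 401 is exactly what the advisory describes, so status codes are worth keeping in the alert even though they are not used as a filter here.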

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Concerned OT Engineer reported this vulnerability to CISA.

4. MITIGATIONS

Industrial Video & Control recommends that users running versions 6.309 to 6.334 upgrade to version 6.335 or later to ensure protection against this vulnerability.

For more details, view Industrial Video & Control’s advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 2, 2025: Initial Publication

Iskra iHUB and iHUB Lite

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Iskra
  • Equipment: iHUB and iHUB Lite
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Iskra iHUB and iHUB Lite, a Smart Metering Gateway and Data Concentrator, are affected:

  • iHUB and iHUB Lite: All Versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Missing Authentication for Critical Function CWE-306

The Iskra iHUB and iHUB Lite smart metering gateway exposes its web management interface without requiring authentication, allowing unauthenticated users to access and modify critical device settings.

CVE-2025-13510 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-13510. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Slovenia

3.4 RESEARCHER

Souvik Kandar reported this vulnerability to CISA.

4. MITIGATIONS

Iskra did not respond to CISA’s request for coordination. Contact Iskra using their contact page for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 2, 2025: Initial Publication

Opto 22 GRV-EPIC and groov RIO

1. EXECUTIVE SUMMARY

  • CVSS v4 7.5
  • ATTENTION: Exploitable remotely
  • Vendor: Opto 22
  • Equipment: GRV-EPIC-PR1, GRV-EPIC-PR2, groov RIO
  • Vulnerability: Improper Neutralization of Special Elements used in an OS Command

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in the execution of arbitrary shell commands with root privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of GRV Programmable Logic Controllers are affected:

  • GRV-EPIC-PR1 Firmware: Versions prior to 4.0.3
  • GRV-EPIC-PR2 Firmware: Versions prior to 4.0.3
  • groov RIO GRV-R7-MM1001-10 Firmware: Versions prior to 4.0.3
  • groov RIO GRV-R7-MM2001-10 Firmware: Versions prior to 4.0.3
  • groov RIO GRV-R7-I1VAPM-3 Firmware: Versions prior to 4.0.3

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) CWE-78

A vulnerability exists in the Opto22 Groov Manage REST API on GRV-EPIC and groov RIO Products that allows remote code execution with root privileges. When a POST request is executed against the vulnerable endpoint, the application reads certain header details and unsafely uses these values to build commands, allowing an attacker with administrative privileges to inject arbitrary commands that execute as root.

CVE-2025-13087 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-13087. A base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).
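The description above is the classic CWE-78 shape: a request header is read and spliced into a command string that a privileged process hands to a shell. The block below is an added example, not Opto 22 code: it shows that pattern beside the hardened form, where the value is checked against an allowlist and passed as a single argv element with no shell involved. The header name `X-Target`, the `ping` command and the hostname allowlist are stand-ins; the advisory does not publish the real endpoint or command.

```python
"""Added example (not Opto 22 code): the header-to-command pattern described for
CVE-2025-13087, beside a hardened form. The header name 'X-Target' and the
'ping' command are assumed stand-ins; the real endpoint and command are not
documented in the advisory.
"""
import re
import subprocess

HEADER = "X-Target"
# Allowlist: hostnames / IPv4 literals only. Anything else is rejected outright
# rather than escaped, because the value was never meant to carry shell syntax.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")


def build_command_unsafe(headers: dict) -> str:
    """The vulnerable shape: header value concatenated into a shell string.
    Returned only, never executed here. Run with shell=True as root, a value
    such as '10.0.0.5; id' executes 'id' as root."""
    return "ping -c 1 " + headers.get(HEADER, "")


def build_command_safe(headers: dict) -> list:
    """Hardened: validate against the allowlist and return an argv list, so the
    value reaches ping as one argument and no shell ever parses it."""
    value = headers.get(HEADER, "")
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected {HEADER} value {value!r}")
    return ["ping", "-c", "1", value]


def run_safe(headers: dict) -> int:
    """Execute the hardened form without a shell; returns the exit status."""
    argv = build_command_safe(headers)
    return subprocess.run(argv, capture_output=True, check=False).returncode


def is_injected(headers: dict) -> bool:
    """Same allowlist used as a detector over proxy/WAF-captured headers."""
    return HOSTNAME_RE.fullmatch(headers.get(HEADER, "")) is None


if __name__ == "__main__":
    benign = {HEADER: "10.0.0.5"}
    hostile = {HEADER: "10.0.0.5; id"}
    print(build_command_unsafe(hostile))       # shows the injected command
    print(build_command_safe(benign))
    try:
        build_command_safe(hostile)
    except ValueError as err:
        print("blocked:", err)
```

Two design points follow from the vector (PR:H, root impact): the allowlist rejects rather than escapes, because an administrator-supplied target has no legitimate need for shell metacharacters; and the API process should not be running as root in the first place, so that even a missed injection does not yield the full device.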

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to CISA.

4. MITIGATIONS

Opto 22 has published a patch to address this vulnerability and recommends that users upgrade to GRV-EPIC and groov RIO Firmware Version 4.0.3. Additional information is available from Opto 22 here.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • November 20, 2025: Initial Publication

Festo MSE6-C2M/D2M/E2M

1. EXECUTIVE SUMMARY

  • CVSS v3 8.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Festo SE & Co. KG
  • Equipment: MSE6-C2M/D2M/E2M
  • Vulnerability: Hidden Functionality

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a complete loss of confidentiality, integrity, and availability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Festo reports the following products are affected:

  • MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L4-AGD: All versions
  • MSE6-C2M-5000-FB36-D-M-RG-BAR-M12L5-AGD: All versions
  • MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L4-MQ1-AGD: All versions
  • MSE6-C2M-5000-FB43-D-M-RG-BAR-M12L5-MQ1-AGD: All versions
  • MSE6-C2M-5000-FB44-D-M-RG-BAR-AMI-AGD: All versions
  • MSE6-C2M-5000-FB44-D-RG-BAR-AMI-AGD: All versions
  • MSE6-D2M-5000-CBUS-S-RG-BAR-VCB-AGD: All versions
  • MSE6-E2M-5000-FB13-AGD: All versions
  • MSE6-E2M-5000-FB36-AGD: All versions
  • MSE6-E2M-5000-FB37-AGD: All versions
  • MSE6-E2M-5000-FB43-AGD: All versions
  • MSE6-E2M-5000-FB44-AGD: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Hidden Functionality CWE-912

In Festo MSE6 product-family, a remote authenticated, low-privileged attacker could use functions of undocumented test mode, which could lead to a complete loss of confidentiality, integrity, and availability.

CVE-2023-3634 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Festo coordinated this vulnerability with CERT@VDE.

4. MITIGATIONS

Festo has updated the user documentation in the next product version to address this issue.

For more information, see the associated Festo SE & Co. KG security advisory FSA-202304: Festo: MSE6-C2M/D2M/E2M Incomplete User Documentation of Remote Accessible Functions (available in HTML and CSAF formats).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 20, 2025: Initial Republication of Festo FSA-202304

Festo Didactic products

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low attack complexity
  • Vendor: Festo SE & Co. KG
  • Equipment: Didactic products
  • Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow the creation or overwriting of arbitrary files in the engineering system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Festo reports that the following products contain affected versions of Siemens TIA-Portal:

  • Siemens TIA-Portal V15 prior to V17 Update 6 installed on Festo Hardware MES PC: All versions
  • Siemens TIA-Portal V18 prior to V18 Update 1 installed on Festo Hardware MES PC: All versions
  • Siemens TIA-Portal V15 prior to V17 Update 6 installed on Festo Hardware TP260 (<June2023): All versions
  • Siemens TIA-Portal V18 prior to V18 Update 1 installed on Festo Hardware TP260 (<June2023): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Input Validation CWE-20

A vulnerability has been identified in Siemens Totally Integrated Automation Portal (TIA Portal) V15, V16, V17, and V18. The affected products contain a path traversal vulnerability that could allow the creation or overwriting of arbitrary files in the engineering system. If the user is tricked into opening a malicious PC system configuration file, an attacker could exploit this vulnerability to achieve arbitrary code execution.

CVE-2023-26293 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
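A path traversal in a file that the engineering system unpacks comes down to one missing check: every entry name taken from the file must resolve to a location inside the destination folder. The block below is an added example, not Siemens or Festo code and not the fix shipped in TIA Portal V17 Update 6 / V18 Update 1: it shows that containment check applied to a constructed set of configuration entries, using Windows path rules so the result is the same on any host. The destination folder and the entry names are assumptions.

```python
"""Added example (not Siemens or Festo code): the containment check that a path
traversal such as the one described in CVE-2023-26293 requires when an
engineering tool unpacks file entries from a configuration file. Entry names
come from the file (attacker-controlled); only names that stay inside the
destination folder are written. Windows path rules are applied with
PureWindowsPath so the check behaves the same on any host. The destination
folder and the entries are constructed.
"""
from pathlib import PureWindowsPath

DESTINATION = PureWindowsPath(r"C:\Projects\Line1")   # assumed


def resolve_entry(base: PureWindowsPath, entry_name: str) -> PureWindowsPath:
    """Return base/entry_name, or raise if the entry would escape base."""
    entry = PureWindowsPath(entry_name)
    if entry.drive or entry.root:           # C:\..., \\server\share\..., \foo
        raise ValueError(f"absolute or rooted entry rejected: {entry_name!r}")
    if ".." in entry.parts:                 # pathlib keeps '..' components
        raise ValueError(f"parent reference rejected: {entry_name!r}")
    target = base / entry
    # Belt and braces: the joined path must still begin with base's parts.
    if target.parts[: len(base.parts)] != base.parts:
        raise ValueError(f"entry escapes destination: {entry_name!r}")
    return target


def unpack(base: PureWindowsPath, entries: dict) -> tuple:
    """Simulate extraction: returns (written {path: bytes}, rejected [name])."""
    written, rejected = {}, []
    for name, data in entries.items():
        try:
            written[str(resolve_entry(base, name))] = data
        except ValueError:
            rejected.append(name)
    return written, rejected


# Constructed configuration-file entries: two legitimate, three hostile.
ENTRIES = {
    r"Station1\config.xml": b"<cfg/>",
    "hmi/screens.bin": b"\x00\x01",
    r"..\..\Windows\System32\evil.dll": b"MZ",
    r"C:\Users\Public\Startup\run.bat": b"@echo off",
    r"\\attacker\share\payload.exe": b"MZ",
}

if __name__ == "__main__":
    ok, bad = unpack(DESTINATION, ENTRIES)
    for path in ok:
        print("write ", path)
    for name in bad:
        print("reject", name)
```

The drive/root test matters as much as the `..` test: a drive letter or UNC prefix in an entry name does not need any parent references to land a file in a startup folder, which is how a file write turns into code execution once the user opens the malicious file.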

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Communications, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Festo coordinated this vulnerability with CERT@VDE.

4. MITIGATIONS

Festo recommends users of affected devices update TIA-Portal. Refer to Siemens SSA-116924 for more details.

For more information, see the associated Festo SE & Co. KG security advisory FSA-202303: Festo: Vulnerable Siemens TIA-Portal in multiple Festo Didactic products (available in HTML and CSAF formats).

CISA recommends users take the following measures to protect themselves from social engineering attacks:

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • November 20, 2025: Initial Republication of Festo FSA-202303

Emerson Appleton UPSMON-PRO

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Emerson
  • Equipment: Appleton UPSMON-PRO
  • Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow remote attackers to execute arbitrary code on affected installations of Appleton UPSMON-PRO.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Emerson products are affected:

  • Appleton UPSMON-PRO: Versions 2.6 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

A crafted UDP packet sent to the default UDP port 2601 can overflow a stack-based buffer and overwrite critical memory locations. Because the UPSMONProService service does not properly validate the data it receives, this could allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges.

CVE-2024-3871 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3871. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

kimiya working with Trend Micro’s Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

According to Emerson, Appleton UPSMON-PRO is End of Life and unsupported. Users still running the product are advised to replace it or, where that is not yet possible, to apply the following mitigations in line with their company policies and cybersecurity operational recommendations.

Recommended Actions if not replaced:

  • Block UDP port 2601 at firewall level for all UPSMON-PRO installations
  • Isolate UPS monitoring networks from general corporate networks
  • Implement network-level packet filtering to reject oversized UDP packets to port 2601
  • Monitor for UPSMONProSer.exe service crashes as potential indicators of exploitation attempts

Long-term Strategy Recommendation:

  • Replace UPSMON-PRO with actively supported UPS monitoring solution
  • Implement defense-in-depth strategies for critical power infrastructure monitoring
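Of the interim mitigations above, the crash indicator is the one that needs a concrete check: a failed exploitation attempt against a stack overflow usually kills the service, so repeated terminations of UPSMONProSer.exe in a short window are the signal to pull packet captures for UDP/2601. The script below is an added example, not Emerson code: it runs that check over constructed Windows event records, matching Service Control Manager event 7034 ("service terminated unexpectedly") and Application Error event 1000 ("Faulting application name: UPSMONProSer.exe"). The pipe-separated export format, the 10-minute window and the service display name in the sample records are assumptions.

```python
"""Added example (not Emerson code): turn the advisory's indicator, crashes of
the UPSMONProSer.exe service, into a check over exported Windows event log
records. Two event shapes are matched: Service Control Manager 7034 ("The X
service terminated unexpectedly") and Application Error 1000 ("Faulting
application name: UPSMONProSer.exe"). Records below are constructed; the
export format (time|provider|id|message) and the service display name are
this script's own assumptions.
"""
import re
from datetime import datetime, timedelta

PROCESS = "UPSMONProSer.exe"
SERVICE_HINT = re.compile(r"\bUPSMON", re.I)
FAULTING_RE = re.compile(r"Faulting application name:\s*(\S+?),", re.I)


def parse_record(line: str) -> dict:
    ts, provider, event_id, message = line.split("|", 3)
    return {"time": datetime.fromisoformat(ts), "provider": provider,
            "id": int(event_id), "message": message}


def is_upsmon_crash(rec: dict) -> bool:
    """True for SCM 7034 naming an UPSMON service or App Error 1000 for the exe."""
    if rec["provider"] == "Service Control Manager" and rec["id"] == 7034:
        return bool(SERVICE_HINT.search(rec["message"]))
    if rec["provider"] == "Application Error" and rec["id"] == 1000:
        m = FAULTING_RE.search(rec["message"])
        return bool(m) and m.group(1).lower() == PROCESS.lower()
    return False


def crash_bursts(lines, window=timedelta(minutes=10), threshold=2) -> list:
    """Return (first_time, count) for each run of >= threshold crashes whose
    span fits inside `window`; single isolated crashes are not reported."""
    times = sorted(r["time"] for r in map(parse_record, lines) if is_upsmon_crash(r))
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], j - i + 1))
        i = j + 1
    return bursts


SAMPLE_EVENTS = [  # constructed
    "2025-11-21T02:00:00|Service Control Manager|7036|The Print Spooler service entered the running state.",
    "2025-11-21T02:14:03|Application Error|1000|Faulting application name: UPSMONProSer.exe, version: 2.6.0.0, faulting module name: UPSMONProSer.exe",
    "2025-11-21T02:14:04|Service Control Manager|7034|The UPSMON-PRO Service service terminated unexpectedly. It has done this 1 time(s).",
    "2025-11-21T02:15:31|Service Control Manager|7034|The UPSMON-PRO Service service terminated unexpectedly. It has done this 2 time(s).",
    "2025-11-21T09:00:00|Application Error|1000|Faulting application name: notepad.exe, version: 10.0.19041.1, faulting module name: ntdll.dll",
]

if __name__ == "__main__":
    for start, count in crash_bursts(SAMPLE_EVENTS):
        print(f"{count} UPSMON-PRO crashes within 10 min starting {start:%Y-%m-%d %H:%M:%S}; "
              "check UDP/2601 captures for oversized datagrams")
```

At the network edge, the "reject oversized UDP packets to port 2601" item can be expressed with the iptables length match (`-p udp --dport 2601 -m length --length N:65535 -j DROP`), with N set just above the largest datagram observed in legitimate UPSMON-PRO traffic; the advisory does not give the protocol's normal packet size, so that value has to be measured, not guessed.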

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 20, 2025: Initial Publication

Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Ashlar-Vellum
  • Equipment: Cobalt, Xenon, Argon, Lithium, Cobalt Share
  • Vulnerabilities: Out-of-Bounds Write, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Ashlar-Vellum products are affected:

  • Cobalt: Versions 12.6.1204.207 and prior
  • Xenon: Versions 12.6.1204.207 and prior
  • Argon: Versions 12.6.1204.207 and prior
  • Lithium: Versions 12.6.1204.207 and prior
  • Cobalt Share: Versions 12.6.1204.207 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An Out-of-Bounds Write vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code.

CVE-2025-65084 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-65084. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 HEAP-BASED BUFFER OVERFLOW CWE-122

A Heap-based Buffer Overflow vulnerability is present in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions 12.6.1204.207 and prior that could allow an attacker to disclose information or execute arbitrary code.

CVE-2025-65085 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-65085. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Ashlar-Vellum recommends users update to the following versions:

  • Cobalt: Versions 12.6.1204.208 or higher
  • Xenon: Versions 12.6.1204.208 or higher
  • Argon: Versions 12.6.1204.208 or higher
  • Lithium: Versions 12.6.1204.208 or higher
  • Cobalt Share: Versions 12.6.1204.208 or higher

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • November 25, 2025: Initial Publication

Rockwell Automation Arena Simulation

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.1
  • ATTENTION: Exploitable from a local network
  • Vendor: Rockwell Automation
  • Equipment: Arena Simulation
  • Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow local attackers to execute arbitrary code on affected installations of Arena.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

  • Arena Simulation: Version 16.20.10 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Arena suffers from a stack-based buffer overflow vulnerability. The specific flaw exists within the parsing of DOE files. Local attackers are able to exploit this issue to potentially execute arbitrary code on affected installations of Arena. Exploiting the vulnerability requires opening a malicious DOE file.

CVE-2025-11918 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.0 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-11918. A base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users upgrade Arena Simulation to version 16.20.11 or later.

Users who are unable to upgrade the affected software to a corrected version should follow Rockwell Automation’s security best practices.

For more information about this issue, see advisory SD1763 on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • November 25, 2025: Initial Publication