Author: Admin @CloudCentric

Zenitel TCIV-3+

Written by Admin @CloudCentric on November 26, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Zenitel
Equipment: TCIV-3+
Vulnerabilities: OS Command Injection, Out-of-bounds Write, Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in arbitrary code execution or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of TCIV-3+ are affected:

TCIV-3+: All versions prior to 9.3.3.0

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An OS command injection vulnerability exists due to improper input validation. The application accepts a parameter directly from user input without verifying it is a valid IP address or filtering potentially malicious characters. This could allow an unauthenticated attacker to inject arbitrary commands.

CVE-2025-64126 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-64126. A base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An OS command injection vulnerability exists due to insufficient sanitization of user-supplied input. The application accepts parameters that are later incorporated into OS commands without adequate validation. This could allow an unauthenticated attacker to execute arbitrary commands remotely.

CVE-2025-64127 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-64127. A base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.

CVE-2025-64128 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-64128. A base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H).

3.2.4 OUT-OF-BOUNDS WRITE CWE-787

The affected product is vulnerable to an out-of-bounds write vulnerability, which could allow a remote attacker to crash the device.

CVE-2025-64129 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2025-64129. A base score of 7.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.5 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

The affected product is vulnerable to a reflected cross-site scripting vulnerability, which could allow a remote attacker to execute arbitrary JavaScript on the victim’s browser.

CVE-2025-64130 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-64130. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Belgium

3.4 RESEARCHER

Nir Tepper and Noam Moshe of Claroty Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

Zenitel recommends users to upgrade to Version 9.3.3.0 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 25, 2025: Initial Publication

Opto 22 groov View

Written by Admin @CloudCentric on November 26, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.1
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Opto 22
Equipment: groov View
Vulnerability: Exposure of Sensitive Information Through Metadata

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in credential exposure, key exposure, and privilege escalation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of groov View are affected:

groov View Server for Windows: Versions R1.0a to R4.5d
GRV-EPIC-PR1 Firmware: Versions prior to 4.0.3
GRV-EPIC-PR2 Firmware: Versions prior to 4.0.3

3.2 VULNERABILITY OVERVIEW

3.2.1 Exposure of Sensitive Information Through Metadata CWE-1230

The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.

CVE-2025-13084 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-13084. A base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta reported this vulnerability to CISA.

4. MITIGATIONS

Opto 22 has published a patch to address this vulnerability and recommends that users upgrade to groov View Server for Windows Version R4.5e and GRV-EPIC Firmware Version 4.0.3. Additional information is available from Opto 22 here.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 25, 2025: Initial Publication

Festo Compact Vision System, Control Block, Controller, and Operator Unit products

Written by Admin @CloudCentric on November 26, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Festo
Equipment: Compact Vision System, Control Block, Controller, and Operator Unit products
Vulnerabilities: Exposure of Resource to Wrong Sphere, Initialization of a Resource with an Insecure Default

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker accessing devices without authentication or modifying configuration files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Festo reports that the following products are affected:

Festo Software Compact Vision System SBO-Q-: All Versions
Festo Software Control block CPX-CEC-C1 Codesys V2: All Versions
Festo Software Control block CPX-CEC-C1-V3 Codesys V3: All Versions
Festo Software Control block CPX-CEC Codesys V2: All Versions
Festo Software Control block CPX-CEC-M1 Codesys V2: All Versions
Festo Software Control block CPX-CEC-M1-V3 Codesys V3: All Versions
Festo Software Control block CPX-CEC-S1-V3 Codesys V3: All Versions
Festo Software Control block CPX-CMXX: All Versions
Festo Software Controller CECC-D: All Versions
Festo Software Controller CECC-D-BA: All Versions
Festo Software Controller CECC-D-CS: All Versions
Festo Software Controller CECC-LK: All Versions
Festo Software Controller CECC-S: All Versions
Festo Software Controller CECC-X-M1: All Versions
Festo Software Controller CECC-X-M1-MV: All Versions
Festo Software Controller CECC-X-M1-S1: All Versions
Festo Software Controller CECX-X-C1: All Versions
Festo Software Controller CECX-X-M1: All Versions
Festo Software Controller CPX-E-CEC-C1: All Versions
Festo Software Controller CPX-E-CEC-C1-EP: All Versions
Festo Software Controller CPX-E-CEC-C1-PN: All Versions
Festo Software Controller CPX-E-CEC-M1: All Versions
Festo Software Controller CPX-E-CEC-M1-EP: All Versions
Festo Software Controller CPX-E-CEC-M1-PN: All Versions
Festo Software Controller FED-CEC: All Versions
Festo Software Operator unit CDPX-X-A-S-10: All Versions
Festo Software Operator unit CDPX-X-A-W-13: All Versions
Festo Software Operator unit CDPX-X-A-W-4: All Versions
Festo Software Operator unit CDPX-X-A-W-7: All Versions
Festo Software Operator unit CDPX-X-E1-W-10: All Versions
Festo Software Operator unit CDPX-X-E1-W-15: All Versions
Festo Software Operator unit CDPX-X-E1-W-7: All Versions

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.

CVE-2022-22515 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

3.2.2 INITIALIZATION OF A RESOURCE WITH AN INSECURE DEFAULT CWE-1188

In CODESYS V2 PLCWinNT and Runtime Toolkit 32 in versions prior to V2.4.7.57 password protection is not enabled by default and there is no information or prompt to enable password protection at login in case no password is set at the controller.

CVE-2022-31806 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CERT@VDE coordinated and supported publication with Festo. Rob Hulsebos and Daniel dos Santos of Forescout reported this vulnerability to Festo.

4. MITIGATIONS

Festo has identified the following specific workarounds and mitigations users can apply to reduce risk:

For CVE-2022-22515: Using the online user management prevents an attacker from downloading and executing malicious code, but also suppresses start, stop, debug, or other actions on a known working application that could potentially disrupt a machine or system.
For CVE-2022-31806: Enable password protection at login in case no password is set at the controller. Please note that the password configuration file is not covered via default FFT backup & Restore mechanism, you must select the related file manually.

For more information see the associated Festo SE & Co. KG security advisory FSA-202208 FSA-202208: Festo: Multiple Festo products contain an unsafe default Codesys configuration – HTML, FSA-202208: Festo: Multiple Festo products contain an unsafe default Codesys configuration – CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 25, 2025: Initial Republication of Festo SE & Co. KG FSA-202208

SiRcom SMART Alert (SiSA)

Written by Admin @CloudCentric on November 26, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: SiRcom
Equipment: SMART Alert (SiSA)
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could enable an attacker to remotely activate or manipulate emergency sirens.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SiRcom SMART Alert (SiSA), a central control system, are affected:

SMART Alert (SiSA): Version 3.0.48

3.2 VULNERABILITY OVERVIEW

3.2.1 Missing Authentication for Critical Function CWE-306

SiRcom SMART Alert (SiSA) allows unauthorized access to backend APIs. This allows an unauthenticated attacker to bypass the login screen using browser developer tools, gaining access to restricted parts of the application.

CVE-2025-13483 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-13483. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Emergency Services, Government Services and Facilities, Defense Industrial Base
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Souvik Kandar of Microsec (microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

SiRcom did not respond to CISA’s request for coordination. Contact SiRcom using their contact page for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 25, 2025: Initial Publication

Siemens Solid Edge

Written by Admin @CloudCentric on November 18, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Solid Edge
Vulnerability: Improper Certificate Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform man in the middle attacks.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

Siemens Solid Edge SE2025: All versions prior to V225.0 Update 11

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295

Affected applications do not properly validate client certificates to connect to License Service endpoint. This could allow an unauthenticated remote attacker to perform man in the middle attacks.

CVE-2025-40744 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40744. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Solid Edge SE2025: Update to V225.0 Update 11 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-522291 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

November 13, 2025: Initial Republication of Siemens ProductCERT SSA-522291

Rockwell Automation Studio 5000 Simulation Interface

Written by Admin @CloudCentric on November 18, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: Studio 5000 Simulation Interface
Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Server-Side Request Forgery (SSRF)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to trigger outbound SMB requests to capture NTLM hashes and execute scripts with Administrator privileges upon system reboot.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Studio 5000 Simulation Interface are affected:

Studio 5000 Simulation Interface: Version 2.02 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A local code execution security issue exists within Studio 5000 Simulation Interface via the API. This vulnerability allows any Windows user on the system to extract files using path traversal sequences, resulting in execution of scripts with Administrator privileges on system reboot.

CVE-2025-11696 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-11696. A base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

A local server-side request forgery (SSRF) security issue exists within Studio 5000 Simulation Interface via the API. This vulnerability allows any Windows user on the system to trigger outbound SMB requests, enabling the capture of NTLM hashes.

CVE-2025-11697 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-11697. A base score of 8.8 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends that users upgrade to version 3.0.0 or later.

Users who are unable to upgrade to the corrected version are encouraged to follow Rockwell Automation’s security best practices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

November 13, 2025: Initial republication of Rockwell Automation advisory ‘Studio 5000 Simulation Interface – Multiple Vulnerabilities’

Siemens COMOS

Written by Admin @CloudCentric on November 18, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: COMOS
Vulnerabilities: Incomplete List of Disallowed Inputs, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or lead to data infiltration.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

Siemens COMOS with COMOS Web deployed: Versions prior to 10.4.5 (CVE-2023-45133)
Siemens COMOS that use COMOS Snapshots component: Versions prior to 10.4.5 (CVE-2024-0056)

3.2 VULNERABILITY OVERVIEW

3.2.1 INCOMPLETE LIST OF DISALLOWED INPUTS CWE-184

Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any “polyfill provider” plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

CVE-2023-45133 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass Vulnerability

CVE-2024-0056 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

COMOS: Update to V10.4.5 or later version

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-682326 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 13, 2025: Initial Republication of Siemens ProductCERT SSA-682326

Shelly Pro 3EM

Written by Admin @CloudCentric on November 18, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.3
ATTENTION: Low attack complexity
Vendor: Shelly
Equipment: Pro 3EM
Vulnerability: Out-of-Bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Pro 3EM, a smart DIN rail switch, is affected:

Pro 3EM: all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

By sending a specially crafted Modbus request, an attacker can direct the device to access an illegal data address without standard error handling, causing the device to reboot and leading to a denial-of-service condition.

CVE-2025-12056 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-12056. A base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Bulgaria

3.4 RESEARCHER

Gabriele Quagliarella of Nozomi Networks reported this vulnerability to CISA.

4. MITIGATIONS

Shelly did not respond to CISA’s attempts at coordination. Users of Shelly Pro 3EM devices are encouraged to contact Shelly and keep their systems up to date.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

November 18, 2025: Initial Publication

Shelly Pro 4PM

Written by Admin @CloudCentric on November 18, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.3
ATTENTION: Low attack complexity
Vendor: Shelly
Equipment: Pro 4PM
Vulnerability: Allocation of Resources Without Limits or Throttling

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Pro 4PM, a smart DIN rail switch, is affected:

Pro 4PM: prior to v1.6

3.2 VULNERABILITY OVERVIEW

3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

Due to lack of input bounds checking, an attacker can send a specially crafted request to any RPC endpoint. The malicious request causes the device’s JSON parser to overallocate memory, leading the device to reboot and creating a denial-of-service condition.

CVE-2025-11243 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-11243. A base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Bulgaria

3.4 RESEARCHER

Gabriele Quagliarella of Nozomi Networks reported this vulnerability to CISA.

4. MITIGATIONS

Shelly did not respond to CISA’s attempts at coordination. Users of Shelly Pro 4PM devices are encouraged to contact Shelly and keep their systems up to date, as versions later than 1.6.0 are not vulnerable to the exploit.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

November 18, 2025: Initial Publication

Schneider Electric PowerChute Serial Shutdown

Written by Admin @CloudCentric on November 18, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Schneider Electric
Equipment: PowerChute Serial Shutdown
Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Restriction of Excessive Authentication Attempts, Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access user accounts or gain elevated system access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Schneider Electric PowerChute Serial Shutdown are affected:

Schneider Electric PowerChute Serial Shutdown: Versions 1.3 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A path traversal vulnerability exists that could cause elevated system access when a Web Admin user on the local network tampers with the POST/REST/UpdateJRE request payload.

CVE-2025-11565 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

An improper restriction of excessive authentication attempts vulnerability exists that could allow an attacker on the local network to gain access to the user account by performing an arbitrary number of authentication attempts with different credentials on the /REST/shutdownnow endpoint.

CVE-2025-11566 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.2.3 INCORRECT DEFAULT PERMISSIONS CWE-276

An incorrect default permissions vulnerability exists that could cause elevated system access when the target installation folder is not properly secured.

CVE-2025-11567 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Aleksandar Djurdjevic reported these vulnerabilities to Schneider Electric. Schneider Electric reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

PowerChute Serial Shutdown Versions v1.3 and prior: Version v1.4 of PowerChute Serial Shutdown includes a fix for these vulnerabilities and is available for download here:
- Windows: https://www.se.com/ww/en/download/document/SPD-PCSS_WIN_EN/
- Linux: https://www.se.com/ww/en/download/document/SPD-PCSS_LNX_EN/
(CVE-2025-11567) PowerChute Serial Shutdown Versions v1.3 and prior: To ensure remediation of CVE-2025-11567, users should immediately apply the following steps. If PowerChute is installed in a custom folder, ensure that the required permissions are set on the custom folder. NOTE: It is recommended to set administrative permissions on the custom folder. Specific instructions for these mitigations can be found in the Security Handbook.

The following product versions have been fixed:

PowerChute Serial Shutdown Version v1.4 installed on Microsoft Windows is a fixed version for CVE-2025-11565
PowerChute Serial Shutdown Version v1.4 installed on Red Hat Enterprise Linux is a fixed version for CVE-2025-11565
PowerChute Serial Shutdown Version v1.4 installed on SuSE Linux is a fixed version for CVE-2025-11565
PowerChute Serial Shutdown Version v1.4 installed on Microsoft Windows is a fixed version for CVE-2025-11566
PowerChute Serial Shutdown Version v1.4 installed on Red Hat Enterprise Linux is a fixed version for CVE-2025-11566
PowerChute Serial Shutdown Version v1.4 installed on SuSE Linux is a fixed version for CVE-2025-11566
PowerChute Serial Shutdown Version v1.4 installed on Microsoft Windows is a fixed version for CVE-2025-11567
PowerChute Serial Shutdown Version v1.4 installed on Red Hat Enterprise Linux is a fixed version for CVE-2025-11567
PowerChute Serial Shutdown Version v1.4 installed on SuSE Linux is a fixed version for CVE-2025-11567

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-315-01 PowerChute Serial Shutdown – SEVD-2025-315-01 PDF Version, PowerChute Serial Shutdown – SEVD-2025-315-01 CSAF Version.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

November 18, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-315-01