Author: Admin @CloudCentric

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.8
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Communication modules for Modicon M580 and Quantum controllers
• Vulnerability: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a stack overflow attack, which could result in loss of confidentiality, integrity, and denial of service of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following communication modules for Modicon M580 and Quantum controllers are affected by a vulnerability in VxWorks operating system:

• Modicon M580 communication modules BMENOC BMENOC0321: Versions prior to SV1.10
• Modicon M580 communication modules BMECRA BMECRA31210: All versions
• Modicon M580/Quantum communication modules BMXCRA BMXCRA31200: All versions
• Modicon M580/Quantum communication modules BMXCRA BMXCRA31210: All versions
• Modicon Quantum communication modules 140CRA 140CRA31908: All versions
• Modicon Quantum communication modules 140CRA 140CRA31200: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

A possible stack overflow in dhcp server was discovered in Wind River VxWorks through 6.8.

CVE-2021-29999 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific remediations and mitigations users can apply to reduce risk:

• Modicon M580 communication modules BMENOC BMENOC0321: Version SV1.10 of BMENOC0321 includes a fix for this vulnerability and is available for download here: https://www.se.com/ww/en/product/BMENOC0321/m580- noc-control/
• Schneider Electric is establishing a remediation plan for all future versions of BMECRA, BMXCRA and 140CRA that will include a fix for this vulnerability. They will update SEVD-2025-014-03 when the remediation is available. Until then, users should immediately implement a firewall to allow only authorized traffic on 67/UDP and 68/UDP ports to reduce the risk of exploit.

Schneider Electric strongly recommends the following industry cybersecurity best practices.

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best
Practices document.

For more information, see Schneider Electric security notification “SEVD-2025-014-03 Wind River VxWorks DHCP server vulnerability”

Additional information about the vulnerability can be found on the Wind River site.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 27, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/Low attack complexity
• Vendor: Rockwell Automation
• Equipment: PowerFlex 755
• Vulnerability: Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in exposure of sensitive data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of PowerFlex 755, a motor application control drive software, is affected:

• PowerFlex 755: Versions 16.002.279 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected version of the product is vulnerable to credential exposure due to using HTTP, resulting in credentials being sent in clear text. This can allow sensitive data to be sniffed and captured by an attacker.

CVE-2025-0631 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-0631. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has provided an updated version of PowerFlex 755 software, v20.3.407, which users are encouraged to apply. For information on how to mitigate security risks on industrial automation control systems, Rockwell Automation also encourages users to implement suggested security best practices to minimize the risk of the vulnerability.

For more information refer to Rockwell Automation’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

February 25, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: ASPECT-Enterprise, NEXUS, and MATRIX series
• Vulnerability: Use of Hard-coded Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to obtain access to devices without proper authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports the following products are affected:

• ABB ASPECT®-Enterprise ASP-ENT-x: Versions 3.08.03 and prior
• ABB NEXUS Series NEX-2x: Versions 3.08.03 and prior
• ABB NEXUS Series: Versions 3.08.03 and prior
• ABB MATRIX Series MAT-x: Versions 3.08.03 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

Several hard-coded credentials for the products internal use are contained in the firmware as plain text information.

CVE-2024-51547 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-51547. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Gjoko Krstikj of Zero Science Lab reported this vulnerability to CISA.

4. MITIGATIONS

ABB has identified specific workarounds and mitigations users can apply to reduce risk and recommends users to perform the following actions on any released SW version of ASPECT:

• Stop and disconnect any ASPECT products that are exposed directly to the Internet, either via a direct ISP connection or via NAT port forwarding.
• Ensure that physical controls are in place, so no unauthorized personnel can access your devices, components, peripheral equipment, and networks.
• Ensure log-files, downloaded from the equipment is protected against unauthorized access.
• Ensure that all ASPECT products are upgraded to the latest firmware version. Please find the latest version of ASPECT firmware on the respective product homepage.
• When remote access is required, only use secure methods. If a Virtual Private Network (VPN) is used, ensure that the chosen VPN is secure i.e. updated to the most current version available and configured for secure access.

For more information, please refer to ABB’s cybersecurity advisory 9AKK108470A6775.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 20, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SiPass integrated
• Vulnerability: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the application server, if a specially crafted backup set is used for a restore.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SiPass integrated V2.90: Versions prior to V2.90.3.19
• SiPass integrated V2.95: Versions prior to V2.95.3.15

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Directory traversal vulnerability in DotNetZip versions v.1.16.0 and prior which allows a remote attacker to execute arbitrary code via the src/Zip.Shared/ZipEntry.Extract.cs component. This vulnerability only affects products that are no longer supported by the maintainer. For SiPass integrated V2.90 and V2.95: The product could only be exploitable in situations where a specially crafted backup set is used for a restore.

CVE-2024-48510 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48510. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Transportation Systems, Energy, Healthcare and Public Health, Financial Services, Government Services and Facilities
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released a new version for SiPass integrated and recommends updating to the latest version:

• SiPass integrated V2.90: Update to V2.90.3.19 or later version
• SiPass integrated V2.95: Update to V2.95.3.15 or later version

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Ensure that only trusted persons are permitted to initiate a restore via the Configuration Client
• Do not use untrusted backup files for a restore

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-992434 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 20, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Rapid Response Monitoring
• Equipment: My Security Account App
• Vulnerability: Authorization Bypass Through User-Controlled Key

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attacker to access sensitive information of other users.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rapid Response Monitoring products are affected:

• My Security Account App API: Versions prior to 7/29/24

3.2 VULNERABILITY OVERVIEW

3.2.1 Authorization Bypass Through User-Controlled Key CWE-639

Rapid Response Monitoring My Security Account App utilizes an API that could be exploited by an attacker to modify request data, potentially causing the API to return information about other users.

CVE-2025-0352 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-0352. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Emergency Services
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

kbots reported this vulnerability to CISA.

4. MITIGATIONS

Rapid Response Monitoring reports that this issue was patched on their end and no action is required by users. For further information, contact Rapid Response Monitoring.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 20, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: FLXEON Controllers
• Vulnerabilities: Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’), Missing Origin Validation in WebSockets, Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to send unauthorized HTTPS requests, access sensitive information from HTTPS responses, or use network access to execute remote code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports that the following products are affected:

• FLXEON Controllers FBXi: Version 9.3.4 and prior
• FLXEON Controllers FBVi: Version 9.3.4 and prior
• FLXEON Controllers FBTi: Version 9.3.4 and prior
• FLXEON Controllers CBXi: Version 9.3.4 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77

Network access can be used to execute arbitrary code with elevated privileges. This issue affects FLXEON version 9.3.4 and prior.

CVE-2024-48841 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48841. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 MISSING ORIGIN VALIDATION IN WEBSOCKETS CWE-1385

Session management is not sufficient to prevent unauthorized HTTPS requests. This issue affects FLXEON version 9.3.4 and prior.

CVE-2024-48849 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48849. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532

Some information may be improperly disclosed through HTTPS access. This issue affects FLXEON version 9.3.4 and prior.

CVE-2024-48852 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-48852. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Gjoko Krstikj of Zero Science Lab reported these vulnerabilities through responsible disclosure.

4. MITIGATIONS

ABB recommends that users update to firmware version 9.3.5.

ABB recommends that users immediately do the following actions on any released version of FLXEON:

• Stop and disconnect any FLXEON products that are exposed directly to the Internet, either via a direct ISP connection or via NAT port forwarding.
• Ensure that physical controls are in place, so no unauthorized personnel can access your devices, components, peripheral equipment, and networks.
• Ensure that all FLXEON products are upgraded to the latest firmware version (9.3.5 or above). Please find the latest version of FLXEON firmware on the respective product homepage.
• When remote access is required, only use secure methods. If a virtual private network (VPN) is used, ensure that the chosen VPN is secure i.e. updated to the most current version available and configured for secure access.

For more information, please refer to ABB’s cybersecurity advisory 9AKK108470A5684.

ABB states that these vulnerabilities are only exploitable if attackers can access the network segment where FLXEON is installed and exposed directly to the internet. ABB therefore recommends the following guidelines in order to protect users networks:

• FLXEON devices should never be exposed directly to the Internet either via a direct ISP connection nor via NAT port forwarding. If remote access to a FLXEON system is a user requirement, the system shall operate behind a firewall. Users accessing FLXEON remotely shall do this using a VPN gateway allowing access to the particular network segment where FLXEON is in stalled and configured.
• It is crucial that the VPN gateway and network are set up in accordance with best industry standards and maintained in terms of security patches for all related components.
• Change default passwords if they are still in use.
• Ensure that all FLXEON products are upgraded to the latest firmware version. Please find the latest version of FLXEON firmware on the respective product homepage.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 20, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Carrier
• Equipment: Block Load
• Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a malicious actor to execute arbitrary code with escalated privileges .

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Carrier product, which is a HVAC load calculation program, are affected:

• Block Load: Version 4.16

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The vulnerability could allow a malicious actor to perform DLL hijacking and execute arbitrary code with escalated privileges.

CVE-2024-10930 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-10930. A base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
• COUNTRIES/AREAS DEPLOYED: United States
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

An anonymous researcher reported this vulnerability to Carrier.

4. MITIGATIONS

Carrier recommends users to upgrade the product to v4.2 or later. If any issues arise, users are encouraged to contact Carrier directly. For more information refer to Carrier’s security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 20, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Elseta
• Equipment: Vinci Protocol Analyzer
• Vulnerability: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to escalate privileges and perform code execution on the affected system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Elseta products are affected:

Vinci Protocol Analyzer: Versions prior to 3.2.3.19

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An OS command injection vulnerability exists in Vinci Protocol Analyzer that could allow an attacker to escalate privileges and perform code execution on affected system.

CVE-2025-1265 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1265. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Lithuania

3.4 RESEARCHER

Nguyen Huu Thien Duc reported this vulnerability to CISA.

4. MITIGATIONS

Elseta recommends affected users update to version 3.2.3.19 or later. Contact Elseta for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 20, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Dingtian
• Equipment: DT-R0 Series
• Vulnerability: Authentication Bypass Using an Alternate Path or Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to modify the device settings and gain administrator access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Dingtian DT-R0 Series are affected:

• DT-R002: Version V3.1.3044A
• DT-R008: Version V3.1.1759A
• DT-R016: Version V3.1.2776A
• DT-R032: Version V3.1.3826A

3.2 Vulnerability Overview

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

The Dingtian DT-R0 Series is vulnerable to an exploit that allows attackers to bypass login requirements by directly navigating to the main page.

CVE-2025-1283 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1283. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Cumhur Kizilari (Zeus) reported this vulnerability to CISA.

4. MITIGATIONS

Dingtian has not responded to requests to work with CISA to mitigate this vulnerability, thus no mitigation is available at this time. Users of affected versions of Dingtian DT-R002 are invited to contact Dingtian customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC PCS neo and TIA Administrator
• Vulnerability: Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMOCODE ES V19: Versions prior to V19 Update 1
• TIA Administrator: Versions 3.0.4 and prior
• SIMATIC PCS neo V4.1: Versions prior to V4.1 Update 2
• SIMATIC PCS neo V4.0: All versions
• SIRIUS Safety ES V19 (TIA Portal): Versions prior to V19 Update 1
• SIRIUS Soft Starter ES V19 (TIA Portal): Versions prior to V19 Update 1
• SIMATIC PCS neo V5.0: Versions prior to V5.0 Update 1

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT SESSION EXPIRATION CWE-613

Affected products do not correctly invalidate user sessions upon user logout. This could allow a remote unauthenticated attacker, who has obtained the session token by other means, to re-use a legitimate user’s session even after logout.

CVE-2024-45386 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45386. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Close browser and client after logout and remove all locally stored session tokens
• SIMATIC PCS neo V4.0: Currently no fix is planned
• SIMOCODE ES V19: Update to V19 Update 1 or later version
• SIRIUS Soft Starter ES V19 (TIA Portal): Update to V19 Update 1 or later version
• SIRIUS Safety ES V19 (TIA Portal): Update to V19 Update 1 or later version
• TIA Administrator: Update to V3.0.4 or later version
• SIMATIC PCS neo V4.1: Update to V4.1 Update 2 or later version
• SIMATIC PCS neo V5.0: Update to V5.0 Update 1 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-342348 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 13, 2025: Initial Publication