
Author: Admin @CloudCentric

Mitsubishi Electric MELSEC-Q Series CPU Module


1. EXECUTIVE SUMMARY

  • CVSS v3.1 6.8
  • ATTENTION: Exploitable remotely
  • Vendor: Mitsubishi Electric
  • Equipment: MELSEC-Q Series CPU module
  • Vulnerability: Improper Handling of Length Parameter Inconsistency

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial of service (DoS).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC-Q Series CPU modules are affected:

  • MELSEC-Q Series Q03UDVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’
  • MELSEC-Q Series Q04UDVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’
  • MELSEC-Q Series Q06UDVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’
  • MELSEC-Q Series Q13UDVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’
  • MELSEC-Q Series Q26UDVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’
  • MELSEC-Q Series Q04UDPVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’
  • MELSEC-Q Series Q06UDPVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’
  • MELSEC-Q Series Q13UDPVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’
  • MELSEC-Q Series Q26UDPVCPU: The first 5 digits of serial No. ‘24082’ to ‘27081’

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Handling of Length Parameter Inconsistency CWE-130

A Denial-of-Service (DoS) vulnerability exists in the MELSEC-Q series CPU module when the user authentication function is enabled, due to improper handling of length parameter inconsistency.
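CWE-130 is the class of bug in which a message declares one payload length and carries another, and the receiver trusts the declared value. The following added example, which is not Mitsubishi Electric code and does not model the MELSEC-Q wire format (the two-byte command id, two-byte length layout and the 1024-byte cap are constructed for illustration), shows a receive path that faults on such a frame next to one that cross-checks the declared length against the bytes actually received and keeps serving:

```python
"""Length-field validation for a length-prefixed frame (added example).

Constructed frame layout (an assumption for illustration, not the MELSEC wire format):
  2 bytes little-endian command id, 2 bytes little-endian payload length, then payload.
"""
import struct

HEADER = struct.Struct("<HH")   # command id, declared payload length
MAX_PAYLOAD = 1024              # constructed upper bound for this toy protocol


class FrameError(ValueError):
    """Raised for frames whose declared length disagrees with the bytes received."""


def parse_frame_naive(buf: bytes) -> tuple:
    """Trusts the declared length: a short frame raises struct.error out of the parser,
    which in a firmware receive loop would be an unhandled fault (the DoS pattern)."""
    cmd, length = HEADER.unpack_from(buf)
    (payload,) = struct.unpack_from(f"<{length}s", buf, HEADER.size)
    return cmd, payload


def naive_parser_faults(buf: bytes) -> bool:
    """True when the trusting parser raises out of the receive path on this frame."""
    try:
        parse_frame_naive(buf)
    except struct.error:
        return True
    return False


def parse_frame(buf: bytes) -> tuple:
    """Checks the declared length against the bytes actually present before using it."""
    if len(buf) < HEADER.size:
        raise FrameError("truncated header")
    cmd, length = HEADER.unpack_from(buf)
    if length > MAX_PAYLOAD:
        raise FrameError(f"declared length {length} exceeds limit {MAX_PAYLOAD}")
    actual = len(buf) - HEADER.size
    if actual != length:
        raise FrameError(f"declared length {length} but {actual} payload bytes received")
    return cmd, buf[HEADER.size:]


def build_frame(cmd: int, payload: bytes) -> bytes:
    """Encoder used only to construct sample input."""
    return HEADER.pack(cmd, len(payload)) + payload


def handle(buf: bytes) -> str:
    """Receive-loop behaviour: malformed frames are rejected and the loop continues."""
    try:
        cmd, payload = parse_frame(buf)
    except FrameError as exc:
        return f"rejected: {exc}"
    return f"ok: cmd=0x{cmd:04x} payload={len(payload)} bytes"


if __name__ == "__main__":
    good = build_frame(0x0401, b"\x00" * 8)
    short = HEADER.pack(0x0401, 64) + b"\x00" * 8   # declares 64 bytes, carries 8
    print(handle(good))
    print(handle(short))
    print("naive parser faults on short frame:", naive_parser_faults(short))
```

The exact-match check (`actual != length`) is deliberate: accepting trailing bytes would let a sender smuggle a second frame behind the first, and accepting a short frame is the fault being fixed.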

CVE-2025-8531 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric has released the fixed versions listed below, but updating an already deployed product to a fixed version is currently unavailable. Consider migrating to the successor model, the MELSEC iQ-R Series.

  • MELSEC-Q Series Q03UDVCPU: The first 5 digits of serial No. ‘27082’ or later.
  • MELSEC-Q Series Q04UDVCPU: The first 5 digits of serial No. ‘27082’ or later.
  • MELSEC-Q Series Q06UDVCPU: The first 5 digits of serial No. ‘27082’ or later.
  • MELSEC-Q Series Q13UDVCPU: The first 5 digits of serial No. ‘27082’ or later.
  • MELSEC-Q Series Q26UDVCPU: The first 5 digits of serial No. ‘27082’ or later.
  • MELSEC-Q Series Q04UDPVCPU: The first 5 digits of serial No. ‘27082’ or later.
  • MELSEC-Q Series Q06UDPVCPU: The first 5 digits of serial No. ‘27082’ or later.
  • MELSEC-Q Series Q13UDPVCPU: The first 5 digits of serial No. ‘27082’ or later.
  • MELSEC-Q Series Q26UDPVCPU: The first 5 digits of serial No. ‘27082’ or later.

Mitsubishi Electric recommends that users employ the following mitigation measures to minimize the risk of this vulnerability being exploited.

  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  • Use within a LAN and block access from untrusted networks and hosts through firewalls.
  • Restrict physical access to the affected products, as well as to computers and network devices that can be connected to those products.

See Mitsubishi Electric’s security bulletin for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • September 23, 2025: Initial Publication

AutomationDirect CLICK PLUS


1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: AutomationDirect
  • Equipment: CLICK PLUS
  • Vulnerabilities: Cleartext Storage of Sensitive Information, Use of Hard-coded Cryptographic Key, Use of a Broken or Risky Cryptographic Algorithm, Predictable Seed in Pseudo-Random Number Generator, Improper Resource Shutdown or Release, Missing Authorization

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, modify device settings, escalate privileges, or cause a denial-of-service condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following AutomationDirect products are affected:

  • CLICK PLUS C0-0x CPU firmware: Versions prior to v3.71
  • CLICK PLUS C0-1x CPU firmware: Versions prior to v3.71
  • CLICK PLUS C2-x CPU firmware: Versions prior to v3.71

3.2 VULNERABILITY OVERVIEW

3.2.1 Cleartext Storage of Sensitive Information CWE-312

Cleartext storage of sensitive information was discovered in Click Programming Software version v3.60. The vulnerability can be exploited by a local user with access to the file system, while an administrator session is active, to steal credentials stored in clear text.

CVE-2025-54855 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-54855. A base score of 4.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 Use of Hard-coded Cryptographic Key CWE-321

The use of a hard-coded cryptographic key was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software contains a hard-coded AES key used to protect the initial messages of a new KOPS session.

CVE-2025-58069 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-58069. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Use of a Broken or Risky Cryptographic Algorithm CWE-327

The use of a broken or risky cryptographic algorithm was discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software uses an insecure implementation of the RSA encryption algorithm.

CVE-2025-59484 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-59484. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.4 Predictable Seed in Pseudo-Random Number Generator CWE-337

A predictable seed in pseudo-random number generator vulnerability has been discovered in firmware version 3.60 of the Click Plus PLC. The vulnerability relies on the fact that the software implements a predictable seed for its pseudo-random number generator, which compromises the security of the generated private keys.

CVE-2025-55069 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-55069. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.5 Improper Resource Shutdown or Release CWE-404

An improper resource shutdown or release vulnerability has been identified in the Click Plus C2-03CPU-2 device running firmware version 3.60. The vulnerability allows an unauthenticated attacker to perform a denial-of-service attack by exhausting all available device sessions of the Click Programming Software.

CVE-2025-58473 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-58473. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 Missing Authorization CWE-862

An authorization bypass vulnerability has been discovered in the Click Plus C2-03CPU2 device firmware version 3.60. Through the KOPR protocol utilized by the Remote PLC application, authenticated users with low-level access permissions can exploit this vulnerability to read and modify PLC variables beyond their intended authorization level.

CVE-2025-55038 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-55038. A base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.7 Improper Resource Shutdown or Release CWE-404

An improper resource shutdown or release vulnerability has been identified in the Click Plus C2-03CPU-2 device running firmware version 3.60. The vulnerability allows an unauthenticated attacker to perform a denial-of-service attack by exhausting all available device sessions in the Remote PLC application.

CVE-2025-57882 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-57882. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Luca Borzacchiello and Diego Zaffaroni of Nozomi Networks reported these vulnerabilities to AutomationDirect.

4. MITIGATIONS

AutomationDirect recommends that users update CLICK PLUS and firmware to V3.80.

If the update cannot be applied right away, the following compensating controls are recommended until the upgrade can be performed:

  • Network Isolation – Disconnect the CLICK PLUS PLC from external networks (e.g., the internet or corporate LAN) to reduce exposure.
  • Secure Communications – Use only trusted, dedicated internal networks or air-gapped systems for device communication.
  • Access Control – Restrict both physical and logical access to authorized personnel only.
  • Application Whitelisting – Configure whitelisting so that only trusted, pre-approved applications are allowed to run. Block any unauthorized software.
  • Endpoint Protection – Use antivirus or EDR tools and configure host-based firewalls to block unauthorized access attempts.
  • Logging & Monitoring – Enable and regularly review system logs to detect suspicious or unauthorized activity.
  • Backup & Recovery – Maintain secure, tested backups of the PLC and its configurations to minimize downtime in case of an incident.
  • Ongoing Risk Assessment – Continuously evaluate risks associated with running outdated firmware and adjust compensating measures accordingly.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.


No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 23, 2025: Initial Publication

Dover Fueling Solutions ProGauge MagLink LX4 Devices


1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Dover Fueling Solutions
  • Equipment: ProGauge MagLink LX4, ProGauge MagLink LX4 Plus, ProGauge MagLink LX4 Ultimate
  • Vulnerabilities: Integer Overflow or Wraparound, Use of Hard-coded Cryptographic Key, Use of Weak Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in a remote attacker causing a denial-of-service condition or gaining administrative access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ProGauge MagLink LX, a fuel and water tank monitor, are affected:

  • ProGauge MagLink LX 4: Versions prior to 4.20.3
  • ProGauge MagLink LX Plus: Versions prior to 4.20.3
  • ProGauge MagLink LX Ultimate: Versions prior to 5.20.3

3.2 VULNERABILITY OVERVIEW

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

Affected devices fail to handle Unix time values beyond a certain point. An attacker can manually change the system time to exploit this limitation, potentially causing errors in authentication and leading to a denial-of-service condition.

CVE-2025-55068 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2025-55068. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.2 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

The secret used for validating authentication tokens is hardcoded in device firmware for affected versions. An attacker who obtains the signing key can bypass authentication, gaining complete access to the system.

CVE-2025-54807 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54807. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
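Sections 3.2.1 and 3.2.2 above are two sides of the same token-validation path: a signing secret baked into the firmware image is shared by every unit in the field, and a time field that stops working "beyond a certain point" turns a clock change into an authentication failure. The following added example, which is not Dover Fueling Solutions code and does not reproduce the MagLink LX token format (the HMAC-SHA256 layout, the per-device key store and the signed 32-bit model of the time field are assumptions made for illustration), shows the two mitigations together: a key generated per device on first provisioning rather than shipped in firmware, and expiry comparisons done on unbounded integers, next to a small model of how a 32-bit time field inverts the comparison once a timestamp passes 2**31-1:

```python
"""Per-device token signing key and overflow-safe expiry handling (added example).

Assumptions: tokens are HMAC-SHA256 over 'subject|issued|expires', and the device keeps its key
in writable storage generated on first boot. The page does not describe the real token format.
"""
import base64
import hashlib
import hmac
import secrets
import struct


def provision_device_key(store: dict) -> bytes:
    """Generate the signing key once per device from the OS CSPRNG and persist it,
    instead of baking a single key into every firmware image."""
    if "token_key" not in store:
        store["token_key"] = secrets.token_bytes(32)
    return store["token_key"]


def issue_token(key: bytes, subject: str, issued_at: int, ttl_seconds: int) -> str:
    if "|" in subject:
        raise ValueError("subject may not contain the field separator")
    payload = f"{subject}|{issued_at}|{issued_at + ttl_seconds}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag.hex()


def verify_token(key: bytes, token: str, now: int) -> tuple:
    """Return (accepted, reason_or_subject). Timestamps are compared as Python ints,
    which do not wrap, so values past 2**31-1 are handled like any other."""
    try:
        payload_b64, tag_hex = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = bytes.fromhex(tag_hex)
    except ValueError:                      # covers binascii.Error and bad unpacking
        return False, "malformed"
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return False, "bad signature"
    try:
        subject, issued_s, expires_s = payload.decode().split("|")
        issued_at, expires_at = int(issued_s), int(expires_s)
    except ValueError:
        return False, "malformed"
    if not (0 <= issued_at <= now < expires_at):
        return False, "expired or not yet valid"
    return True, subject


def to_int32(ts: int) -> int:
    """Model a signed 32-bit time field: values above 2**31-1 wrap to negative numbers."""
    return struct.unpack("<i", struct.pack("<I", ts & 0xFFFFFFFF))[0]


def expiry_ok_32bit(now: int, expires_at: int) -> bool:
    """The comparison a 32-bit field would make; it inverts once either value crosses 2038-01-19."""
    return to_int32(now) < to_int32(expires_at)


if __name__ == "__main__":
    store = {}                              # stands in for the device's writable key store
    key = provision_device_key(store)
    tok = issue_token(key, "operator", 1_700_000_000, 3600)
    print(verify_token(key, tok, 1_700_000_100))
    print("32-bit check across 2038 boundary:", expiry_ok_32bit(2**31 - 10, 2**31 + 10))
```

With a per-device key, extracting the secret from one firmware image or one unit no longer yields a token that every other deployed device accepts, which is the property the CWE-321 finding lacks.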

3.2.3 USE OF WEAK CREDENTIALS CWE-1391

Affected versions of the device have default root credentials that cannot be changed through standard administrative means. An attacker with network access to the device can gain administrative access to the system.

CVE-2025-30519 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30519. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Pedro Umbelino of Bitsight TRACE reported these vulnerabilities to CISA.

4. MITIGATIONS

Dover Fueling Solutions recommends users update their ProGauge MagLink devices to Version 4.20.3 or later for MagLink LX 4 and MagLink LX Plus models. The upgrade can be downloaded from the Dover Fueling Solutions website.

For MagLink LX Ultimate devices, Dover Fueling Solutions recommends users update to version 5.20.3 or later.

Dover Fueling Solutions recommends all users install the software behind a firewall to minimize risk of remote attacks.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 18, 2025: Initial Publication

Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit


1. EXECUTIVE SUMMARY

  • CVSS v4 5.8
  • ATTENTION: Low Attack Complexity
  • Vendor: Schneider Electric
  • Equipment: Saitel DR RTU
  • Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could enable an attacker to execute arbitrary shell commands on the affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

  • Schneider Electric Saitel DR RTU: Versions 11.06.29 and prior
  • Schneider Electric Saitel DP RTU: Versions 11.06.33 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An OS command injection vulnerability exists that could cause the execution of any shell command when executing a netstat command using BLMon Console in an SSH session.

CVE-2025-9996 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-9996. A base score of 5.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An OS command injection vulnerability (CWE-78) exists that could allow command injection through BLMon, which is executed in the operating system console within an SSH session.

CVE-2025-9997 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-9997. A base score of 5.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N).
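Both BLMon findings above are CWE-78 in a console wrapper: the console accepts arguments for a command such as netstat and passes them to the operating system, so shell metacharacters in the argument text become a second command. The following added example, which is not Schneider Electric code and does not describe BLMon's actual parser (the accepted option letters are a constructed allow-list), contrasts the string-splicing pattern that causes the bug with an argv builder that validates each token against the allow-list and never involves a shell, plus a cheap audit signal for the metacharacters a defender would want logged:

```python
"""Allow-list argument handling for a console command that wraps netstat (added example).

Assumed console syntax: short option clusters only. The page does not describe BLMon's real
parsing; the accepted letters below are constructed for illustration.
"""
import re
import subprocess

# Only option clusters built from known netstat switches are accepted, nothing positional.
FLAG_RE = re.compile(r"^-[antulrip]{1,7}$")
SHELL_META_RE = re.compile(r"[;&|`$<>()\n\\'\"]")


def vulnerable_command_line(user_args: str) -> str:
    """The pattern behind CWE-78: user text spliced into a string that a shell will parse,
    so a metacharacter ends netstat's argument list and starts another command."""
    return "netstat " + user_args


def build_netstat_argv(user_args: str) -> list:
    """Split on whitespace (no shell parsing), accept only allow-listed tokens, and return an
    argv list. Raises ValueError before anything is executed."""
    argv = ["netstat"]
    for token in user_args.split():
        if not FLAG_RE.fullmatch(token):
            raise ValueError(f"unsupported netstat argument: {token!r}")
        argv.append(token)
    return argv


def is_allowed(user_args: str) -> bool:
    try:
        build_netstat_argv(user_args)
    except ValueError:
        return False
    return True


def looks_like_injection(user_args: str) -> bool:
    """Audit-log signal: shell metacharacters in console input that should only carry flags."""
    return SHELL_META_RE.search(user_args) is not None


def run_netstat(user_args: str) -> str:
    """Hardened path: argv list, shell=False, so no character is interpreted by a shell."""
    argv = build_netstat_argv(user_args)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    return proc.stdout


if __name__ == "__main__":
    for sample in ("-an", "-r -n", "-an; id"):     # constructed console inputs
        print(repr(sample), "allowed:", is_allowed(sample), "suspicious:", looks_like_injection(sample))
```

The allow-list is the actual control; the metacharacter regex is only for detection, since rejecting a list of bad characters invites bypasses while accepting a short list of known-good tokens does not.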

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Robin Senn of GAI NetConsult GmbH reported CVE-2025-9996 to Schneider Electric. Sebastian Krause of GAI NetConsult GmbH reported CVE-2025-9997 to Schneider Electric. Schneider Electric reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Schneider Electric Saitel DR RTU Versions 11.06.29 and prior: HUe Firmware version 11.06.30 of Saitel DR includes a fix for this vulnerability and is available for download. A reboot is necessary to complete the firmware upgrade.
  • Schneider Electric Saitel DP RTU Versions 11.06.33 and prior: Firmware SM_CPU866e version 11.06.34 of Saitel DP includes a fix for this vulnerability and is available for download. A reboot is necessary to complete the firmware upgrade.

Schneider Electric recommends that users follow appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends using backups and evaluating the impact of these patches in a test and development environment or on an offline infrastructure. Contact Schneider Electric’s Customer Care Center for assistance removing a patch.

If users are unable to apply these patches, Schneider Electric recommends immediately applying the following mitigations to reduce the risk of exploitation:

  • Restrict access to BLMon by assigning permissions only to a limited set of user roles.
  • Ensure users are assigned the least privileged role that still allows them to perform their designated tasks.
  • Implement firewall rules to restrict SSH connections to the device.

Schneider Electric strongly recommends the following industry cybersecurity best practices.

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-252-02 Saitel DR & Saitel DP Remote Terminal Unit – SEVD-2025-252-02 PDF Version, Saitel DR & Saitel DP Remote Terminal Unit – SEVD-2025-252-02 CSAF Version.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • September 18, 2025: Initial Republication of Schneider Electric SEVD-2025-252-02

Westermo Network Technologies WeOS 5


1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely
  • Vendor: Westermo Network Technologies
  • Equipment: WeOS 5
  • Vulnerability: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker with administrative permissions to execute commands that would typically be inaccessible. This could allow the execution of commands with privileges beyond those normally granted to the attacker.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Westermo reports that the following versions of WeOS 5, an industrial network operating system, are affected:

  • WeOS 5: Versions 5.24 and later

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Westermo has identified a vulnerability in WeOS 5 that could potentially be used to inject OS commands due to unsafe handling of media definitions.

CVE-2025-46418 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-46418. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Westermo reported this vulnerability to CISA.

4. MITIGATIONS

Westermo recommends the following mitigations which do not require a software update:

  • Limit administration account access to trusted parties.
  • Use best practices for passwords related to administration accounts.

For more information refer to Westermo’s security advisory Westermo-25-07.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.


No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • September 18, 2025: Initial Republication of Westermo’s security advisory Westermo-25-07

Westermo Network Technologies WeOS 5


1. EXECUTIVE SUMMARY

  • CVSS v4 8.2
  • ATTENTION: Exploitable remotely
  • Vendor: Westermo Network Technologies
  • Equipment: WeOS 5
  • Vulnerability: Improper Validation of Syntactic Correctness of Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause the device to reboot.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Westermo reports that the following versions of WeOS 5, an industrial network operating system, are affected:

  • WeOS 5: Versions 5.23.0 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF SYNTACTIC CORRECTNESS OF INPUT CWE-1286

When configured for IPSec, a Westermo device running WeOS 5 could be vulnerable to a denial-of-service attack. A specifically crafted ESP packet could trigger an immediate reboot of the device.

CVE-2025-46419 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-46419. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Sweden

3.4 RESEARCHER

Westermo Network Technologies reported this vulnerability to CISA.

4. MITIGATIONS

Westermo recommends upgrading to the latest WeOS 5 version available. The vulnerability has been addressed and removed in WeOS 5 Version 5.24.0. This version is available for download on the Westermo Network Technologies support site.

For more information refer to Westermo’s security advisory Westermo-25-02.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • September 18, 2025: Initial Republication of Westermo’s security advisory Westermo-25-02

Hitachi Energy Asset Suite

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: Asset Suite
  • Vulnerabilities: Server-Side Request Forgery (SSRF), Deserialization of Untrusted Data, Cleartext Storage of Sensitive Information, Uncontrolled Resource Consumption, URL Redirection to Untrusted Site (‘Open Redirect’), Improper Authentication

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to trigger resource consumption or information disclosure through SSRF in Apache XML Graphics Batik, mount a denial-of-service attack via poisoned data in logback, discover cleartext passwords in H2 Database Engine, fill up the file system in Apache CXF, perform open redirect or SSRF attacks through UriComponentsBuilder, and execute arbitrary code in Apache ActiveMQ.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

  • Asset Suite: Versions 9.6.4.5 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

A Server-Side Request Forgery (SSRF) vulnerability exists in Apache Software Foundation Apache XML Graphics Batik. This issue affects Apache XML Graphics Batik 1.16. On version 1.16, a malicious SVG could trigger loading of external resources by default, causing resource consumption or in some cases even information disclosure.

CVE-2022-44729 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-44729. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

A serialization vulnerability in the logback receiver component (part of logback version 1.4.11) allows an attacker to mount a denial-of-service attack by sending poisoned data. This vulnerability affects logback versions prior to 1.2.13, 1.3.12 and 1.4.12.

CVE-2023-6378 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-6378. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.3 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. The issue was fixed in 2.2.220 by the vendor H2.

CVE-2022-45868 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-45868. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
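An added detection example, not from the advisory or from H2, that scans process command lines for the cleartext flag named above and records a finding with the secret redacted; the process listing is constructed, and the generic password-flag pattern is an assumption.

```python
"""Spot cleartext secrets passed as command-line arguments (CWE-312), the exposure
the H2 '-webAdminPassword' case above describes: anyone who can list processes
reads the value.

Added detection example, not from the advisory or from H2. The process listing is
constructed; on a live Linux host feed it from `ps -eo pid,args` or by reading
/proc/<pid>/cmdline (NUL-separated argv)."""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Flags known to take a cleartext secret as their value. '-webAdminPassword' is
# the one named in the advisory; add others for your estate as you confirm them.
SECRET_FLAGS = frozenset({"-webAdminPassword"})
# Assumed generic fallback: any flag whose name mentions password/passwd/secret.
GENERIC_SECRET_FLAG = re.compile(r"^--?[\w.-]*(password|passwd|secret)[\w.-]*$", re.I)


@dataclass
class Finding:
    pid: int
    flag: str
    redacted_cmdline: str  # safe to log: the secret value is replaced


def _is_secret_flag(name: str) -> bool:
    return name in SECRET_FLAGS or bool(GENERIC_SECRET_FLAG.match(name))


def scan_cmdline(pid: int, cmdline: str) -> Optional[Finding]:
    """Inspect one process's argv; return a Finding with the secret redacted."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        argv = cmdline.split()  # unbalanced quotes: fall back to whitespace split
    for i, arg in enumerate(argv):
        name, eq, _value = arg.partition("=")
        if not _is_secret_flag(name):
            continue
        if eq:                       # --flag=value form
            argv[i] = f"{name}=<redacted>"
        elif i + 1 < len(argv):      # -flag value form
            argv[i + 1] = "<redacted>"
        return Finding(pid, name, " ".join(argv))
    return None


def scan_ps_output(ps_output: str) -> List[Finding]:
    """Parse `ps -eo pid,args` style output (first line is the header)."""
    findings: List[Finding] = []
    for line in ps_output.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        pid_str, _, cmdline = line.partition(" ")
        if not pid_str.isdigit():
            continue
        finding = scan_cmdline(int(pid_str), cmdline.strip())
        if finding:
            findings.append(finding)
    return findings


def parse_proc_cmdline(pid: int, raw: bytes) -> Optional[Finding]:
    """Same check for the /proc/<pid>/cmdline format (argv joined by NUL bytes)."""
    argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
    return scan_cmdline(pid, " ".join(shlex.quote(a) for a in argv))


# Constructed listing: one H2 console started with the cleartext flag, two
# unrelated processes.
SAMPLE_PS = """\
  PID ARGS
  812 /usr/bin/java -cp /opt/h2/h2.jar org.h2.tools.Server -web -webAdminPassword hunter2-constructed -tcp
 1201 /usr/bin/java -jar /opt/app/app.jar --spring.profiles.active=prod
 1350 /usr/sbin/sshd -D
"""

if __name__ == "__main__":
    for f in scan_ps_output(SAMPLE_PS):
        print(f"pid {f.pid}: {f.flag} on command line -> {f.redacted_cmdline}")
```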

3.2.4 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

A potential denial of service vulnerability is present in versions of Apache CXF before 3.5.10, 3.6.5 and 4.0.6. In some edge cases, the CachedOutputStream instances may not be closed and, if backed by temporary files, may fill up the file system (it applies to servers and clients).

CVE-2025-23184 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-23184. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 URL REDIRECTION TO UNTRUSTED SITE (‘OPEN REDIRECT’) CWE-601

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to an open redirect attack or to an SSRF attack if the URL is used after passing the validation checks.

CVE-2024-22262 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-22262. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.6 IMPROPER AUTHENTICATION CWE-287

In Apache ActiveMQ, once a user is authenticated on Jolokia, the user can potentially trigger arbitrary code execution. In detail, in ActiveMQ configurations, Jetty allows org.jolokia.http.AgentServlet to handle requests to /api/jolokia. org.jolokia.http.HttpRequestHandler#handlePostRequest is able to create a JmxRequest through JSONObject and then calls org.jolokia.http.HttpRequestHandler#executeRequest. Deeper in the call stack, org.jolokia.handler.ExecHandler#doHandleRequest can be invoked through reflection. This could lead to RCE via various MBeans.

CVE-2022-41678 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-41678. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Asset Suite versions 9.6.4.5 and prior: Apply general mitigation factors
  • (CVE-2022-44729, CVE-2023-6378, CVE-2022-45868, CVE-2025-23184, CVE-2024-22262) Asset Suite versions 9.6.4.5 and prior: Upgrade to version 9.7
  • (CVE-2022-41678) Asset Suite versions 9.6.4.5 and prior: Upgrade to version 9.8 when available

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000221 Multiple Open-Source Software Vulnerabilities in Hitachi Energy Asset Suite Product.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 18, 2025: Initial Republication of Hitachi Energy PSIRT 8DBD000221

Cognex In-Sight Explorer and In-Sight Camera Firmware

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.6
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Cognex
  • Equipment: In-Sight Explorer, In-Sight Camera Firmware
  • Vulnerabilities: Use of Hard-coded Password, Cleartext Transmission of Sensitive Information, Incorrect Default Permissions, Improper Restriction of Excessive Authentication Attempts, Incorrect Permission Assignment for Critical Resource, Authentication Bypass by Capture-replay, Client-Side Enforcement of Server-Side Security

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, steal credentials, modify files, or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Cognex products are affected:

  • In-Sight 2000 series: Versions 5.x up to and including 6.5.1
  • In-Sight 7000 series: Versions 5.x up to and including 6.5.1
  • In-Sight 8000 series: Versions 5.x up to and including 6.5.1
  • In-Sight 9000 series: Versions 5.x up to and including 6.5.1
  • In-Sight Explorer: Versions 5.x up to and including 6.5.1

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Hard-coded Password CWE-259

An attacker with adjacent access, without authentication, can exploit this vulnerability to retrieve a hard-coded password embedded in publicly available software. This password can then be used to decrypt sensitive network traffic, affecting the Cognex device.

CVE-2025-54754 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54754. A base score of 8.6 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Cleartext Transmission of Sensitive Information CWE-319

An adjacent attacker without authentication can exploit this vulnerability to retrieve a set of user-privileged credentials. These credentials are present during the firmware upgrade procedure.

CVE-2025-47698 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-47698. A base score of 8.6 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Incorrect Default Permissions CWE-276

A local attacker with low privileges on the Windows system where the software is installed can exploit this vulnerability to corrupt sensitive data. A data folder is created with very weak privileges, allowing any user logged into the Windows system to modify its content.

CVE-2025-53947 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53947. A base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Improper Restriction of Excessive Authentication Attempts CWE-307

The device exposes a Telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. Incorrect handling of login failures by the service allows a DoS attack that leaves the Telnet service in an unreachable state.

CVE-2025-54860 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54860. A base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Incorrect Permission Assignment for Critical Resource CWE-732

The device exposes a Telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSystemConfig functionality to modify relevant device properties (such as network settings), contradicting the security model proposed in the user manual.

CVE-2025-52873 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-52873. A base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 Incorrect Permission Assignment for Critical Resource CWE-732

The device exposes a Telnet-based service on port 23 to allow management operations such as firmware upgrades and device reboots, which require authentication. A user with protected privileges can successfully invoke the SetSerialPort functionality to modify relevant device properties (such as serial interface settings), contradicting the security model proposed in the user manual.

CVE-2025-54497 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54497. A base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.7 Cleartext Transmission of Sensitive Information CWE-319

The device exposes a proprietary protocol on TCP port 1069 to perform management operations such as modifying system properties. The user management functionality handles sensitive data such as registered usernames and passwords over an unencrypted channel, allowing an adjacent attacker to intercept valid credentials to gain access to the device.

CVE-2025-54818 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54818. A base score of 8.6 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.8 Authentication Bypass by Capture-replay CWE-294

The device exposes three protocols that require user authentication to be accessible, which share the same authentication scheme. The authentication mechanism is based on a username and password. Communication occurs over an unencrypted channel, with the password encrypted to mitigate data leakage. However, the same encryption key is repeatedly used across multiple sessions, allowing an attacker monitoring network traffic to capture the encrypted password and carry out a replay attack to gain unauthorized access.

CVE-2025-54810 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54810. A base score of 8.6 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
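As an added illustration, not Cognex's protocol or code, the following shows why a password blob protected under an unchanging key replays across sessions and how a per-session server nonce defeats the replay; the fixed key, the credentials and the HMAC standing in for the product's deterministic encryption are all constructed.

```python
"""Capture-replay (CWE-294) when a password is protected with a key that never
changes, beside a per-session challenge that defeats the replay.

Added illustration; this is not Cognex's protocol. The fixed key, the HMAC used
as a stand-in for the product's deterministic password encryption, and the
challenge-response scheme are all constructed for this example."""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed: a key shared by every session. Any deterministic transform under a
# fixed key yields the same blob for the same password, which is what makes it
# replayable; HMAC merely stands in for the product's encryption here.
STATIC_KEY = b"constructed-static-key"


def weak_login_token(username: str, password: str) -> bytes:
    """Weak scheme: the 'encrypted' password sent on the wire in every session."""
    msg = f"{username}:{password}".encode()
    return hmac.new(STATIC_KEY, msg, hashlib.sha256).digest()


class WeakServer:
    """Accepts the static token; cannot tell a replay from a fresh login."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users  # username -> password (constructed test data)

    def login(self, username: str, token: bytes) -> bool:
        password = self._users.get(username)
        if password is None:
            return False
        return hmac.compare_digest(token, weak_login_token(username, password))


def challenge_proof(password: str, nonce: bytes) -> bytes:
    """Client side of the fixed scheme: bind the proof to a server-chosen nonce.
    (A real design would use a derived verifier, SCRAM-style, rather than the raw
    password as the HMAC key; that detail does not change the replay property.)"""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


class ChallengeServer:
    """Issues a fresh random nonce per login attempt and consumes it on use, so a
    proof recorded in one session is worthless in any other."""

    def __init__(self, users: Dict[str, str]) -> None:
        self._users = users
        self._pending: Dict[str, bytes] = {}  # username -> outstanding nonce

    def challenge(self, username: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[username] = nonce
        return nonce

    def login(self, username: str, proof: bytes) -> bool:
        nonce = self._pending.pop(username, None)  # single use
        password = self._users.get(username)
        if nonce is None or password is None:
            return False
        return hmac.compare_digest(proof, challenge_proof(password, nonce))


USERS = {"operator": "constructed-password"}  # constructed credentials


def demo_weak() -> Tuple[bool, bool]:
    """Returns (legitimate login ok, replayed login ok) under the weak scheme."""
    server = WeakServer(USERS)
    # Session 1: the real client logs in; an eavesdropper records the token.
    captured = weak_login_token("operator", USERS["operator"])
    legitimate = server.login("operator", captured)
    # Session 2: the recording is replayed without knowledge of the password.
    replayed = server.login("operator", captured)
    return legitimate, replayed  # (True, True): the replay is accepted


def demo_challenge() -> Tuple[bool, bool]:
    """Same sequence against the challenge-response server."""
    server = ChallengeServer(USERS)
    nonce1 = server.challenge("operator")
    captured = challenge_proof(USERS["operator"], nonce1)
    legitimate = server.login("operator", captured)
    server.challenge("operator")  # session 2 gets a new nonce
    replayed = server.login("operator", captured)  # still bound to nonce1
    return legitimate, replayed  # (True, False): the replay is rejected


def tokens_repeat_across_sessions(n: int = 3) -> bool:
    """Detection angle: under the weak scheme the login blob is byte-identical in
    every session, which a passive monitor of the management port can flag."""
    blobs = {weak_login_token("operator", USERS["operator"]) for _ in range(n)}
    return len(blobs) == 1


if __name__ == "__main__":
    print("weak scheme      (legit, replay):", demo_weak())
    print("challenge scheme (legit, replay):", demo_challenge())
```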

3.2.9 Client-Side Enforcement of Server-Side Security CWE-602

The device exposes a service implementing a proprietary protocol on TCP port 1069 to allow the client-side software, such as the In-Sight Explorer tool, to perform management operations such as changing network settings or modifying users’ access to the device.

CVE-2025-53969 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53969. A base score of 8.6 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Diego Giubertoni of Nozomi Networks reported these vulnerabilities to CISA.

4. MITIGATIONS

Cognex reports that In-Sight Explorer based vision systems are legacy products not intended for new applications. To reduce risk, asset owners are advised to switch to next generation In-Sight Vision Suite based vision systems, such as the In-Sight 2800, In-Sight 3800, In-Sight 8900 series embedded cameras.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 18, 2025: Initial Publication

Hitachi Energy Service Suite

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: Service Suite
  • Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers to compromise Oracle WebLogic Server, resulting in potential impacts on confidentiality, integrity, and availability.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

  • Service Suite: Versions prior to 9.6.0.4 EP4

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

An easily exploitable vulnerability allows an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Successful attacks on this vulnerability can result in takeover of Oracle WebLogic Server.

CVE-2020-2883 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2020-2883. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Service Suite versions prior to 9.6.0.4 EP4: Update to version 9.8.2 or the latest version. Hitachi Energy recommends that customers apply the update at the earliest convenience. While reviewing the recommended immediate actions, assess the risk exposure of affected products within the operational environment and update or upgrade if necessary.
  • Service Suite versions prior to 9.6.0.4 EP4: Apply general Mitigation Factors.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000215 Remote Code Execution Vulnerability in Hitachi Energy Service Suite Product.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 18, 2025: Initial Republication of Hitachi Energy PSIRT 8DBD000215

Hitachi Energy RTU500 Series

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: RTU500 series
  • Vulnerabilities: NULL Pointer Dereference, Improper Validation of Integrity Check Value, Improper Restriction of XML External Entity Reference, Heap-based Buffer Overflow, Integer Overflow or Wraparound, Improper Restriction of Recursive Entity References in DTDs (‘XML Entity Expansion’), Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a Denial-of-Service condition in RTU500 devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

  • Hitachi Energy RTU500 series: Version 13.6.1 (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021)
  • Hitachi Energy RTU500 series: Versions 12.7.1 through 12.7.7 (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021)
  • Hitachi Energy RTU500 series: Versions 13.4.1 through 13.4.4 (CVE-2025-39203)
  • Hitachi Energy RTU500 series: Versions 13.5.1 through 13.5.3 (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021)
  • Hitachi Energy RTU500 series: Versions 13.7.1 through 13.7.6

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476

A vulnerability has been identified in the OpenLDAP library used in the Central Account Management (CAM) client. This issue can lead to a denial-of-service (DoS) condition: a specially crafted request may cause a null pointer dereference, resulting in the affected CMU automatically recovering itself by rebooting.

CVE-2023-2953 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-2953. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354

A vulnerability exists in the IEC 61850 protocol implementation of the RTU500 product series. Crafted IEC 61850-8 message content from a device (e.g. an IED) or remote system can cause a denial of service (DoS), resulting in disconnection of the device from the RTU500 until the next reboot.

CVE-2025-39203 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-39203. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.3 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

A vulnerability has been identified in the libexpat library used in the IEC 61850 client and server components of the RTU500 product series. An authenticated and authorized malicious user could load a crafted XML input which may lead to memory mismanagement, potentially causing the RTU500 to reboot.

CVE-2024-45490 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45490. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122

A vulnerability has been identified in the libexpat library used in the IEC 61850 client and server components of the RTU500 product series. An authenticated and authorized malicious user could load a crafted XML input which may lead to heap corruption, potentially causing the RTU500 to reboot.

CVE-2024-45491 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45491. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 INTEGER OVERFLOW OR WRAPAROUND CWE-190

A vulnerability has been identified in the libexpat library used in the IEC 61850 client and server components of the RTU500 product series. An authenticated and authorized malicious user could load a crafted XML input which leads to an integer overflow, potentially causing the RTU500 to reboot.

CVE-2024-45492 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-45492. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 IMPROPER RESTRICTION OF RECURSIVE ENTITY REFERENCES IN DTDS (‘XML ENTITY EXPANSION’) CWE-776

A vulnerability has been identified in the libexpat library used in the IEC 61850 client and server components of the RTU500 product series. An authenticated and authorized malicious user could load a crafted XML input which may lead to memory mismanagement, potentially causing the RTU500 to reboot.

CVE-2024-28757 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-28757. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
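For the two libexpat findings above (3.2.3, external entity reference; 3.2.6, recursive entity expansion), an added example of a hardened expat parser that refuses DTDs entirely; it is written against the expat bindings in Python's standard library rather than any RTU500 code, with constructed documents and an assumed size limit.

```python
"""Hardened expat parsing that refuses DTDs outright, so an external entity
(CWE-611, 3.2.3 above) or a recursive entity expansion (CWE-776, 3.2.6 above) is
rejected before the parser ever resolves or expands anything.

Added example, not RTU500 or libexpat code. It uses the expat bindings in the
Python standard library; the SCL-like document and the hostile documents are
constructed, and the size limit is an assumed value."""
import xml.parsers.expat as expat
from collections import Counter

MAX_INPUT_BYTES = 1 << 20  # assumed ceiling; legitimate config files are far smaller


class UnsafeXML(ValueError):
    """The document asked for something this parser does not permit."""


def parse_untrusted(data: bytes) -> Counter:
    """Parse XML from an untrusted peer, returning element-name counts.

    Raises UnsafeXML for any DOCTYPE, entity declaration or external entity
    reference, and for malformed input. An exception raised inside an expat
    handler propagates out of Parse(), which aborts the parse immediately."""
    if len(data) > MAX_INPUT_BYTES:
        raise UnsafeXML(f"input of {len(data)} bytes exceeds {MAX_INPUT_BYTES}")

    parser = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Every internal or external entity lives inside a DTD, so refusing the
        # DOCTYPE closes both CWE-611 and CWE-776 in one place.
        raise UnsafeXML(f"DOCTYPE {name!r} refused: DTDs are not accepted")

    def reject_entity_decl(name, is_pe, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} refused")  # defence in depth

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeXML(f"external entity {sysid!r} refused")  # defence in depth

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity_decl
    parser.ExternalEntityRefHandler = reject_external_ref

    counts: Counter = Counter()
    parser.StartElementHandler = lambda name, attrs: counts.update([name])

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        # Covers e.g. an undefined entity reference in a document with no DTD.
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return counts


def check(data: bytes) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        parse_untrusted(data)
    except UnsafeXML as exc:
        return f"rejected: {exc}"
    return "accepted"


# Constructed inputs.
BENIGN_SCL = (b'<?xml version="1.0"?>'
              b'<SCL><IED name="IED1"><AccessPoint name="AP1"/></IED>'
              b'<IED name="IED2"/></SCL>')
# Internal entities that reference each other: the shape that balloons on expansion.
ENTITY_EXPANSION = (b'<?xml version="1.0"?>'
                    b'<!DOCTYPE r [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
                    b'<r>&b;&b;</r>')
# An external entity; the target is a placeholder, the parser never reads it.
EXTERNAL_ENTITY = (b'<?xml version="1.0"?>'
                   b'<!DOCTYPE r [<!ENTITY x SYSTEM "file:///placeholder/path">]>'
                   b'<r>&x;</r>')
# No DTD, but a reference to an entity that was never declared: malformed, also refused.
UNDECLARED_ENTITY = b'<?xml version="1.0"?><r>&nope;</r>'

if __name__ == "__main__":
    for label, doc in [("benign SCL", BENIGN_SCL), ("entity expansion", ENTITY_EXPANSION),
                       ("external entity", EXTERNAL_ENTITY), ("undeclared entity", UNDECLARED_ENTITY)]:
        print(f"{label:18s} -> {check(doc)}")
```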

3.2.7 STACK-BASED BUFFER OVERFLOW CWE-121

A vulnerability exists in the libxml library used by the RTU500 web server functionality. An authenticated and authorized malicious user could send a crafted XML message which may lead to a buffer overflow, potentially causing the RTU500 to reboot.

CVE-2025-6021 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-6021. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021) RTU500 series CMU Firmware version 12.7.1 – 12.7.7: Update to CMU Firmware version 12.7.8 when available
  • (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021) RTU500 series CMU Firmware version 13.5.1 – 13.5.3: Update to CMU Firmware version 13.5.4
  • (CVE-2023-2953, CVE-2025-39203, CVE-2025-6021) RTU500 series CMU Firmware version 13.6.1: Update to CMU Firmware version 13.6.3
  • (CVE-2023-2953) RTU500 series CMU Firmware version 12.7.1 – 12.7.7: Follow general mitigation factors/workarounds.
  • (CVE-2023-2953, CVE-2025-39203) RTU500 series CMU Firmware version 13.6.1, RTU500 series CMU Firmware version 13.5.1 – 13.5.3, RTU500 series CMU Firmware version 13.7.1 – 13.7.6: Follow general mitigation factors/workarounds.
  • (CVE-2023-2953, CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-28757, CVE-2025-6021) RTU500 series CMU Firmware version 13.7.1 – 13.7.6: Update to CMU Firmware version 13.7.7
  • (CVE-2025-39203) RTU500 series CMU Firmware version 12.7.1 – 12.7.7: Follow general mitigation factors/workarounds.
  • (CVE-2025-39203) RTU500 series CMU Firmware version 13.4.1 – 13.4.4, RTU500 series CMU Firmware version 13.7.1 – 13.7.6: Update to CMU Firmware version 13.7.7
  • (CVE-2025-39203) RTU500 series CMU Firmware version 13.4.1 – 13.4.4: Follow general mitigation factors/workarounds.
  • (CVE-2024-45490, CVE-2024-45491, CVE-2024-45492, CVE-2024-28757) RTU500 series CMU Firmware version 13.7.1 – 13.7.6: Follow general mitigation factors/workarounds.
  • (CVE-2025-6021) RTU500 series CMU Firmware version 13.6.1, RTU500 series CMU Firmware version 12.7.1 – 12.7.7, RTU500 series CMU Firmware version 13.5.1 – 13.5.3, RTU500 series CMU Firmware version 13.7.1 – 13.7.6: Follow general mitigation factors/workarounds.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000220 Multiple Vulnerabilities in Hitachi Energy’s RTU500 series Product.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 16, 2025: Initial Republication of Hitachi Energy PSIRT 8DBD000220