Author: Admin @CloudCentric

Rockwell Automation Analytics LogixAI

Written by Admin @CloudCentric on September 9, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable from an adjacent network/low attack complexity
Vendor: Rockwell Automation
Equipment: Analytics LogixAI
Vulnerability: Exposure of Sensitive System Information to an Unauthorized Control Sphere

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to access sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation Analytics LogixAI are affected:

Analytics LogixAI: Versions 3.00 and 3.01

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF SENSITIVE SYSTEM INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497

An open database issue exists in the affected product and version. The security issue stems from an over permissive Redis instance. This could result in an attacker on the intranet accessing sensitive data and potential alteration of data.

CVE-2025-9364 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-9364. A base score of 8.7 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation released a product update addressing this vulnerability:

Versions 3.02 and later

Users of the affected software unable to upgrade to one of the corrected versions should use Rockwell Automation’s security best practices.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 9, 2025: Initial Republication of Rockwell Automation advisory

Rockwell Automation 1783-NATR

Written by Admin @CloudCentric on September 9, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: 1783-NATR
Vulnerability: Use of Platform-Dependent Third Party Components

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a memory corruption on the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Rockwell Automation 1783-NATR are affected:

1783-NATR: All versions prior to 1.007

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF PLATFORM-DEPENDENT THIRD PARTY COMPONENTS CWE-1103

In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2020-28895 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2020-28895. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation released a product update addressing this vulnerability:

Version 1.007

Users of the affected software unable to upgrade to one of the corrected versions should follow Rockwell Automation’s security best practices.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 9, 2025: Initial Republication of Rockwell Automation advisory

Rockwell Automation FactoryTalk Optix

Written by Admin @CloudCentric on September 9, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Exploitable remotely
Vendor: Rockwell Automation
Equipment: FactoryTalk Optix
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker achieving remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of FactoryTalk Optix, a scalable, cloud-enabled visualization platform, is affected:

FactoryTalk Optix: Versions 1.5.0 through 1.5.7

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

A security issue exists within FactoryTalk Optix MQTT broker due to the lack of URI sanitization. This flaw enables the loading of remote Mosquito plugins, which can be used to achieve remote code execution.

CVE-2025-9161 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-9161. A base score of 7.3 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users update FactoryTalk Optix software to Version 1.6.0 or later.

If users are not able to upgrade to one of the corrected versions, Rockwell Automation recommends following their security best practices.

For more information, see the Rockwell Automation security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

September 09, 2025: Initial Republication of Rockwell Automation advisory

Rockwell Automation Stratix IOS

Written by Admin @CloudCentric on September 9, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: Stratix IOS
Vulnerability: Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to run malicious configurations without authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Stratix IOS are affected:

Stratix IOS: Versions 15.2(8)E5 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT USED BY A DOWNSTREAM COMPONENT (‘INJECTION’) CWE-74

A security issue affecting multiple Cisco devices also directly impacts Stratix® 5410, 5700, and 8000 devices. This can lead to remote code execution by uploading and running malicious configurations without authentication.

CVE-2025-7350 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7350. A base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has provided an update that mitigates this vulnerability. Users are recommended to update to version 15.2(8)E6 or later.

If users are not able to upgrade to the corrected version, Rockwell Automation recommends referring to their security best practices.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 09, 2025: Initial Republication of Rockwell Automation advisory

Rockwell Automation ControlLogix 5580

Written by Admin @CloudCentric on September 9, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.2
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Rockwell Automation
Equipment: ControlLogix 5580
Vulnerability: NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in a major nonrecoverable fault on the controller.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of ControlLogix 5580 is affected:

ControlLogix 5580: Version 35.013

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476

A denial-of-service vulnerability that exists in the affected product and version. The vulnerability stems from the controller repeatedly attempting to forward messages which could result in a major nonrecoverable fault on the controller.

CVE-2025-9166 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-9166. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users to update to version 35.014 or later if possible. If users of the affected software are unable to upgrade the version, security best practices should be applied.

For more information, see the Rockwell Automation security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

September 09, 2025: Initial Republication of Rockwell Automation advisory

Honeywell OneWireless Wireless Device Manager (WDM)

Written by Admin @CloudCentric on September 4, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Honeywell
Equipment: OneWireless Wireless Device Manager (WDM)
Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Sensitive Information in Resource Not Removed Before Reuse, Integer Underflow (Wrap or Wraparound), Deployment of Wrong Handler

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in information exposure, denial of service, or remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Honeywell reports these vulnerabilities affect the following:

OneWireless WDM: All releases prior to R322.5
OneWireless WDM: All releases prior to R331.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The Honeywell OneWireless WDM contains a memory buffer vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to buffer overread, which could result in improper index validation against buffer borders leading to remote code execution.

CVE-2025-2521 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2521. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N).

3.2.2 SENSITIVE INFORMATION IN RESOURCE NOT REMOVED BEFORE REUSE CWE-226

The Honeywell OneWireless WDM contains a sensitive information in resource vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a communication channel manipulation, which could result in buffer reuse which may cause incorrect system behavior.

CVE-2025-2522 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-2522. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.3 INTEGER UNDERFLOW (WRAP OR WRAPAROUND) CWE-191

The Honeywell OneWireless WDM contains an integer underflow vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to a communication channel manipulation, which could result in a failure during subtraction, allowing remote code execution.

CVE-2025-2523 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2523. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 DEPLOYMENT OF WRONG HANDLER CWE-430

The Honeywell OneWireless WDM contains a deployment of wrong handler vulnerability in the component Control Data Access (CDA). An attacker could potentially exploit this vulnerability, leading to input data manipulation, which could result in incorrect handling of packets, leading to remote code execution.

CVE-2025-3946 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3946. A base score of 8.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Demid Uzenkov and Kirill Kutaev of Positive Technologies reported these vulnerabilities to Honeywell.

4. MITIGATIONS

Honeywell recommends updating OneWireless WDM to R322.5 or R331.1. For more information, see the security notice.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

September 4, 2025: Initial Republication of Honeywell security notification

Delta Electronics EIP Builder

Written by Admin @CloudCentric on September 2, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.7
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: EIP Builder
Vulnerability: Improper Restriction of XML External Entity Reference

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to potentially process dangerous external entities, resulting in disclosure of sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Delta Electronics products are affected:

EIP Builder: Versions 1.11 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF XML EXTERNAL ENTITY REFERENCE CWE-611

The affected product is vulnerable to an XML external entity vulnerability, which could allow an attacker to disclose sensitive information.

CVE-2025-57704 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-57704. A base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

kimiya working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users updating to V1.12.

For more information refer to Delta Electronics’ security advisory Delta-PCSA-2025-00013.

Delta Electronics offers the following general recommendations:

Do not click on untrusted Internet links or open unsolicited email attachments.
Avoid exposing control systems and equipment to the Internet.
Place systems and devices behind a firewall and isolate them from the business network.
When remote access is required, use a secure access method, such as a virtual private network (VPN).

If you have any product-related support concerns, find a contact from the Delta Electronics portal page for any information or materials you may require.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 2, 2025: Initial Publication

SunPower PVS6

Written by Admin @CloudCentric on September 2, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 9.4
ATTENTION: Exploitable from an adjacent network/low attack complexity
Vendor: SunPower
Equipment: PVS6
Vulnerability: Use of Hard-Coded Credentials

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers to gain full access to the device, enabling them to replace firmware, modify settings, disable the device, create SSH tunnels, and manipulate attached devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of SunPower PVS6 are affected:

PVS6: Versions 2025.06 build 61839 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CREDENTIALS CWE-798

The SunPower PVS6’s BluetoothLE interface is vulnerable due to its use of hardcoded encryption parameters and publicly accessible protocol details. An attacker within Bluetooth range could exploit this vulnerability to gain full access to the device’s servicing interface. This access allows the attacker to perform actions such as firmware replacement, disabling power production, modifying grid settings, creating SSH tunnels, altering firewall settings, and manipulating connected devices.

CVE-2025-9696 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-9696. A base score of 9.4 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Dagan Henderson reported this vulnerability to CISA.

4. MITIGATIONS

SunPower did not respond to CISA’s attempt to coordinate these vulnerabilities. Users should contact SunPower for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 2, 2025: Initial Publication

Fuji Electric FRENIC-Loader 4

Written by Admin @CloudCentric on September 2, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Low attack complexity
Vendor: Fuji Electric
Equipment: FRENIC-Loader 4
Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Fuji Electric products are affected:

FRENIC-Loader 4: Versions prior to 1.4.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

The affected product is vulnerable to a deserialization of untrusted data when importing a file through a specified window, which may allow an attacker to execute arbitrary code.

CVE-2025-9365 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-9365. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

kimiya working with Trend Micro Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Fuji Electric recommends users update to v1.4.0.1 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

September 2, 2025: Initial Publication

Mitsubishi Electric MELSEC iQ-F Series CPU Module

Written by Admin @CloudCentric on August 28, 2025. Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-F Series CPU module
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read or write the device values of the product. In addition, the attacker may be able to stop the operation of the programs.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports the following versions of MELSEC iQ-F Series are affected:

MELSEC iQ-F Series FX5U-32MT/ES: 1.060 and later
MELSEC iQ-F Series FX5U-32MT/DS: 1.060 and later
MELSEC iQ-F Series FX5U-32MT/ESS: 1.060 and later
MELSEC iQ-F Series FX5U-32MT/DSS: 1.060 and later
MELSEC iQ-F Series FX5U-64MT/ES: 1.060 and later
MELSEC iQ-F Series FX5U-64MT/DS: 1.060 and later
MELSEC iQ-F Series FX5U-64MT/ESS: 1.060 and later
MELSEC iQ-F Series FX5U-64MT/DSS: 1.060 and later
MELSEC iQ-F Series FX5U-80MT/ES: 1.060 and later
MELSEC iQ-F Series FX5U-80MT/DS: 1.060 and later
MELSEC iQ-F Series FX5U-80MT/ESS: 1.060 and later
MELSEC iQ-F Series FX5U-80MT/DSS: 1.060 and later
MELSEC iQ-F Series FX5U-32MR/ES: 1.060 and later
MELSEC iQ-F Series FX5U-32MR/DS: 1.060 and later
MELSEC iQ-F Series FX5U-64MR/ES: 1.060 and later
MELSEC iQ-F Series FX5U-64MR/DS: 1.060 and later
MELSEC iQ-F Series FX5U-80MR/ES: 1.060 and later
MELSEC iQ-F Series FX5U-80MR/DS: 1.060 and later
MELSEC iQ-F Series FX5UC-32MT/D: 1.060 and later
MELSEC iQ-F Series FX5UC-32MT/DSS: 1.060 and later
MELSEC iQ-F Series FX5UC-64MT/D: 1.060 and later
MELSEC iQ-F Series FX5UC-64MT/DSS: 1.060 and later
MELSEC iQ-F Series FX5UC-96MT/D: 1.060 and later
MELSEC iQ-F Series FX5UC-96MT/DSS: 1.060 and later
MELSEC iQ-F Series FX5UC-32MT/DS-TS: 1.060 and later
MELSEC iQ-F Series FX5UC-32MT/DSS-TS: 1.060 and later
MELSEC iQ-F Series FX5UC-32MR/DS-TS: 1.060 and later
MELSEC iQ-F Series FX5UJ-24MT/ES: All versions
MELSEC iQ-F Series FX5UJ-24MT/DS: All versions
MELSEC iQ-F Series FX5UJ-24MT/ESS: All versions
MELSEC iQ-F Series FX5UJ-24MT/DSS: All versions
MELSEC iQ-F Series FX5UJ-40MT/ES: All versions
MELSEC iQ-F Series FX5UJ-40MT/DS: All versions
MELSEC iQ-F Series FX5UJ-40MT/ESS: All versions
MELSEC iQ-F Series FX5UJ-40MT/DSS: All versions
MELSEC iQ-F Series FX5UJ-60MT/ES: All versions
MELSEC iQ-F Series FX5UJ-60MT/DS: All versions
MELSEC iQ-F Series FX5UJ-60MT/ESS: All versions
MELSEC iQ-F Series FX5UJ-60MT/DSS: All versions
MELSEC iQ-F Series FX5UJ-24MR/ES: All versions
MELSEC iQ-F Series FX5UJ-24MR/DS: All versions
MELSEC iQ-F Series FX5UJ-40MR/ES: All versions
MELSEC iQ-F Series ‘FX5UJ-40MR/DS: All versions
MELSEC iQ-F Series FX5UJ-60MR/ES: All versions
MELSEC iQ-F Series FX5UJ-60MR/DS: All versions
MELSEC iQ-F Series FX5UJ-24MT/ES-A: All versions
MELSEC iQ-F Series FX5UJ-24MR/ES-A: All versions
MELSEC iQ-F Series FX5UJ-40MT/ES-A: All versions
MELSEC iQ-F Series FX5UJ-40MR/ES-A: All versions
MELSEC iQ-F Series FX5UJ-60MT/ES-A: All versions
MELSEC iQ-F Series FX5UJ-60MR/ES-A: All versions
MELSEC iQ-F Series FX5S-30MT/ES: All versions
MELSEC iQ-F Series FX5S-30MT/DS: All versions
MELSEC iQ-F Series FX5S-30MT/ESS: All versions
MELSEC iQ-F Series FX5S-30MT/DSS: All versions
MELSEC iQ-F Series FX5S-40MT/ES: All versions
MELSEC iQ-F Series FX5S-40MT/DS: All versions
MELSEC iQ-F Series FX5S-40MT/ESS: All versions
MELSEC iQ-F Series FX5S-40MT/DSS: All versions
MELSEC iQ-F Series FX5S-60MT/ES: All versions
MELSEC iQ-F Series FX5S-60MT/DS: All versions
MELSEC iQ-F Series FX5S-60MT/ESS: All versions
MELSEC iQ-F Series FX5S-60MT/DSS: All versions
MELSEC iQ-F Series FX5S-80MT/ES: All versions
MELSEC iQ-F Series FX5S-80MT/DS: All versions
MELSEC iQ-F Series FX5S-80MT/ESS: All versions
MELSEC iQ-F Series FX5S-80MT/DSS: All versions
MELSEC iQ-F Series FX5S-30MR/ES: All versions
MELSEC iQ-F Series FX5S-30MR/DS: All versions
MELSEC iQ-F Series FX5S-40MR/ES: All versions
MELSEC iQ-F Series FX5S-40MR/DS: All versions
MELSEC iQ-F Series FX5S-60MR/ES: All versions
MELSEC iQ-F Series FX5S-60MR/DS: All versions
MELSEC iQ-F Series FX5S-80MR/ES: All versions
MELSEC iQ-F Series FX5S-80MR/DS: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An information disclosure, information tampering, and denial-of-service vulnerability exists in MELSEC iQ-F series CPU module due to missing authentication for critical function. Since MODBUS/TCP in the products does not have authentication features, an attacker may be able to read or write the device values of the product. In addition, the attacker may be able to stop the operation of the programs.

CVE-2025-7405 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-7405. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Thai Do, Minh Pham, Quan Le and Loc Nguyen of Unit 515, OPSWAT reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric Corporation advises that there are no plans to release a fixed version. Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of vulnerability exploit:

Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual for each product.
“13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication) Please download the manual from the following URL.
https://www.mitsubishielectric.com/fa/download/index.html
Restrict physical access to the affected products and the LAN that is connected by them.

Mitsubishi Electric Corporation recommends users contact their local Mitsubishi Electric representative with questions.

For more information, see Mitsubishi Electric’s security advisory.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

August 28, 2025: Initial Republication of Mitsubishi Electric 2025-011