
Author: Admin @CloudCentric

Siemens Engineering Platforms

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v3 8.2
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: Engineering Platforms
  • Vulnerability: Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local authenticated attacker to cause a type confusion and execute arbitrary code within the affected application and its privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens SIMATIC PCS neo V4.1: All Versions
  • Siemens SIMATIC WinCC V18: All Versions
  • Siemens SIMATIC WinCC V19: All versions prior to V19 Update 4
  • Siemens SIMATIC WinCC V20: All Versions
  • Siemens SIMOCODE ES V17: All Versions
  • Siemens SIMOCODE ES V18: All Versions
  • Siemens SIMOCODE ES V19: All Versions
  • Siemens SIMOCODE ES V20: All Versions
  • Siemens SIMOTION SCOUT TIA V5.4: All Versions
  • Siemens SIMOTION SCOUT TIA V5.5: All Versions
  • Siemens SIMOTION SCOUT TIA V5.6: All versions prior to V5.6 SP1 HF7
  • Siemens SIMATIC PCS neo V5.0: All Versions
  • Siemens SIMOTION SCOUT TIA V5.7: All Versions
  • Siemens SINAMICS Startdrive V17: All Versions
  • Siemens SINAMICS Startdrive V18: All Versions
  • Siemens SINAMICS Startdrive V19: All Versions
  • Siemens SINAMICS Startdrive V20: All Versions
  • Siemens SIRIUS Safety ES V17 (TIA Portal): All Versions
  • Siemens SIRIUS Safety ES V18 (TIA Portal): All Versions
  • Siemens SIRIUS Safety ES V19 (TIA Portal): All Versions
  • Siemens SIRIUS Safety ES V20 (TIA Portal): All Versions
  • Siemens SIRIUS Soft Starter ES V17 (TIA Portal): All Versions
  • Siemens SIMATIC PCS neo V6.0: All Versions
  • Siemens SIRIUS Soft Starter ES V18 (TIA Portal): All Versions
  • Siemens SIRIUS Soft Starter ES V19 (TIA Portal): All Versions
  • Siemens SIRIUS Soft Starter ES V20 (TIA Portal): All Versions
  • Siemens TIA Portal Cloud V17: All Versions
  • Siemens TIA Portal Cloud V18: All Versions
  • Siemens TIA Portal Cloud V19: All versions prior to 5.2.1.1
  • Siemens TIA Portal Cloud V20: All Versions
  • Siemens TIA Portal Test Suite V20: All Versions
  • Siemens SIMATIC S7-PLCSIM V17: All Versions
  • Siemens SIMATIC STEP 7 V17: All Versions
  • Siemens SIMATIC STEP 7 V18: All Versions
  • Siemens SIMATIC STEP 7 V19: All versions prior to V19 Update 4
  • Siemens SIMATIC STEP 7 V20: All Versions
  • Siemens SIMATIC WinCC V17: All Versions

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Affected products do not properly sanitize Interprocess Communication input received through a Windows Named Pipe accessible to all local users. This could allow an authenticated local attacker to cause a type confusion and execute arbitrary code within the affected application.

CVE-2024-54678 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • All affected products on Desktop systems: Execute affected software on Windows hosts where only a single user is configured
  • All affected products on Server systems: Reduce the access on operating system level to administrators only
  • SIMATIC PCS neo V4.1, SIMATIC S7-PLCSIM V17: Currently no fix is planned
  • SIMATIC PCS neo V5.0, SIMATIC PCS neo V6.0, SIMATIC STEP 7 V17, SIMATIC STEP 7 V18, SIMATIC STEP 7 V20, SIMATIC WinCC V17, SIMATIC WinCC V18, SIMATIC WinCC V20, SIMOCODE ES V17, SIMOCODE ES V18, SIMOCODE ES V19, SIMOCODE ES V20, SIMOTION SCOUT TIA V5.4, SIMOTION SCOUT TIA V5.5, SIMOTION SCOUT TIA V5.7, SINAMICS Startdrive V17, SINAMICS Startdrive V18, SINAMICS Startdrive V19, SINAMICS Startdrive V20, SIRIUS Safety ES V17 (TIA Portal), SIRIUS Safety ES V18 (TIA Portal), SIRIUS Safety ES V19 (TIA Portal), SIRIUS Safety ES V20 (TIA Portal), SIRIUS Soft Starter ES V17 (TIA Portal), SIRIUS Soft Starter ES V18 (TIA Portal), SIRIUS Soft Starter ES V19 (TIA Portal), SIRIUS Soft Starter ES V20 (TIA Portal), TIA Portal Cloud V17, TIA Portal Cloud V18, TIA Portal Cloud V20, TIA Portal Test Suite V20: Currently no fix is available

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-693808 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • August 14, 2025: Initial Republication of Siemens ProductCERT SSA-693808

Siemens Simcenter Femap

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: Simcenter Femap
  • Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens Simcenter Femap V2406: all versions prior to V2406.0003 (vers:intdot/<2406.0003)
  • Siemens Simcenter Femap V2412: all versions prior to V2412.0002 (vers:intdot/<2412.0002)

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected applications contain an out-of-bounds write vulnerability when parsing a specially crafted STP file. This could allow an attacker to execute code in the context of the current process. (ZDI-CAN-26692)

CVE-2025-40762 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read vulnerability when parsing specially crafted BMP files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-40764 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Michael Heinzl reported CVE-2025-40764 to Siemens ProductCERT. Trend Micro Zero Day Initiative reported CVE-2025-40762 to Siemens ProductCERT. Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Simcenter Femap V2406: Update to V2406.0003 or later version
  • Simcenter Femap V2412: Update to V2412.0002 or later version
  • (CVE-2025-40762) All affected products: Do not open untrusted STP files in affected applications
  • (CVE-2025-40764) All affected products: Do not open untrusted BMP files in affected applications

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-674084 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • August 14, 2025: Initial Republication of Siemens ProductCERT SSA-674084

Siemens COMOS

1. EXECUTIVE SUMMARY

  • CVSS v3 8.2
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: COMOS
  • Vulnerability: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens COMOS: all versions prior to V10.6

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability was discovered in Open Design Alliance Drawings SDK before 2025.10. Reading a crafted DWF file without proper checks on the received SectionIterator data can trigger an unhandled exception. This could allow attackers to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

CVE-2024-8894 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • COMOS: Ensure all files imported into the affected product originate from a trusted source and are transmitted over secure channels
  • COMOS: Update to V10.6 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-769791 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • August 14, 2025: Initial Republication of Siemens ProductCERT SSA-769791

Siemens SIMATIC RTLS Locating Manager

1. EXECUTIVE SUMMARY

  • CVSS v3 6.3
  • ATTENTION: Low Attack Complexity
  • Vendor: Siemens
  • Equipment: SIMATIC RTLS Locating Manager
  • Vulnerabilities: Reachable Assertion, Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial of service condition or escalate to higher access rights.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • Siemens SIMATIC RTLS Locating Manager: all versions prior to 3.3

3.2 VULNERABILITY OVERVIEW

3.2.1 REACHABLE ASSERTION CWE-617

Affected devices do not properly validate input sent to their listening port on the local loopback interface. This could allow an unauthenticated local attacker to cause a denial of service condition.

CVE-2025-30034 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

Affected SIMATIC RTLS Locating Manager Report Clients do not properly protect credentials that are used to authenticate to the server. This could allow an authenticated local attacker to extract the credentials and use them to escalate their access rights from the Manager to the Systemadministrator role.

CVE-2025-40751 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Transportation Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-707630 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • August 14, 2025: Initial Republication of Siemens ProductCERT SSA-707630

Rockwell Automation 1756-ENT2R, 1756-EN4TR, 1756-EN4TRXT

1. EXECUTIVE SUMMARY

  • CVSS v4 7.1
  • ATTENTION: Low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: 1756-ENT2R, 1756-EN4TR, 1756-EN4TRXT
  • Vulnerabilities: Improper Input Validation, Improper Handling of Exceptional Conditions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker causing a denial of service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

  • 1756-ENT2R: Versions prior to 7.001
  • 1756-EN4TR: Versions prior to 7.001
  • 1756-EN4TRXT: Versions prior to 7.001

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

A security issue exists in the protected mode of 1756-EN4TR and 1756-ENT2R communication modules, where a Concurrent Forward Close operation can trigger a Major Non-Recoverable (MNFR) fault. This condition may lead to unexpected system crashes and loss of device availability.

CVE-2025-8007 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-8007. A base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER HANDLING OF EXCEPTIONAL CONDITIONS CWE-755

A security issue exists in the protected mode of EN4TR devices, where sending specifically crafted messages during a Forward Close operation can cause the device to crash.

CVE-2025-8008 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-8008. A base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends users upgrade their devices to 7.001 or later. The update can be downloaded from Rockwell Automation’s website.

Rockwell Automation also recommends users follow their published Security Best Practices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • August 14, 2025: Initial Republication

Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, Cobalt Share

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Ashlar-Vellum
  • Equipment: Cobalt, Xenon, Argon, Lithium, Cobalt Share
  • Vulnerabilities: Out-of-bounds Write, Out-of-bounds Read, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Ashlar-Vellum products are affected:

  • Cobalt: All versions prior to 12.6.1204.204
  • Xenon: All versions prior to 12.6.1204.204
  • Argon: All versions prior to 12.6.1204.204
  • Lithium: All versions prior to 12.6.1204.204
  • Cobalt Share: All versions prior to 12.6.1204.204

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing CO files. This could lead to an out-of-bounds write. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2025-53705 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53705. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing AR files. This could lead to an out-of-bounds read. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2025-41392 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-41392. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing XE files. This could lead to a heap-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2025-52584 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-52584. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 HEAP-BASED BUFFER OVERFLOW CWE-122

In Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share versions prior to 12.6.1204.204, the affected applications lack proper validation of user-supplied data when parsing VC6 files. This could lead to a heap-based buffer overflow. An attacker could leverage this vulnerability to execute arbitrary code in the context of the current process.

CVE-2025-46269 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-46269. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Ashlar-Vellum recommends users update to Versions 12.6.1204.204 and above of the affected products.

  • Ashlar-Vellum strongly recommends that all users update Cobalt, Xenon, Argon, Lithium, and Cobalt Share to the latest supported version by selecting Help > Check Web for Updates from the application’s main menu.
  • Users should only open CO/XE/AR/LI files or import supported file formats from trusted sources.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • August 12, 2025: Initial Publication

Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Johnson Controls
  • Equipment: iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, iSTAR Edge G2
  • Vulnerabilities: OS Command Injection, Insufficient Verification of Data Authenticity, Use of Default Credentials, Missing Protection Mechanism for Alternate Hardware Interface, Insecure Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow an attacker to modify firmware and access the space that is protected by the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Software House iSTAR Ultra and Edge door controllers are affected:

  • iSTAR Ultra: Versions 6.9.2.CU02 and prior (CVE-2025-53695, CVE-2025-53696, CVE-2025-53697, CVE-2025-53700)
  • iSTAR Ultra SE: Versions 6.9.2.CU02 and prior (CVE-2025-53695, CVE-2025-53696, CVE-2025-53697, CVE-2025-53700)
  • iSTAR Ultra G2: Versions 6.9.2.CU02 and prior (CVE-2025-53695, CVE-2025-53697, CVE-2025-53700)
  • iSTAR Ultra G2 SE: Versions 6.9.2.CU02 and prior (CVE-2025-53695, CVE-2025-53697, CVE-2025-53700)
  • iSTAR Edge G2: Versions 6.9.2.CU02 and prior (CVE-2025-53695, CVE-2025-53697, CVE-2025-53700)
  • iSTAR Ultra: All versions (CVE-2025-53698, CVE-2025-53699)
  • iSTAR Ultra SE: All versions (CVE-2025-53698, CVE-2025-53699)
  • iSTAR Ultra G2: All versions (CVE-2025-53699)
  • iSTAR Ultra G2 SE: All versions (CVE-2025-53699)
  • iSTAR Edge G2: All versions (CVE-2025-53699)

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An OS command injection in the web application of iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 versions 6.9.2 and prior allows an authenticated attacker to escalate to ‘root’ on the device firmware. This is fixed in versions 6.9.3 and newer.

CVE-2025-53695 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53695. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
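The injection class in 3.2.1, shown as an added example in Python rather than anything from the iSTAR firmware (the advisory does not disclose the affected endpoint or command): a request handler that splices a user-supplied host into a shell command line, beside the argv-list form and an allow-list check. `echo` stands in for whatever network utility the real handler would invoke; the function names and hostname pattern are assumptions.

```python
import re
import subprocess

# Added example: a hypothetical handler shape, not iSTAR code. `echo` stands in
# for whatever network utility the real web application shells out to.


def vulnerable_lookup(host: str) -> str:
    """CWE-78: the user-controlled host is spliced into a shell command line.

    With shell=True the string is parsed by /bin/sh, so ';', '|', '&&', '$()'
    and backticks inside `host` become shell syntax rather than data.
    """
    command = f"echo resolving {host}"
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def argv_only_lookup(host: str) -> str:
    """Same call as an argv list with shell=False and no validation.

    Without a shell there is nothing to interpret metacharacters: the whole
    `host` value reaches the child as one argv element and is echoed back as
    literal text, never executed.
    """
    result = subprocess.run(["echo", "resolving", host], capture_output=True, text=True)
    return result.stdout


# Allow-list for a hostname: letters, digits, dots and hyphens, no leading '-'
# (so the value can never be taken for an option by the called program).
_HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")


def hardened_lookup(host: str) -> str:
    """Validate against the allow-list, then pass argv as a list.

    The argv form alone already prevents command injection; the regex is kept
    as defence in depth against option injection and surprises in the callee.
    """
    if not _HOST_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    result = subprocess.run(
        ["echo", "resolving", host], capture_output=True, text=True, check=True
    )
    return result.stdout
```

Run `vulnerable_lookup("127.0.0.1; echo INJECTED")` and the second command executes; the same input through `argv_only_lookup` comes back as a single literal line, and `hardened_lookup` refuses it before any process starts.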

3.2.2 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345

iSTAR Ultra and Ultra SE versions 6.9.2 and prior perform a firmware verification on boot; however, the verification does not inspect certain portions of the firmware, and those uncovered portions may contain malicious code. Versions 6.9.3 and newer reduce the risk of this vulnerability.

CVE-2025-53696 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53696. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
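An added illustration of the CWE-345 gap in 3.2.2, not the iSTAR image format or verification code, which the advisory does not describe: a constructed image whose signature covers the header and kernel but not the root filesystem, so replacing the rootfs still passes boot verification. HMAC-SHA256 with an embedded key stands in for the vendor's asymmetric signature so the example runs offline; the layout, field names and key are assumptions.

```python
import hashlib
import hmac
import struct

# Added example. Constructed image layout, not the iSTAR format:
#   magic(4) | kernel_len(4) | rootfs_len(4) | kernel | rootfs | mac(32)
MAGIC = b"FWIM"
HEADER = struct.Struct("<4sII")
MAC_LEN = 32

# Stand-in for the vendor's signing key (assumption). A real bootloader checks
# an asymmetric signature against a public key in ROM; an HMAC keeps the
# example self-contained while the "which bytes are covered" logic is the same.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _covered_bytes(body: bytes, coverage: str) -> bytes:
    """Selects the bytes the signature protects. 'header+kernel' reproduces
    the CWE-345 gap; 'all' covers everything that precedes the MAC."""
    magic, kernel_len, _rootfs_len = HEADER.unpack_from(body)
    if magic != MAGIC:
        raise ValueError("bad magic")
    if coverage == "header+kernel":
        return body[: HEADER.size + kernel_len]
    if coverage == "all":
        return body
    raise ValueError(f"unknown coverage {coverage!r}")


def build_image(kernel: bytes, rootfs: bytes, coverage: str) -> bytes:
    body = HEADER.pack(MAGIC, len(kernel), len(rootfs)) + kernel + rootfs
    mac = hmac.new(SIGNING_KEY, _covered_bytes(body, coverage), hashlib.sha256).digest()
    return body + mac


def verify_image(image: bytes, coverage: str) -> bool:
    """What the boot-time check does: recompute the MAC over the covered bytes."""
    body, mac = image[:-MAC_LEN], image[-MAC_LEN:]
    expected = hmac.new(SIGNING_KEY, _covered_bytes(body, coverage), hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def tamper_rootfs(image: bytes, payload: bytes) -> bytes:
    """Overwrite the start of the rootfs in place; header, kernel and MAC untouched."""
    _magic, kernel_len, rootfs_len = HEADER.unpack_from(image)
    if len(payload) > rootfs_len:
        raise ValueError("payload larger than rootfs")
    start = HEADER.size + kernel_len
    return image[:start] + payload + image[start + len(payload):]


def demo() -> dict:
    kernel = b"\x7fELF" + b"K" * 64    # constructed kernel bytes
    rootfs = b"hsqs" + b"R" * 128      # constructed squashfs-like rootfs bytes
    implant = b"#!/bin/sh\n# attacker-controlled init script\n"

    partial = build_image(kernel, rootfs, "header+kernel")
    full = build_image(kernel, rootfs, "all")
    return {
        "partial_accepts_genuine": verify_image(partial, "header+kernel"),
        "partial_accepts_tampered": verify_image(tamper_rootfs(partial, implant), "header+kernel"),
        "full_accepts_genuine": verify_image(full, "all"),
        "full_accepts_tampered": verify_image(tamper_rootfs(full, implant), "all"),
    }
```

The point to take from `demo()` is that the partial scheme is not "weak signing"; it is correct signing over the wrong byte range. When auditing a boot chain, establish exactly which offsets the signature input spans and whether every executable or mountable section, including the rootfs and any overlay or config partition, falls inside it.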

3.2.3 USE OF DEFAULT CREDENTIALS CWE-1392

There is a default ‘root’ password for iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 versions 6.9.2 and prior, which can be changed through the command shell. For iSTAR Ultra and Ultra SE, versions 6.9.3 and newer reduce the risk of this vulnerability; for iSTAR Ultra G2, Ultra G2 SE, and Edge G2, versions 6.9.3 and newer fix it.

CVE-2025-53697 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53697. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 MISSING PROTECTION MECHANISM FOR ALTERNATE HARDWARE INTERFACE CWE-1299

There is an undocumented RJ11 serial console on the iSTAR GCM (General Controller Module) that provides access to U-Boot. On older firmware versions, an attacker with physical access to this console can obtain a shell with ‘root’ privileges directly. In firmware version 6.8.1 or newer the console is disabled once the system has fully booted; however, because the U-Boot bootloader itself is not protected, the console may be re-enabled from it.

CVE-2025-53698 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53698. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 MISSING PROTECTION MECHANISM FOR ALTERNATE HARDWARE INTERFACE CWE-1299

USB ports on the GCM board are typically used to connect an ACM (Access Control Module) board. The ACM is what reads badge data, ‘push to exit’ signals, fire alarm signals, and operates relays to unlock doors. Physical access to GCM USB ports also allows USB devices, such as keyboards, to be connected and the system will treat the input from a connected keyboard as though it were typed on a local console.

CVE-2025-53699 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53699. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 INSECURE STORAGE OF SENSITIVE INFORMATION CWE-922

The software signing key for Tyco NVR products is included in the firmware of iSTAR Ultra, Ultra SE, Ultra G2, Ultra G2 SE, and Edge G2 versions 6.9.2 and prior. For iSTAR Ultra and Ultra SE, versions 6.9.3 and newer reduce the risk of this vulnerability; for iSTAR Ultra G2, Ultra G2 SE, and Edge G2, versions 6.9.3 and newer fix it.

CVE-2025-53700 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53700. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Reid Wightman of Dragos reported these vulnerabilities to Johnson Controls.

4. MITIGATIONS

Johnson Controls made firmware version 6.9.3 available in 2024 to fix CVE-2025-53695 and lower the risk of exploitation for CVE-2025-53696, CVE-2025-53697, and CVE-2025-53700.

According to Johnson Controls, the iSTAR Ultra is an older device that has a planned end of service date within a year from this publication. Johnson Controls recommends users consider upgrading to a newer control unit. The hardware installation manual for iSTAR Ultra requires all control units be installed in a restricted access, protected area to lower the risk of physical tampering.

For more detailed mitigation instructions, see Johnson Controls Product Security Advisory.

For assistance and additional information, contact Johnson Controls Trust Center.

Dragos recommends end users place the following network restrictions around iSTAR controllers, regardless of model or firmware version:

  • Pro Mode on iSTAR Ultra door controllers should be disabled; use “Ultra Mode.”

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 12, 2025: Initial Publication

Schneider Electric EcoStruxure Power Monitoring Expert

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: EcoStruxure Power Monitoring Expert
  • Vulnerabilities: Path Traversal, Deserialization of Untrusted Data, Server-Side Request Forgery

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote attacker to read arbitrary files from the target machine, or to access internal services directly.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following versions of EcoStruxure Power Monitoring Expert are affected:

  • EcoStruxure Power Monitoring Expert: Version 13.1

3.2 VULNERABILITY OVERVIEW

3.2.1 PATH TRAVERSAL CWE-22

Schneider Electric EcoStruxure Power Monitoring Expert contains a directory traversal vulnerability that may enable remote code execution when an authenticated attacker with admin privileges uploads a malicious file over HTTP, which is then executed. Authentication is required to exploit this vulnerability.

CVE-2025-54926 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-54926. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 PATH TRAVERSAL CWE-22

Schneider Electric EcoStruxure Power Monitoring Expert contains a directory traversal vulnerability, which may allow for unauthorized access to sensitive files when an authenticated attacker uses a crafted path input that is processed by the system. Authentication is required to exploit this vulnerability.

CVE-2025-54927 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54927. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Schneider Electric EcoStruxure Power Monitoring Expert exposes a random TCP port (which changes on every restart) that may allow unsafe deserialization of untrusted data. Authentication is required to exploit this vulnerability.

CVE-2025-54923 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54923. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 SERVER-SIDE REQUEST FORGERY CWE-918

Schneider Electric EcoStruxure Power Monitoring Expert is vulnerable to pre-authentication server-side request forgery. This vulnerability may allow a remote attacker to access internal services directly when the attacker sends a specially crafted document to a vulnerable endpoint.

CVE-2025-54924 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-54924. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 SERVER-SIDE REQUEST FORGERY CWE-918

Schneider Electric EcoStruxure Power Monitoring Expert is vulnerable to pre-authentication server-side request forgery. This vulnerability may allow a remote attacker to access internal services directly when the attacker configures the application to access a malicious URL.

CVE-2025-54925 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-54925. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
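An added example of the guard that closes the two SSRF issues above; it is not Schneider Electric's code, and the advisory does not describe the affected endpoints. The check rejects non-HTTP schemes, userinfo tricks, literal loopback, private and link-local addresses (including the 169.254.169.254 metadata address and IPv4-mapped IPv6 forms), and hostnames that resolve to any such address. The resolver table is constructed so the example runs offline; a real deployment resolves through DNS and re-checks the address it actually connects to. The same check belongs on URLs stored in application configuration (3.2.5), not only on URLs arriving in a request.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table standing in for DNS so the example runs offline.
# Addresses are illustrative; 8.8.8.8 appears only because the ipaddress
# module classifies it as global.
FAKE_DNS = {
    "updates.example.com": ["8.8.8.8"],
    "internal-api.corp.local": ["10.20.30.40"],
    "rebind.attacker.example": ["8.8.8.8", "127.0.0.1"],
    "metadata.example": ["169.254.169.254"],
}


def _is_public(ip) -> bool:
    """Rejects loopback, RFC 1918, link-local (so 169.254.169.254), CGNAT,
    reserved and multicast ranges, and IPv4-mapped IPv6 forms of any of them."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def check_outbound_url(url: str, resolve=lambda host: FAKE_DNS.get(host, [])) -> str:
    """Returns the hostname when a server-side fetch of `url` is acceptable,
    otherwise raises ValueError. `resolve` maps a hostname to address strings;
    the default uses the constructed table above."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username is not None or parts.password is not None:
        # http://trusted.example@127.0.0.1/ defeats naive prefix checks
        raise ValueError("userinfo in URL is not allowed")
    try:
        addresses = [ipaddress.ip_address(host)]        # literal IP in the URL
    except ValueError:
        resolved = resolve(host)
        if not resolved:
            raise ValueError(f"unresolvable host: {host!r}")
        addresses = [ipaddress.ip_address(a) for a in resolved]
    # Every address must be public: a name that also resolves to 127.0.0.1 is a
    # rebinding setup, and the fetch would connect to whichever answer wins.
    for ip in addresses:
        if not _is_public(ip):
            raise ValueError(f"{host!r} resolves to non-public address {ip}")
    return host
```

Pass a real resolver such as a wrapper around `socket.getaddrinfo` in place of the default; keep the "all addresses must be public" rule rather than checking only the first answer.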

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

An anonymous researcher working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric will include fixes for these vulnerabilities as part of the next release of the product PME 2024 R3, planned for November 11, 2025. Until then, users are recommended to:

  • Ensure PME is running in an isolated network.
  • Deploy and configure the Windows firewall to limit access to appropriate network segments.
  • Enforce complex password policies.
  • Review server access permissions:
  • Conduct an audit of all Windows-authenticated users who currently have access to PME. Repeat this audit of your system periodically.
  • Identify all accounts with access rights, especially those with elevated privileges or remote access.
  • Limit access to essential users only.
  • Revoke access for any user accounts that are not critical for system functionality or daily operations.
  • Apply the principle of least privilege to ensure users have only the access necessary for their role(s).

Additionally, users should ensure the deployment of PME has followed the cybersecurity hardening guidelines provided with the product.

For more information, see the associated Schneider Electric CPCERT security advisory, SEVD-2025-224-02 EcoStruxure Power Monitoring Expert (PME) – PDF Version, CSAF Version.

Schneider Electric recommends the following general security practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls to ensure that no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc., before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 12, 2025: Initial Publication

AVEVA PI Integrator

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.1
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: AVEVA
  • Equipment: PI Integrator
  • Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Insertion of Sensitive Information into Sent Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, or upload and execute files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following AVEVA products are affected:

  • PI Integrator for Business Analytics: Versions 2020 R2 SP1 and prior.

3.2 VULNERABILITY OVERVIEW

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to create or access publication targets of type Text File or HDFS) to upload and persist files that could potentially be executed.

CVE-2025-54460 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-54460. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:L/SC:H/SI:H/SA:H).

3.2.2 INSERTION OF SENSITIVE INFORMATION INTO SENT DATA CWE-201

The vulnerability, if exploited, could allow an authenticated miscreant (with privileges to access publication targets) to retrieve sensitive information that could then be used to gain additional access to downstream resources.

CVE-2025-41415 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-41415. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Information Technology, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

Maxime Escourbiac of Michelin CERT and Adam Bertrand of Abicom, working for Michelin CERT, reported these vulnerabilities to AVEVA.

AVEVA reported these vulnerabilities to CISA.

4. MITIGATIONS

AVEVA recommends organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected product versions should apply security updates to mitigate the risk of exploit.

  • Upgrade to PI Integrator for Business Analytics 2020 R2 SP2 or higher.
  • From the OSIsoft Customer Portal, search for “PI Integrator for Business Analytics” and select version 2020 R2 SP2 or higher.

Additionally, AVEVA recommends the following general defensive measures:

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 12, 2025: Initial Republication of AVEVA-2025-004

Delta Electronics DIAView

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Delta Electronics
  • Equipment: DIAView
  • Vulnerability: Improper Limitation of a Pathname to a Restricted Directory

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow a remote attacker to read or write files on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Delta Electronics reports that the following versions of DIAView, an industrial automation management system for real-time system control, are affected:

  • DIAView: Version 4.2.0.0

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY CWE-22

Delta Electronics DIAView is vulnerable to a path traversal vulnerability, which may allow an attacker to read or write files remotely on the system.

CVE-2025-53417 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53417. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
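An added example, not code from Schneider Electric, AVEVA or Delta Electronics, of the two checks that close the path-traversal and upload issues in the PME (3.2.1, 3.2.2), PI Integrator (3.2.1) and DIAView advisories above: canonicalise the client-supplied path and verify it is still under the intended root, and for uploads keep only the final path component and allow-list both the characters and the extension. It goes slightly beyond the specific cases by also normalising Windows separators and following symlinks. Root and file names are constructed in a temporary directory; the extension allow-list is an assumption.

```python
import os
import posixpath
import re
import tempfile

# Added example; names and the extension allow-list are assumptions.
ALLOWED_UPLOAD_EXT = {".csv", ".txt", ".xml", ".json"}   # data only, never executable or template types
_SAFE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_resolve(root: str, user_path: str) -> str:
    """CWE-22 as usually introduced: the client-supplied path is joined to a
    base directory and used as-is. '../' segments walk out of root, and an
    absolute path makes os.path.join discard root entirely."""
    return os.path.join(root, user_path)


def safe_resolve(root: str, user_path: str) -> str:
    """Canonicalise first, then check containment.

    realpath resolves '..' and symlinks, so a link inside root that points
    outside is caught too; commonpath avoids the '/data' vs '/data2'
    string-prefix mistake. Backslashes are normalised because the products
    above run on Windows, where '\\' is also a separator.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path.replace("\\", "/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PermissionError(f"path escapes root: {user_path!r}")
    return candidate


def safe_upload_name(filename: str) -> str:
    """For uploads: keep only the last path component, then allow-list the
    characters and the extension (a deny-list of .aspx/.php/... is always one
    extension short)."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if not _SAFE_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected upload name: {filename!r}")
    if os.path.splitext(name)[1].lower() not in ALLOWED_UPLOAD_EXT:
        raise ValueError(f"extension not allowed: {filename!r}")
    return name


def demo() -> dict:
    """Constructed layout: <tmp>/reports is the served root and <tmp>/secret.ini
    sits one level above it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "reports")
        os.makedirs(root)
        secret = os.path.join(tmp, "secret.ini")
        with open(secret, "w") as fh:
            fh.write("[db]\npassword=constructed\n")

        escape = "../secret.ini"
        results = {
            "vulnerable_reaches_secret": (
                os.path.realpath(vulnerable_resolve(root, escape)) == os.path.realpath(secret)
            ),
            "safe_rejects_escape": False,
            "safe_rejects_absolute": False,
            "safe_accepts_inside": False,
        }
        for key, bad in (("safe_rejects_escape", escape),
                         ("safe_rejects_absolute", os.path.realpath(secret))):
            try:
                safe_resolve(root, bad)
            except PermissionError:
                results[key] = True
        inside = safe_resolve(root, "2025/august.csv")
        results["safe_accepts_inside"] = inside.startswith(os.path.realpath(root) + os.sep)
        return results
```

For the upload case the two functions are used together: `safe_upload_name` decides what the file may be called, and `safe_resolve` decides where it may land; storing uploads under a directory the web server will not execute from is the third, independent control.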

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

hir0ot, working with Trend Micro Zero Day Initiative, reported this vulnerability to CISA.

4. MITIGATIONS

Delta Electronics recommends users update to DIAView v4.3.0 or later.

For more information, see Delta Electronics advisory Delta-PCSA-2025-00010.

Delta Electronics offers users the following general recommendations:

  • Do not click on untrusted Internet links or open unsolicited attachments in emails.
  • Avoid exposing control systems and equipment to the Internet.
  • Place control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use a secure access method, such as a virtual private network (VPN).

If you have any product-related support concerns, contact Delta via the portal page for any information or materials you may require.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 7, 2025: Initial Publication