Author: Admin @CloudCentric

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 4.5
• ATTENTION: Exploitable remotely
• Vendor: AVEVA
• Equipment: PI Web API
• Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disable content security policy protections.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA PI Web API are affected:

• PI Web API: Versions 2023 SP1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

A cross-site scripting vulnerability exists in PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser.

CVE-2025-2745 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-2745. A base score of 4.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA Ethical Disclosure reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected product versions should apply security updates to mitigate the risk of exploit.

From OSISoft Customer Portal, search for “PI Web API” and select version 2023 SP1 Patch 1 or higher.

AVEVA further recommends users follow general defensive measures:

• Review and update the file extensions allowlist for annotation attachments to remove potentially vulnerable of undesired file types (ex: svg, pdf, …).
• Consider implementing IT policies that would prevent users from subverting/disabling content security policy browser protections.
• Inform PI Web API users that annotation attachments should be retrieved through direct REST requests to PI Web API rather than rendering them in the browser interface.
• Audit assigned privileges to ensure that only trusted users are given “Annotate” access rights.

For additional information please refer to AVEVA-2025-003.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• June 12, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Low attack complexity
• Vendor: AVEVA
• Equipment: PI Connector for CygNet
• Vulnerabilities: Cross-site Scripting, Improper Validation of Integrity Check Value

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to persist arbitrary code in the administrative portal of the product or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of PI Connector for CygNet are affected:

• PI Connector for CygNet: Version 1.6.14 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

A cross-site scripting vulnerability exists in PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow an administrator miscreant with local access to the connector admin portal to persist arbitrary JavaScript code that will be executed by other users who visit affected pages.

CVE-2025-4417 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-4417. A base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:H/UI:P/VC:N/VI:H/VA:N/SC:H/SI:H/SA:N).

3.2.2 Improper Validation of Integrity Check Value CWE-354

An improper validation of integrity check value vulnerability exists in PI Connector for CygNet Versions 1.6.14 and prior that, if exploited, could allow a miscreant with elevated privileges to modify PI Connector for CygNet local data files (cache and buffers) in a way that causes the connector service to become unresponsive.

CVE-2025-4418 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-4418. A base score of 6.7 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA Ethical Disclosure reported these vulnerabilities to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users of affected product versions should apply security updates to mitigate the risk of exploit.

All affected versions of PI Connector for CygNet can be fixed by upgrading to PI Connector for CygNet v1.7.0 or higher. From OSISoft Customer Portal, search for “PI Connector for CygNet” and select Version 1.7.0 or higher.

AVEVA further recommends users follow general defensive measures:

• Ensure that PI Connector for CygNet administrative access is only provided to trusted entities.
• Audit custom installation folder Access Control Lists (ACLs) to ensure access is only provided to trusted entities.
• Audit and limit membership to the OS Local “Administrators” and “PI Connector Administrators” groups.

For additional information please refer to AVEVA-2025-002.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• June 12, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ValueHD, PTZOptics, multiCAM Systems, SMTAV
• Equipment: Various pan-tilt-zoom cameras
• Vulnerabilities: Improper Authentication, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Use of Hard-coded Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to leak sensitive data, execute arbitrary commands, and access the admin web interface using hard-coded credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ValueHD, PTZOptics, multiCAM Systems, and SMTAV products are affected:

• PTZOptics PT12X-SDI-xx-G2: Versions 6.3.34 and prior (CVE-2025-35451)
• PTZOptics PT12X-NDI-xx: Versions 6.3.34 and prior (CVE-2025-35451)
• PTZOptics PT12X-USB-xx-G2: Versions 6.2.81 and prior (CVE-2025-35451)
• PTZOptics PT20X-SDI-xx-G2: Versions 6.3.20 and prior (CVE-2025-35451)
• PTZOptics PT20X-NDI-xx: Versions 6.3.20 and prior (CVE-2025-35451)
• PTZOptics PT20X-USB-xx-G2: Versions 6.2.73 and prior (CVE-2025-35451)
• PTZOptics PT30X-SDI-xx-G2: Versions 6.3.30 and prior (CVE-2025-35451)
• PTZOptics PT30X-NDI-xx: Versions 6.3.30 and prior (CVE-2025-35451)
• PTZOptics PT12X-ZCAM: Versions 7.2.76 and prior (CVE-2025-35451)
• PTZOptics PT20X-ZCAM: Versions 7.2.82 and prior (CVE-2025-35451)
• PTZOptics PTVL-ZCAM: Versions 7.2.79 and prior (CVE-2025-35451)
• PTZOptics PTEPTZ-ZCAM-G2: Versions 8.1.81 and prior (CVE-2025-35451)
• PTZOptics PTEPTZ-NDI-ZCAM-G2: Versions 8.1.81 and prior (CVE-2025-35451)
• PTZOptics PT12X-SDI-xx-G2: All versions (CVE-2025-35452)
• PTZOptics PT12X-NDI-xx: All versions (CVE-2025-35452)
• PTZOptics PT12X-USB-xx-G2: All versions (CVE-2025-35452)
• PTZOptics PT20X-SDI-xx-G2: All versions (CVE-2025-35452)
• PTZOpticsPT20X-NDI-xx: All versions (CVE-2025-35452)
• PTZOptics PT20X-USB-xx-G2: All versions (CVE-2025-35452)
• PTZOptics PT30X-SDI-xx-G2: All versions (CVE-2025-35452)
• PTZOptics PT30X-NDI-xx: All versions (CVE-2025-35452)
• PTZOptics PT12X-ZCAM: All versions (CVE-2025-35452)
• PTZOptics PT20X-ZCAM: All versions (CVE-2025-35452)
• PTZOptics PTVL-ZCAM: All versions (CVE-2025-35452)
• PTZOptics PTEPTZ-ZCAM-G2: All versions (CVE-2025-35452)
• PTZOptics PTEPTZ-NDI-ZCAM-G2 All versions (CVE-2025-35452)
• PTZOptics PT12X-4K-xx-G3: Versions 0.0.58 and prior (CVE-2025-35452)
• PTZOptics PT20X-4K-xx-G3: Versions 0.0.85 and prior (CVE-2025-35452)
• PTZOptics PT30X-4K-xx-G3: Versions 2.0.64 and prior (CVE-2025-35452)
• PTZOptics PT12X-LINK-4K-xx: Versions 0.0.63 and prior (CVE-2025-35452)
• PTZOptics PT20X-LINK-4K-xx: Versions 0.0.89 and prior (CVE-2025-35452)
• PTZOptics PT30X-LINK-4K-xx: Versions 2.0.71 and prior (CVE-2025-35452)
• PTZOptics PT12X-SE-xx-G3: Versions 9.1.43 and prior (CVE-2025-35452)
• PTZOptics PT20X-SE-xx-G3: Versions 9.1.32 and prior (CVE-2025-35452)
• PTZOptics PT30X-SE-xx-G3: Versions 9.1.33 and prior (CVE-2025-35452)
• PTZOptics PT-STUDIOPRO: Versions 9.0.41 and prior (CVE-2025-35452)
• PTZOptics PTZOptics VL Fixed Camera/NDI Fixed Camera: Versions 7.2.94 and prior
• SMTAV Pan-Tilt-Zoom Cameras: All versions
• multiCAM Systems Pan-Tilt-Zoom Cameras: All versions
• ValueHD Pan-Tilt-Zoom Cameras: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER AUTHENTICATION CWE-287

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an insufficient authentication issue. The camera does not properly enforce authentication to /cgi-bin/param.cgi when requests are sent without an HTTP Authorization header. The result is a remote and unauthenticated attacker can leak sensitive data such as usernames, password hashes, and configurations details. Additionally, the attacker can update individual configuration values or overwrite the whole file.

CVE-2024-8956 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-8956. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

PTZOptics PT30X-SDI/NDI-xx before firmware 6.3.40 is vulnerable to an OS command injection issue. The camera does not sufficiently validate the ntp_addr configuration value which may lead to arbitrary command execution when ntp_client is started. When chained with CVE-2024-8956, a remote and unauthenticated attacker can execute arbitrary OS commands on affected devices.

CVE-2024-8957 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-8957. A base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 USE OF HARD-CODED CREDENTIALS CWE-798

Certain PTZOptics and possibly other ValueHD-based cameras have SSH or telnet or both enabled by default. Operating system users with administrative privileges (including the root user) have default passwords that are trivial to crack. The passwords cannot be changed by the user, nor can the SSH or telnet service be disabled by the user.

CVE-2025-35451 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-35451. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 USE OF HARD-CODED CREDENTIALS CWE-798

PTZOptics and possibly other ValueHD-based cameras use a default, shared password for the administrative web interface. The table below shows the affected firmware. This has been patched on production firmware for the current generation of devices.

CVE-2025-35452 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-35452. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Government Services and Facilities, Healthcare and Public Health
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: PTZOptics – United States; multiCAM Systems – United States; ValueHD – China; SMTAV – China

3.4 RESEARCHER

An anonymous researcher reported these vulnerabilities to CISA.

4. MITIGATIONS

PTZOptics has provided a fix to the affected versions for the listed CVEs. The fix for each product can be obtained on the PTZOptics Known Vulnerabilities and Fixes site.

ValueHD, multiCAM Systems, and SMTAV did not respond to requests for coordination. Contact the respective companies through the following means for more information:

• SMTAV Contact Us page.
• multiCAM Systems Contact Us page.
• ValueHD Contact Us page.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 12, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: CyberData
• Equipment: 011209 SIP Emergency Intercom
• Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Missing Authentication for Critical Function, SQL Injection, Insufficiently Protected Credentials, Path Traversal: ‘…/…//’

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, cause a denial-of-service condition, or achieve code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following CyberData products are affected:

• 011209 SIP Emergency Intercom: Versions prior to 22.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.

CVE-2025-30184 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30184. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Missing Authentication for Critical Function CWE-306

011209 Intercom exposes features that could allow an unauthenticated to gain access and cause a denial-of-service condition or system disruption.

CVE-2025-26468 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-26468. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89

011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.

CVE-2025-30507 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30507. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 Insufficiently Protected Credentials CWE-522

011209 Intercom does not properly store or protect web server admin credentials.

CVE-2025-30183 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30183. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Path Traversal: ‘…/…//’ CWE-35

011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.

CVE-2025-30515 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30515. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications, Emergency Services, Commercial Facilities
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Vera Mens of Claroty Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

CyberData recommends users update to v22.0.1

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 5, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.8
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: Relion 670, Relion 650, SAM600-IO
• Vulnerabilities: Integer Overflow or Wraparound

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption on the products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

• Relion 670/650/SAM600-IO series: Version 2.2.5 revisions up to 2.2.5.1
• Relion 670/650 series: Version 2.2.4 revisions up to 2.2.4.2
• Relion 670 series: Version 2.2.3 revisions up to 2.2.3.4
• Relion 670 series: Version 2.2.2 revisions up to 2.2.2.4
• Relion 670/650/SAM600-IO series: Version 2.2.1 revisions up to 2.2.1.7
• Relion 670/650 series version 2.2.0: All revisions
• Relion 670/650 series version 2.1: All revisions
• Relion 670 series version 2.0: All revisions
• Relion 670 series version 1.2: All revisions
• Relion 670 series version 1.1: All revisions
• Relion 650 series version 1.3: All revisions
• Relion 650 series version 1.2: All revisions
• Relion 650 series version 1.1: All revisions
• Relion 650 series version 1.0: All revisions

3.2 VULNERABILITY OVERVIEW

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2020-28895 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.2.2 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An issue was discovered in Wind River VxWorks 7. The memory al-locator has a possible integer overflow in calculating a memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2020-35198 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users may apply to reduce risk:

• Relion 670 series version 2.2.5 revisions up to 2.2.5.1, Relion 650 series version 2.2.5 revisions up to 2.2.5.1, SAM-IO series version 2.2.5 revisions up to 2.2.5.1: Update to 2.2.5.2 version or latest
• Relion 670 series version 2.2.4 revisions up to 2.2.4.2, Relion 650 series version 2.2.4 revisions up to 2.2.4.2: Update to 2.2.4.3 version or latest
• Relion 670 series version 2.2.3 revisions up to 2.2.3.4: Update to 2.2.3.5 version or latest
• Relion 670 series version 2.2.2 revisions up to 2.2.2.4: Update to 2.2.2.5 version or latest
• Relion 670 series version 2.2.1 revisions up to 2.2.1.7, Relion 650 series version 2.2.1 revisions up to 2.2.1.7, SAM-IO series version 2.2.1 revisions up to 2.2.1.7: Update to 2.2.1.8 version or latest
• Relion 670 series version 1.1 to 2.2.0 all revisions, Relion 650 series version 1.0 to 2.2.0 all revisions: Refer to the Mitigation Factors/Workaround Section for the current mitigation strategy.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000070 Cybersecurity Advisory – BadAlloc – Memory Allocation Vulnerabilities in Hitachi Energy Relion 670, 650 series and SAM600-IO Product.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 5, 2025: Initial Republication of Hitachi Energy 8DBD000070

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Wiser AvatarOn 6K Freelocate, Wiser Cuadro H 5P Socket
• Vulnerability: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject code or bypass authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric products are affected:

• Wiser AvatarOn 6K Freelocate: All versions
• Wiser Cuadro H 5P Socket: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) CWE-120

Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Out-of-bounds Write, Download of Code Without Integrity Check vulnerability in Silicon Labs Gecko Bootloader on ARM (Firmware Update File Parser modules) allows Code Injection, Authentication Bypass. This issue affects “Standalone” and “Application” versions of Gecko Bootloader.

CVE-2023-4041 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-4041. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

The Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket products have reached their end of life and are no longer supported. Users should immediately either disable the firmware update in the Zigbee Trust Center or remove the products from service to reduce the risk of exploitation.

To stay informed about all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/en/work/support/cybersecurity/securitynotifications.jsp

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 3, 2025: Initial Republication of Schneider Electric SEVD-2025-133-02

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 4.6
• ATTENTION: Low attack complexity
• Vendor: Schneider Electric
• Equipment: EcoStruxure Power Build Rapsody
• Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric product is affected:

• EcoStruxure Power Build Rapsody: v2.7.12 FR and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Stack-based Buffer Overflow vulnerability exists that could cause local attackers being able to exploit these issues to potentially execute arbitrary code while the end user opens a malicious project file (SSD file) provided by the attacker.

CVE-2025-3916 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-3916. A base score of 4.6 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Schneider Electric.
Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends users take the following actions:

• Update to Version v2.8.1 FR of EcoStruxure Power Build-Rapsody, which includes a fix for this vulnerability. Reboot after installing the new version.

Additionally, Schneider Electric recommends that if users choose not to apply the remediation provided above, the following mitigations should be applied immediately to reduce the risk of exploitation:

• Store the project files in a secure storage and restrict access to only trusted users.
• When exchanging files over the network, use secure communication protocols.
• Encrypt project files when stored.
• Only open project files received from trusted sources.
• Compute a hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.
• Harden the workstation running EcoStruxure™ Power Build Rapsody.
• To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/en/work/support/cybersecurity/security-notifications.jsp

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• June 3, 2025: Initial Republication of Schneider Electric SEVD-2025-133-03

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 9.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Mitsubishi Electric
• Equipment: MELSEC iQ-F Series
• Vulnerability: Improper Validation of Specified Index, Position, or Offset in Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read confidential information, cause a denial-of-service condition, or stop operations by sending specially crafted packets.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC iQ-F Series are affected. Products with [Note *1] are sold in limited regions:

• FX5U-xMy/z x=32, 64, 80, y=T, R, z=ES,DS, ESS, DSS: All versions
• FX5UC-xMy/z x=32, 64, 96, y=T, z=D, DSS: All versions
• FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions
• FX5UJ-xMy/z x=24, 40, 60, y=T, R, z=ES,DS,ESS,DSS: All versions
• FX5UJ-xMy/ES-A[Note *1] x=24, 40, 60, y=T, R: All versions
• FX5S-xMy/z x=30, 40, 60, 80[Note *1], y=T, R, z= ES,DS,ESS,DSS: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF SPECIFIED INDEX, POSITION, OR OFFSET IN INPUT CWE-1285

This vulnerability allows a remote attacker to read information in the product, cause a Denial-of-Service (DoS) condition in MELSOFT connection communication with Mitsubishi Electric FA products such as GX Works3 and GOT, or stop the operation of the CPU module (causing a DoS condition on the CPU module), by sending specially crafted packets. The product is needed to reset for recovery.

CVE-2025-3755 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

• Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
• Use within a LAN and block access from untrusted networks and hosts through firewalls.
• Use IP filter function to block access from untrusted hosts.
• Restrict physical access to the affected products and the LAN that is connected by them.

For details on the IP filter function, please refer to the following manual for each product.
“13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication)
Please download the manual from the following URL: https://www.mitsubishielectric.com/fa/download/index.html

For more information, see Mitsubishi Electric advisory 2025-003.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 3, 2025: Initial Republication of Mitsubishi Electric 2025-003

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.3
• ATTENTION: Low attack complexity
• Vendor: Johnson Controls Inc.
• Equipment: iSTAR Configuration Utility (ICU) tool
• Vulnerability: Use of Uninitialized Variable

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to gain access to memory leaked from the ICU. This utility is only used to configure products that are no longer manufactured or supported. ICU is not used to configure the iSTAR Ultra and the current iSTAR G2 series of controllers. Furthermore, this vulnerability only impacts ICU and the Windows PC it is running on. This vulnerability does not impact iSTARs, including the legacy iSTARs.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports the following versions of ICU are affected:

• ICU: All versions prior to 6.9.5

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF UNINITIALIZED VARIABLE CWE-457

The iSTAR Configuration Utility (ICU) tool leaks memory, which could result in the unintended exposure of unauthorized data from the Windows PC that ICU is running on.

CVE-2025-26383 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-26383. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy, Government Services and Facilities, Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Reid Wightman of Dragos reported this vulnerability to Johnson Controls Inc.

4. MITIGATIONS

Johnson Controls recommends users update ICU to Version 6.9.5 or greater.

For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2025-06

For assistance and additional information, please contact Johnson Controls Trust Center
[email protected]

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• May 27, 2025: Initial Republication of Johnson Controls security advisory

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SiPass
• Vulnerability: Improper Verification of Cryptographic Signature

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to upload a maliciously modified firmware onto the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens SiPass integrated AC5102 (ACC-G2): All versions
• Siemens SiPass integrated ACC-AP: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

Affected devices do not properly check the integrity of firmware updates. This could allow a local attacker to upload a maliciously modified firmware onto the device. In a second scenario, a remote attacker who is able to intercept the transfer of a valid firmware from the server to the device could modify the firmware “on the fly”.

CVE-2022-31807 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2022-31807. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• All affected products: Enable TLS for communication between servers and affected devices; this mitigates the risk of on-path attackers that intercept and modify the firmware during transmission
• All affected products: Currently no fix is available

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-367714 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• May 29, 2025: Initial Republishing of Siemens SSA-367714