
Festo CPX-CEC-C1 and CPX-CMXX


1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Festo
  • Equipment: CPX-CEC-C1 and CPX-CMXX
  • Vulnerability: Improper Privilege Management

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Festo reports that the following products are affected:

  • Festo Firmware installed on Festo Hardware Control block CPX-CEC-C1: Versions 2.0.12 and prior
  • Festo Firmware installed on Festo Hardware Control block CPX-CMXX: Versions 1.2.34 rev.404 and prior
  • Festo Firmware installed on Festo Hardware Control block-SET CPX-CEC-C1: Versions 1.2.34 rev.404 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269

Festo control block CPX-CEC-C1 and CPX-CMXX in multiple versions allow unauthenticated, remote access to critical webpage functions which may cause a denial of service.

CVE-2022-3079 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Rob Hulsebos and Daniel dos Santos of Forescout reported this vulnerability to Festo.

4. MITIGATIONS

Festo has identified the following specific remediations users can apply to reduce risk:

  • Limit access to the webserver (TCP port 80) of the device to what is absolutely necessary.
  • Currently, no fix is planned.
  • Replace CPX-CEC-C1 with the follow-up product CPX-CEC-C1-V3.
  • Replace CPX-CMXX with the follow-up product CPX-CEC-M1-V3.

For more information, see the associated Festo security advisory FSA-202207 (Festo: CPX-CEC-C1 and CPX-CMXX, Missing Authentication for Critical Webpage Function), available in HTML and CSAF formats.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 30, 2025: Initial Republication of Festo FSA-202207

National Instruments Circuit Design Suite


1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: National Instruments
  • Equipment: Circuit Design Suite
  • Vulnerabilities: Type Confusion, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption, potentially leading to information disclosure and execution of arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following National Instruments products are affected:

  • Circuit Design Suite: Versions v14.3.1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 ACCESS OF RESOURCE USING INCOMPATIBLE TYPE (‘TYPE CONFUSION’) CWE-843

The affected product is vulnerable to a memory corruption of a function table, which could allow an attacker to disclose information or execute arbitrary code.

CVE-2025-6033 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-6033. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected product is vulnerable to an out-of-bounds read, which may allow an attacker to execute arbitrary code.

CVE-2025-6034 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-6034. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Defense Industrial Base, Government Services and Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

National Instruments recommends users update to version 14.3.2 or later from NI Package Manager or Software Downloads.

For more information, refer to the National Instruments security pages for each vulnerability and to the National Instruments security update page.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • September 30, 2025: Initial Publication

Festo Controller CECC-S,-LK,-D Family Firmware


1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Festo
  • Equipment: Controller CECC-S,-LK,-D Family Firmware
  • Vulnerabilities: Exposure of Resource to Wrong Sphere, Untrusted Pointer Dereference, NULL Pointer Dereference, Files or Directories Accessible to External Parties, Out-of-bounds Write, Improper Privilege Management, Incorrect Permission Assignment for Critical Resource, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Missing Release of Memory after Effective Lifetime, Improper Handling of Exceptional Conditions, Use of a Broken or Risky Cryptographic Algorithm, Weak Password Recovery Mechanism for Forgotten Password, Use of Password Hash With Insufficient Computational Effort, Improper Access Control, Allocation of Resources Without Limits or Throttling, Improper Input Validation, Buffer Over-read, Use of Insufficiently Random Values, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Uncontrolled Recursion, Missing Encryption of Sensitive Data, Improper Restriction of Operations within the Bounds of a Memory Buffer

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to crash services, escalate privileges, bypass authentication, or gain unauthorized access to sensitive systems and data.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Festo reports that the following products are affected:

  • Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-D: All versions
  • Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-LK: All versions
  • Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-S: All versions
  • Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-S: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

A remote, authenticated attacker could utilize the control program of the CODESYS Control runtime system to use the vulnerability in order to read and modify the configuration file(s) of the affected products.

CVE-2022-22515 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

3.2.2 UNTRUSTED POINTER DEREFERENCE CWE-822

An authenticated, remote attacker can supply a pointer in a request that the CmpTraceMgr component dereferences. The resulting accesses can overwrite local memory, although the attacker can neither read the values accessed internally nor control the values written. If invalid memory is accessed, the result is a crash.

CVE-2022-22514 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

3.2.3 NULL POINTER DEREFERENCE CWE-476

An authenticated remote attacker can cause a null pointer dereference in the CmpSettings component of the affected CODESYS products which leads to a crash.

CVE-2022-22513 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.4 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to external parties.

CVE-2021-36763 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.5 OUT-OF-BOUNDS WRITE CWE-787

CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.

CVE-2021-33485 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.6 OUT-OF-BOUNDS WRITE CWE-787

CODESYS V3 web server before 3.5.15.40, as used in CODESYS Control runtime systems, has a buffer overflow.

CVE-2020-10245 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.7 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

An issue was discovered in 3S-Smart CODESYS V3 through 3.5.12.30. A user with low privileges can take full control over the runtime.

CVE-2019-9008 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.8 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

CODESYS 3 web server before 3.5.15.20, as distributed with CODESYS Control runtime systems, has a Buffer Overflow.

CVE-2019-18858 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.9 OUT-OF-BOUNDS WRITE CWE-787

CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which could cause a stack overflow and create a denial-of-service condition or allow remote code execution.

CVE-2019-13548 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.10 NULL POINTER DEREFERENCE CWE-476

3S-Smart Software Solutions GmbH CODESYS V3 OPC UA Server, all versions 3.5.11.0 to 3.5.15.0, allows an attacker to send crafted requests from a trusted OPC UA client that cause a NULL pointer dereference, which may trigger a denial-of-service condition.

CVE-2019-13542 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.11 MISSING RELEASE OF MEMORY AFTER EFFECTIVE LIFETIME CWE-401

CODESYS Control runtime system before 3.5.16.10 allows Uncontrolled Memory Allocation.

CVE-2020-15806 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.12 IMPROPER HANDLING OF EXCEPTIONAL CONDITIONS CWE-755

An issue was discovered in 3S-Smart CODESYS before 3.5.15.0. Crafted network packets cause the Control Runtime to crash.

CVE-2019-9009 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.13 EXPOSURE OF RESOURCE TO WRONG SPHERE CWE-668

In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), an attacker can identify valid usernames.

CVE-2019-9011 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

3.2.14 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

An issue was discovered in 3S-Smart CODESYS V3 products. The application may utilize non-TLS based encryption, which results in user credentials being insufficiently protected during transport. All variants of the following CODESYS V3 products in all versions containing the CmpUserMgr component are affected regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS V3 Simulation Runtime (part of the CODESYS Development System), CODESYS Control V3 Runtime System Toolkit, CODESYS HMI V3.

CVE-2019-9013 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.15 WEAK PASSWORD RECOVERY MECHANISM FOR FORGOTTEN PASSWORD CWE-640

In Pilz PMC programming tool 3.x before 3.5.17 (based on CODESYS Development System), a user’s password may be changed by an attacker without knowledge of the current password.

CVE-2020-12067 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.16 USE OF PASSWORD HASH WITH INSUFFICIENT COMPUTATIONAL EFFORT CWE-916

In CODESYS V3 products in all versions prior to V3.5.16.0 containing the CmpUserMgr, the CODESYS Control runtime system stores the online communication passwords using a weak hashing algorithm. This can be used by a local attacker with low privileges to gain full control of the device.

CVE-2020-12069 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.17 NULL POINTER DEREFERENCE CWE-476

In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted communication requests may cause a Null pointer dereference in the affected CODESYS products and may result in a denial-of-service condition.

CVE-2021-36764 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.18 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

An issue was discovered in 3S-Smart CODESYS V3 products. A crafted communication request may cause uncontrolled memory allocations in the affected CODESYS products and may result in a denial-of-service condition. All variants of the following CODESYS V3 products in all versions prior to v3.5.14.20 that contain the CmpGateway component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control V3 Runtime System Toolkit, CODESYS Gateway V3, CODESYS V3 Development System.

CVE-2019-9012 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.19 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

CODESYS Control V3, Gateway V3, and HMI V3 before 3.5.15.30 allow uncontrolled memory allocation which can result in a remote denial of service condition.

CVE-2020-7052 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

3.2.20 OUT-OF-BOUNDS WRITE CWE-787

An exploitable memory corruption vulnerability exists in the Name Service Client functionality of 3S-Smart Software Solutions CODESYS GatewayService. A specially crafted packet can cause a large memcpy, resulting in an access violation and termination of the process. An attacker can send a packet to a device running the GatewayService.exe to trigger this vulnerability. All variants of the CODESYS V3 products in all versions prior to V3.5.16.10 containing the CmpRouter or CmpRouterEmbedded component are affected, regardless of the CPU type or operating system: CODESYS Control for BeagleBone, CODESYS Control for emPC-A/iMX6, CODESYS Control for IOT2000, CODESYS Control for Linux, CODESYS Control for PLCnext, CODESYS Control for PFC100, CODESYS Control for PFC200, CODESYS Control for Raspberry Pi, CODESYS Control RTE V3, CODESYS Control RTE V3 (for Beckhoff CX), CODESYS Control Win V3 (also part of the CODESYS Development System setup), CODESYS Control V3 Runtime System Toolkit, CODESYS V3 Embedded Target Visu Toolkit, CODESYS V3 Remote Target Visu Toolkit, CODESYS V3 Safety SIL2, CODESYS Edge Gateway V3, CODESYS Gateway V3, CODESYS HMI V3, CODESYS OPC Server V3, CODESYS PLCHandler SDK, CODESYS V3 Simulation Runtime (part of the CODESYS Development System).

CVE-2019-5105 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.21 NULL POINTER DEREFERENCE CWE-476

CODESYS Gateway 3 before 3.5.16.70 has a NULL pointer dereference that may result in a denial of service (DoS).

CVE-2021-29241 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.22 IMPROPER INPUT VALIDATION CWE-20

CODESYS Control Runtime system before 3.5.17.0 has improper input validation. Attackers can send crafted communication packets to change the router’s addressing scheme and may re-route, add, remove or change low level communication packages.

CVE-2021-29242 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.2.23 BUFFER OVER-READ CWE-126

A remote, unauthenticated attacker can send specifically crafted HTTP or HTTPS requests causing a buffer over-read, resulting in a crash of the webserver of the CODESYS Control runtime system.

CVE-2022-22519 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.24 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

An unauthenticated, remote attacker can disrupt existing communication channels between CODESYS products by guessing a valid channel ID and injecting packets. This results in the communication channel being closed.

CVE-2022-22517 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.25 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

CODESYS V3 web server, all versions prior to 3.5.14.10, allows an attacker to send specially crafted http or https requests which may allow access to files outside the restricted working directory of the controller.

CVE-2019-13532 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.26 USE OF INSUFFICIENTLY RANDOM VALUES CWE-330

Use of Insufficiently Random Values exists in CODESYS V3 products in versions prior to V3.5.14.0.

CVE-2018-20025 has been assigned to this vulnerability. A CVSS v3.0 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.27 UNCONTROLLED RECURSION CWE-674

Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).

CVE-2018-0739 has been assigned to this vulnerability. A CVSS v3.0 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H).

3.2.28 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

In 3S-Smart Software Solutions GmbH CODESYS Control V3 products prior to version 3.5.14.0, user access management and communication encryption is not enabled by default, which could allow an attacker access to the device and sensitive information, including user credentials.

CVE-2018-10612 has been assigned to this vulnerability. A CVSS v3.0 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.2.29 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g.

CVE-2017-3735 has been assigned to this vulnerability. A CVSS v3.0 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CERT@VDE coordinated and supported publication with Festo. Festo reported these vulnerabilities to CISA.

4. MITIGATIONS

Festo has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2022-22515, CVE-2022-22514, CVE-2022-22513, CVE-2021-36763, CVE-2021-33485, CVE-2020-10245, CVE-2020-15806, CVE-2019-9011, CVE-2019-9013, CVE-2020-12067, CVE-2020-12069, CVE-2021-36764, CVE-2019-5105, CVE-2021-29241, CVE-2021-29242, CVE-2022-22519, CVE-2022-22517, CVE-2018-0739) (Product Group: Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-D(All versions), Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-LK(All versions), Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-S(All versions)): No fix planned. This issue will be handled with next hardware generation release.
  • (CVE-2019-9008, CVE-2019-18858, CVE-2019-13548, CVE-2019-13542, CVE-2019-9009, CVE-2019-9012, CVE-2020-7052, CVE-2019-13532, CVE-2018-20025, CVE-2018-10612, CVE-2017-3735) (Product Group: Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-D(All versions), Festo Firmware (R06 (11.10.2016) = 2.3.8.1) installed on Festo Hardware Controller CECC-LK(All versions), Festo Firmware (R05 (17.06.2016) = 2.3.8.0) installed on Festo Hardware Controller CECC-S(All versions)): Update to version 2.4.2.0. This also fixes CODESYS Advisory 2017-01, CODESYS Advisory 2017-03, CODESYS Advisory 2017-06, CODESYS Advisory 2017-07, CODESYS Advisory 2017-09, CODESYS Advisory 2018-04, CODESYS Advisory 2018-05, CODESYS Advisory 2018-07, CODESYS Advisory 2018-11.

The following product versions have been fixed:

  • Firmware 2.4.2.0 installed on Controller CECC-D is the fixed version for CVE-2019-9008, CVE-2019-18858, CVE-2019-13548, CVE-2019-13542, CVE-2019-9009, CVE-2019-9012, CVE-2020-7052, CVE-2019-13532, CVE-2018-20025, CVE-2018-0739, CVE-2018-10612 and CVE-2017-3735
  • Firmware 2.4.2.0 installed on Controller CECC-LK is the fixed version for CVE-2019-9008, CVE-2019-18858, CVE-2019-13548, CVE-2019-13542, CVE-2019-9009, CVE-2019-9012, CVE-2020-7052, CVE-2019-13532, CVE-2018-20025, CVE-2018-0739, CVE-2018-10612 and CVE-2017-3735

For more information, see the associated Festo SE & Co. KG security advisory FSA-202202 (Festo: Controller CECC-S,LK,D family <= 2.3.8.1 – multiple vulnerabilities in CODESYS V3 runtime system), available in HTML and CSAF formats.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 30, 2025: Initial Republication of Festo FSA-202202

MegaSys Enterprises Telenium Online Web Application


1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Megasys Enterprises
  • Equipment: Telenium Online Web Application
  • Vulnerability: OS Command Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the security context of the web application service account.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following MegaSys Enterprises products are affected:

  • Telenium Online Web Application: Versions 8.4.21 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The Telenium Online Web Application is vulnerable due to a PHP endpoint accessible to unauthenticated network users that improperly handles user-supplied input. This vulnerability occurs due to the insecure termination of a regular expression check within the endpoint. Because the input is not correctly validated or sanitized, an unauthenticated attacker can inject arbitrary operating system commands through a crafted HTTP request, leading to remote code execution on the server in the context of the web application service account.

CVE-2025-10659 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-10659. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Information Technology, Communications
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Scott Sheach reported this vulnerability to MegaSys Enterprises.

4. MITIGATIONS

Megasys Enterprises has provided a fix for this vulnerability. Users should access the Megasys support page to get instructions on applying the fix.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 30, 2025: Initial Publication

LG Innotek Camera Multiple Models

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.8
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: LG Innotek
  • Equipment: Camera Models LND7210 and LNV7210R
  • Vulnerability: Authentication Bypass Using an Alternate Path or Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain administrative access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following models of LG Innotek CCTV Cameras are affected:

  • LG LND7210: All Versions
  • LG LNV7210R: All Versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

An authentication bypass vulnerability exists in LG Innotek camera models LND7210 and LNV7210R. The vulnerability allows a malicious actor to gain access to camera information including user account information.

CVE-2025-10538 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-10538. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER

Souvik Kandar reported this vulnerability to CISA.

4. MITIGATIONS

LG Innotek is aware of the vulnerability but has noted this is an end-of-life product that can no longer be patched.

Visit the LG Security Center for further guidance.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 30, 2025: Initial Publication

OpenPLC_V3

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 6.1
  • ATTENTION: Low attack complexity
  • Vendor: OpenPLC_V3
  • Equipment: OpenPLC_V3
  • Vulnerability: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial of service, making the PLC runtime process crash.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of OpenPLC_V3 are affected:

  • OpenPLC_V3: Versions prior to pull request #292

3.2 VULNERABILITY OVERVIEW

3.2.1 RELIANCE ON UNDEFINED, UNSPECIFIED, OR IMPLEMENTATION-DEFINED BEHAVIOR CWE-758

OpenPLC_V3 has a vulnerability in the enipThread function caused by a missing return value. When the server loop ends, execution falls off the end of the function and hits an illegal ud2 instruction, crashing the process. The issue can be triggered remotely without authentication by starting the same server multiple times, or whenever the server exits unexpectedly. This allows an attacker to cause a denial of service (DoS) against the PLC runtime, stopping any PLC started remotely without authentication. The result is the PLC process crashing and all automation or control logic managed by OpenPLC halting.

CVE-2025-54811 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-54811. A base score of 6.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:H).
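The following is an added example, not OpenPLC code: it models the CWE-758 pattern described above with a thread body whose every exit path returns a value, so neither a failed second start (bind failure) nor a normal loop exit can fall off the end of the function. The enip_ctx type, its fields and the status codes are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an EtherNet/IP server thread context (assumed
 * names, not OpenPLC's own). */
enum { ENIP_OK = 0, ENIP_BIND_FAILED = 1, ENIP_LOOP_EXITED = 2 };

typedef struct {
    bool bind_ok;           /* false models "address already in use" when
                               the same server is started a second time */
    int  requests_to_serve; /* how many iterations the serve loop runs */
    int  served;            /* iterations actually completed */
    int  status;            /* result reported back to the caller */
} enip_ctx;

/* Thread body with the pthread signature. Every exit path returns a value.
 * The vulnerable version had no return statement at all, so once the loop
 * finished (or bind failed) control fell off the end of a non-void function;
 * compilers may lower that to a trap (ud2 on x86-64, as the advisory
 * describes) and the whole PLC runtime process dies. */
void *enip_thread(void *arg)
{
    enip_ctx *ctx = arg;

    if (!ctx->bind_ok) {
        /* Second start of the same server: report the error and exit
         * cleanly instead of crashing the runtime. */
        ctx->status = ENIP_BIND_FAILED;
        return ctx;
    }

    while (ctx->served < ctx->requests_to_serve)
        ctx->served++;              /* stands in for accept()/handle() */

    ctx->status = ENIP_LOOP_EXITED; /* loop ended: shutdown or error */
    return ctx;                     /* the statement the fix adds */
}

/* Drives the thread body synchronously and returns its status code.
 * Building with -Wall -Werror=return-type turns a missing return in a
 * non-void function into a build error instead of a runtime trap. */
int run_enip_thread(bool bind_ok, int requests)
{
    enip_ctx ctx = { .bind_ok = bind_ok, .requests_to_serve = requests,
                     .served = 0, .status = ENIP_OK };
    void *ret = enip_thread(&ctx);
    if (ret != &ctx)
        return -1;                  /* thread body did not report back */
    return ctx.status;
}

int main(void)
{
    printf("first start: status %d\n", run_enip_thread(true, 3));
    printf("second start on same port: status %d\n", run_enip_thread(false, 3));
    return 0;
}
```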

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Renato Garreton of TryHackMe reported this vulnerability to CISA.

4. MITIGATIONS

Pull request #292 resolves this issue. Users are advised to update OpenPLC_V3 to pull request #292 or later from the main GitHub repository.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • September 30, 2025: Initial Publication

Festo SBRD-Q/SBOC-Q/SBOI-Q

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 8.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Festo
  • Equipment: SBRD-Q/SBOC-Q/SBOI-Q
  • Vulnerabilities: Incorrect Conversion between Numeric Types, Out-of-bounds Read, Reachable Assertion

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may allow the attacker to read arbitrary data or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Festo reports that the following products are affected:

  • Festo Firmware installed on Festo Hardware SBOC-Q-R1B: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R1B-S1: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R1C: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R1C-S1: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R2B: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R2B-S1: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R2C: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R3B-WB: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R3B-WB-S1: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R3C-WB: All versions
  • Festo Firmware installed on Festo Hardware SBOC-Q-R3C-WB-S1: All versions
  • Festo Firmware installed on Festo Hardware SBOI-Q-R1B: All versions
  • Festo Firmware installed on Festo Hardware SBOI-Q-R1B-S1: All versions
  • Festo Firmware installed on Festo Hardware SBOI-Q-R1C: All versions
  • Festo Firmware installed on Festo Hardware SBOI-Q-R1C-S1: All versions
  • Festo Firmware installed on Festo Hardware SBOI-Q-R3B-WB: All versions
  • Festo Firmware installed on Festo Hardware SBOI-Q-R3B-WB-S1: All versions
  • Festo Firmware installed on Festo Hardware SBOI-Q-R3C-WB: All versions
  • Festo Firmware installed on Festo Hardware SBOI-Q-R3C-WB-S1: All versions
  • Festo Firmware installed on Festo Hardware SBRD-Q: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT CONVERSION BETWEEN NUMERIC TYPES CWE-681

A specifically-crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to February 10, 2021, may cause a denial-of-service condition.

CVE-2021-27478 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

A specifically-crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to February 10, 2021, may allow an attacker to read arbitrary data.

CVE-2021-27482 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.3 REACHABLE ASSERTION CWE-617

A specifically-crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to February 10, 2021, may result in a denial-of-service condition.

CVE-2021-27500 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.4 REACHABLE ASSERTION CWE-617

A specifically-crafted packet sent by an attacker to EIPStackGroup OpENer EtherNet/IP commits and versions prior to February 10, 2021, may result in a denial-of-service condition.

CVE-2021-27498 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

CERT@VDE coordinated these vulnerabilities with Festo.

4. MITIGATIONS

Festo has identified the following specific mitigations and remediations users can apply to reduce risk:

  • Minimize network exposure for all control system devices and/or systems and ensure that they are not accessible from the Internet.
  • Deactivate EtherNet/IP in device settings if not used.
  • There is no fix planned.

For more information, see the associated Festo security advisory FSA-202101: Festo: Multiple vulnerabilities in Ethernet/IP Stack of SBRD-Q/SBOC-Q/SBOI-Q – HTML and FSA-202101: Festo: Multiple vulnerabilities in Ethernet/IP Stack of SBRD-Q/SBOC-Q/SBOI-Q – CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 30, 2025: Initial Republication of Festo FSA-202101

Dingtian DT-R002

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Dingtian
  • Equipment: DT-R002
  • Vulnerabilities: Insufficiently Protected Credentials

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to retrieve credentials without authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Dingtian DT-R002, a relay board, are affected:

  • DT-R002: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to retrieve the current user’s username without authentication.

CVE-2025-10879 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-10879. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

All versions of Dingtian DT-R002 are vulnerable to an Insufficiently Protected Credentials vulnerability that could allow an attacker to extract the proprietary “Dingtian Binary” protocol password by sending an unauthenticated GET request.

CVE-2025-10880 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-10880. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Nicolas Cano and Reid Wightman of Dragos reported these vulnerabilities to CISA.

4. MITIGATIONS

Dingtian has not responded to requests to work with CISA to mitigate these vulnerabilities. Users of affected versions of Dingtian DT-R002 are invited to contact Dingtian customer support for additional information.

The researchers recommend the following to help reduce risk:

  • Restrict access to HTTP (TCP/80), and the Dingtian Protocol on (UDP/60000) and (UDP/60001).

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • September 25, 2025: Initial Publication

Schneider Electric SESU

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 7.3
  • ATTENTION: Low Attack Complexity
  • Vendor: Schneider Electric
  • Equipment: SESU
  • Vulnerability: Improper Link Resolution Before File Access (‘Link Following’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker to write arbitrary data to protected locations, potentially leading to escalation of privilege, arbitrary file corruption, exposure of application and system information or persistent denial of service when a low-privileged attacker tampers with the installation folder.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

  • Schneider Electric SESU: Versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric BESS ANSI: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric Easergy MiCOM P30: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric Easergy MiCOM P40: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric Easergy Studio: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Automation Expert: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric Harmony XB5S Soft: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric eXLhoist Configuration Software: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Automation Device Maintenance: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Machine Expert: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Machine Expert Basic: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Automation Expert Motion: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Operator Terminal Expert: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Control Expert: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Process Expert: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Process Expert for AVEVA System Platform: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Architecture Builder: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Machine Expert HVAC: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Power Operations (EPO): SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Power Commission Desktop (EPC): SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Microgrid Operations Medium: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric EcoStruxure Microgrid Flex: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric PowerLogic P5: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric PowerLogic P7: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric ZelioSoft 2: SESU versions prior to 3.0.12
  • Schneider Electric SESU installed on Schneider Electric SoMove: SESU versions prior to 3.0.12

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LINK RESOLUTION BEFORE FILE ACCESS (‘LINK FOLLOWING’) CWE-59

A link following vulnerability exists that could cause arbitrary data to be written to protected locations, potentially leading to escalation of privilege, arbitrary file corruption, exposure of application and system information or persistent denial of service when a low-privileged attacker tampers with the installation folder.

CVE-2025-5296 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Commercial Facilities, Critical Manufacturing, Energy, Healthcare and Public Health, Information Technology, Transportation Systems, Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Sheikh Rishad reported this vulnerability to Schneider Electric.

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Version 3.0.12 of SESU includes a fix for this vulnerability and is available for download here. Follow the installation instructions. If a predecessor version of SESU is already installed, then the update to V3.0.12 will be done automatically as a critical update in the background depending on the “automatic” update configuration.
  • If users choose not to apply the remediation detailed above, they should immediately apply the following mitigations to reduce the risk of exploit: SESU Installation Directory (chosen by the user at installation time) should not be accessible from the network and only by trusted persons.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-224-03 Schneider Electric Software Update – SEVD-2025-224-03 PDF Version, Schneider Electric Software Update – SEVD-2025-224-03 CSAF Version.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • September 23, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-224-03

Viessmann Vitogate 300

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Low attack complexity
  • Vendor: Viessmann
  • Equipment: Vitogate 300
  • Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Client-Side Enforcement of Server-Side Security

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to modify an intended OS command when it is sent to a downstream component, or to cause unexpected interactions between the client and server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Viessmann Vitogate 300 are affected:

  • Vitogate 300: Versions prior to 3.1.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) CWE-78

Vitogate 300 constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CVE-2025-9494 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-9494. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Client-Side Enforcement of Server-Side Security CWE-602

When the server relies on client-side protection mechanisms, an attacker can modify the client-side behavior to bypass the protection mechanisms, resulting in potentially unexpected interactions between the client and server. The consequences will vary, depending on what the mechanisms are trying to protect.

CVE-2025-9495 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-9495. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

adhkr of LuwakLab working with Trend Micro Zero Day Initiative and Souvik Kandar of MicroSec (microsec.io) reported these vulnerabilities to CISA.

4. MITIGATIONS

These vulnerabilities have been resolved in Vitogate 300 software version 3.1.0.1. Users are strongly encouraged to upgrade by downloading software version 3.1.0.1 or newer from the Vitogate 300 website.

For more information refer to Carrier’s product security advisory CARR-PSA-2025-02.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • September 23, 2025: Initial Publication
