Skip to main content
(844) 422-7000

Johnson Controls FX80 and FX90

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Johnson Controls Inc.
  • Equipment: FX80 and FX90
  • Vulnerability: Dependency on Vulnerable Third-Party Component

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to compromise the device’s configuration files.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Johnson Controls products are affected:

  • FX80: FX 14.10.10
  • FX80: FX 14.14.1
  • FX90: FX 14.10.10
  • FX90: FX 14.14.1

3.2 VULNERABILITY OVERVIEW

3.2.1 DEPENDENCY ON VULNERABLE THIRD-PARTY COMPONENT CWE-1395

The affected product is vulnerable to a vulnerable third-party component, which could allow an attacker to compromise device configuration files.

CVE-2025-43867 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-43867. A base score of 8.4 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER

Johnson Controls reported this vulnerability to CISA.

4. MITIGATIONS

Johnson Controls recommends users update to the latest version. Successful exploitation of CVE-2025-43867 could trigger CVEs CVE-2025-3936 through CVE-2025-3945.

  • For systems running version 14.10.10, apply the 14.10.11 patch from the software portal.
  • For systems running version 14.14.1, apply the 14.14.2 patch from the software portal.
  • Note: FX 14.10.10 contains Niagara 4.10u10
  • Note: FX 14.14.1 contains Niagara 4.14u1

Login credentials are required to access the software portal.

For more detailed mitigation instructions, visit Johnson Controls Product Security Advisory JCI-PSA-2025-09 v1

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 7, 2025: Initial Publication

Burk Technology ARC Solo

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Burk Technology
  • Equipment: ARC Solo
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker gaining access to the device, locking out authorized users, or disrupting operations.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of ARC Solo, a monitoring and control device primariliy used in broadcasting, is affected:

  • ARC Solo: Versions prior to v1.0.62

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The device’s password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device’s HTTP endpoint without providing valid credentials. The system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request’s legitimacy.

CVE-2025-5095 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-5095. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Souvik Kandar of MicroSec (microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Burk Technology recommends users update their ARC Solo devices to Version v1.0.62 or later. The upgrade can be downloaded from the Burk Technology website.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 7, 2025: Initial Publication

Rockwell Automation Arena

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: Arena
  • Vulnerabilities: Out-of-bounds Read, Stack-based Buffer Overflow, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

  • Arena: Versions 16.20.09 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor’s ability to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-7025 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7025. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

A local code execution vulnerability exists in Rockwell Automation Arena due to a stack-based memory buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-7032 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7032. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

A local code execution vulnerability exists in Rockwell Automation Arena due to a heap-based buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-7033 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7033. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends users updating to arena Version 16.20.10 or later.

For more information about these issues, reference the Rockwell Automation security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • August 7, 2025: Initial Publication

Packet Power EMX and EG

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Packet Power
  • Equipment: EMX, EG
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to gain full access to the device without authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Packet Power products are affected:

  • EMX: Versions prior to 4.1.0
  • EG: Versions prior to 4.1.0

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

By default, the Packet Power Monitoring and Control Web Interface do not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.

CVE-2025-8284 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-8284. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Anthony Rose and Jacob Krasnov of BC Security reported this vulnerability to CISA.

4. MITIGATIONS

Packet Power recommends the following:

  • Update the affected products to version 4.1.0 or later.
  • Isolate devices whenever possible.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimizing network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 7, 2025: Initial Publication

Dreame Technology iOS and Android Mobile Applications

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.5
  • ATTENTION: Low attack complexity
  • Vendor: Dreame Technology
  • Equipment: Dreamehome and MOVAhome mobile applications
  • Vulnerability: Improper Certificate Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in unauthorized information disclosure.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of the Dreame and MOVA mobile apps are affected:

  • Dreamehome iOS app: Versions 2.3.4 and prior
  • Dreamehome Android app: Versions 2.1.8.8 and prior
  • MOVAhome iOS app: Versions 1.2.3 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER CERTIFICATE VALIDATION CWE-295

A TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens.

CVE-2025-8393 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-8393. A base score of 8.5 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Dennis Giese reported this vulnerability to CISA.

4. MITIGATIONS

Dreame Technology did not respond to CISA’s request for coordination. Contact Dreame Technology directly for more information. Note that MOVA is a subsidiary of Dreame Technology.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • August 07, 2025: Initial Publication

EG4 Electronics EG4 Inverters

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: EG4 Electronics
  • Equipment: EG4 Inverters
  • Vulnerabilities: Cleartext Transmission of Sensitive Information, Download of Code Without Integrity Check, Observable Discrepancy, Improper Restriction of Excessive Authentication Attempts

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to intercept and manipulate critical data, install malicious firmware, hijack device access, and gain unauthorized control over the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following EG4 Electronics inverters are affected:

  • EG4 12kPV: All versions
  • EG4 18kPV: All versions
  • EG4 Flex 21: All versions
  • EG4 Flex 18: All versions
  • EG4 6000XP: All versions
  • EG4 12000XP: All versions
  • EG4 GridBoss: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.

CVE-2025-52586 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-52586. A base score of 7.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.2 DOWNLOAD OF CODE WITHOUT INTEGRITY CHECK CWE-494

The affected product allows firmware updates to be downloaded from EG4’s website, transferred via USB dongles, or installed through EG4’s Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection.

CVE-2025-53520 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53520. A base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 OBSERVABLE DISCREPANCY CWE-203

The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns.

CVE-2025-47872 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-47872. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.

CVE-2025-46414 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-46414. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Anthony Rose of BC Security reported these vulnerabilities to CISA.

4. MITIGATIONS

EG4 has acknowledged the vulnerabilities and is actively working on a fix, including new hardware expected to release by October 15, 2025. Until then, EG4 will actively monitor all installed systems and work with affected users on a case-by-case basis if anomalies are observed.

Note that CVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.

For more information, contact EG4.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 7, 2025: Initial Publication

Yealink IP Phones and RPS (Redirect and Provisioning Service)

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 5.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Yealink
  • Equipment: IP Phones
  • Vulnerability: Improper Restriction of Excessive Authentication Attempts, Allocation of Resources Without Limits or Throttling, Incorrect Authorization, Improper Certificate Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an information disclosure.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Yealink IP products are affected:

  • SIP-T19P_E2: Versions prior to 53.84.0.121
  • SIP-T21P_E2: Versions prior to 52.84.0.121
  • SIP-T23G: Versions prior to 44.84.0.121
  • SIP-T40G: Versions prior to 76.84.0.121
  • SIP-T40P: Versions prior to 54.84.0.121
  • SIP-T27G: Versions prior to 69.84.0.121
  • SIP-T41S: Versions prior to 66.84.0.121
  • SIP-T42S: Versions prior to 66.84.0.121
  • SIP-T46S: Versions prior to 66.84.0.121
  • SIP- T48S: Versions prior to 66.84.0.121
  • SIP-CP920: Versions prior to 78.84.0.121
  • SIP-T53: Versions prior to X.84.0.121
  • SIP-T53W: Versions prior to X.84.0.121
  • SIP-T54W: Versions prior to X.84.0.121
  • SIP-T57W: Versions prior to X.84.0.121
  • SIP-T56A: Versions prior to 58.84.0.37
  • SIP-T58: Versions prior to 58.84.0.37
  • W52P: Versions prior to 25.81.0.67
  • W60B: Versions prior to 77.83.0.83
  • CP960: Versions prior to 73.84.0.37
  • SIP-T27P: Version 45.83.0.160 and prior
  • SIP-T29G: Version 46.83.0.160 and prior
  • SIP-T41P: Version 36.83.0.160 and prior
  • SIP-T42G: Version 29.83.0.160 and prior
  • SIP-T46G: Version 28.83.0.160 and prior
  • SIP-T48G: Version 35.83.0.160 and prior
  • SIP-T20P: All versions
  • SIP-T22P: All versions
  • SIP-T26P: All versions
  • SIP-T27P: All versions
  • T52S: All versions
  • T54S: All versions
  • RPS (Redirect and Provisioning Service): All builds prior to 05-26-2025

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

The affected products lack serial number verification attempt limits, enabling brute-force enumeration (last five digits).

CVE-2025-52916 has been assigned to this vulnerability. A CVSS v3 base score of 2.2 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-52916. A base score of 2.1 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

The affected products lack rate limiting, potentially enabling information disclosure via excessive requests.

CVE-2025-52917 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-52917. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 INCORRECT AUTHORIZATION CWE-863

The affected products fail to enforce access restrictions on OpenAPIs for frozen enterprise accounts, allowing unauthorized access to deactivated interfaces.

CVE-2025-52918 has been assigned to this vulnerability. A CVSS v3 base score of 5.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-52918. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).

3.2.4 IMPROPER CERTIFICATE VALIDATION CWE-295

The certificate upload function in the affected products does not properly validate certificate content, potentially allowing invalid certificates to be uploaded.

CVE-2025-52919 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-52919. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Jeroen Hermans of CloudAware reported these vulnerabilities to CISA.

4. MITIGATIONS

Users of Yealink are encouraged to navigate to Yealink’s support portal and update to the following versions:

  • SIP-T19P_E2: Version 53.84.0.160 or higher
  • SIP-T21P_E2: Version 52.84.0.160 or higher
  • SIP-T23G: Version 44.84.0.160 or higher
  • SIP-T40G: Version 76.84.0.160 or higher
  • SIP-T40P: Version 54.84.0.160 or higher
  • SIP-T27G: Version 69.86.0.160 or higher
  • SIP-T41S: Version 66.86.0.83 or higher
  • SIP-T42S: Version 66.86.0.83 or higher
  • SIP-T46S: Version 66.86.0.83 or higher
  • SIP- T48S: Version 66.86.0.83 or higher
  • SIP-CP920: Version 78.86.0.15 or higher
  • SIP-T53: Version 96.86.0.75 or higher
  • SIP-T53W: Version 96.86.0.75 or higher
  • SIP-T54W: Version 96.86.0.75 or higher
  • SIP-T57W: Version 96.86.0.75 or higher
  • SIP-T56A: Version 58.86.0.160 or higher
  • SIP-T58: Version 58.86.0.160 or higher
  • W52P: Version 25.81.0.160 or higher
  • W60B: Version 77.85.0.160 or higher
  • CP960: Version 73.86.0.160 or higher
  • SIP-T27P: Version 45.83.0.161 or higher
  • SIP-T29G: Version 46.83.0.160 and prior
  • SIP-T41P: Version 36.83.0.160 and prior
  • SIP-T42G: Version 29.83.0.160 and prior
  • SIP-T46G: Version 28.83.0.160 and prior
  • SIP-T48G: Version 35.83.0.160 and prior
  • RPS (Redirect and Provisioning Service): Yealink has deployed a fix to all cloud service instances

The following products are no longer receiving RPS support:

For more information, see the associated Yealink security advisory: Yealink RPS Issue Statement.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 07, 2025: Initial Publication

Mitsubishi Electric Iconics Digital Solutions Multiple Products

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 4.1
  • ATTENTION: Low attack complexity
  • Vendor: Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric
  • Equipment: ICONICS Product Suite and Mitsubishi Electric MC Works64
  • Vulnerability: Windows Shortcut Following (.LNK)

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in information tampering.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ICONICS Product Suite and Mitsubishi Electric MC Works64 are affected:

  • GENESIS64: All versions
  • GENESIS: Version 11.00
  • Mitsubishi Electric MC Works64: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Windows Shortcut Following (.LNK) CWE-64

An information tampering vulnerability due to Windows Shortcut Following exists in multiple processes in GENESIS64, MC Works64, and GENESIS. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability. By creating a symbolic link, an attacker can cause the processes to make unauthorized writes to arbitrary files on the file system in any location that is accessible to the user under which the elevated processes are running, resulting in a denial-of-service (DoS) condition on the PC if the modified file is necessary for the operation of the PC.

CVE-2025-7376 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-7376. A base score of 4.1 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Iconics Digital Solutions recommends users upgrade to GENESIS Version 11.01, which contains a fix for this vulnerability. For the highest level of security, it is recommended that users upgrade their system to the latest version and keep it up-to-date with the latest releases. Consult Mitsubishi Electric Iconics Digital Solutions Support for upgrade assistance.

Users who remain on affected versions should be aware of this information tampering vulnerability and take any necessary precautions to keep the system safe from potential attackers such as:

  • Configure the PCs with the affected product installed so that only an administrator can log in.
  • PCs with the affected product installed should be configured to block remote logins from untrusted networks and hosts, and from non-administrator users.
  • Block unauthorized access by using a firewall or virtual private network (VPN), etc., and allow remote login only to administrators when connecting the PCs with the affected product installed to the Internet.
  • Restrict physical access to the PC with the affected product installed and the network to which the PC is connected to prevent unauthorized physical access.
  • Do not click on web links in emails from untrusted sources. Also, do not open attachments in untrusted emails.

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommends updating the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here (login required).

For more information, see Mitsubishi Electric’s security advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • August 5, 2025: Initial Publication

Tigo Energy Cloud Connect Advanced

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Tigo Energy
  • Equipment: Cloud Connect Advanced
  • Vulnerabilities: Use of Hard-coded Credentials, Command Injection, Predictable Seed in Pseudo-Random Number Generator (PRNG).

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settings, disrupt solar energy production, interfere with safety mechanisms, execute arbitrary commands via command injection, cause service disruptions, expose sensitive data, and recreate valid session IDs to access sensitive device functions on connected solar inverter systems due to insecure session ID generation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Cloud Connect Advanced are affected:

  • Cloud Connect Advanced: Versions 4.0.1 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Hard-coded Credentials CWE-798

Tigo Energy’s Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms.

CVE-2025-7768 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7768. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) CWE-77

Tigo Energy’s CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device that could cause potential unauthorized access, service disruption, and data exposure.

CVE-2025-7769 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7769. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Predictable Seed in Pseudo-Random Number Generator (PRNG) CWE-337

Tigo Energy’s CCA device is vulnerable to insecure session ID generation in their remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems.

CVE-2025-7770 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-7770. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Anthony Rose and Jacob Krasnov of BC Security and Peter Kariuki of Ovanova reported these vulnerabilities to CISA.

4. MITIGATIONS

Tigo Energy is aware of these vulnerabilities and is actively working on a fix to address them.

Visit Tigo Energy’s Help Center for more specific security recommendations.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
  • CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • August 5, 2025: Initial Publication

Güralp Systems Güralp FMUS series

Written by Admin @CloudCentric on . Posted in CISA-Published Industrial Control System Vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Güralp Systems
  • Equipment: Güralp FMUS Series Seismic Monitoring Devices
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Güralp FMUS series are affected:

  • Güralp FMUS Series Seismic Monitoring Devices: All versions

3.2 Vulnerability Overview

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected products expose an unauthenticated Telnet-based command line interface that could allow an attacker to modify hardware configurations, manipulate data, or factory reset the device.

CVE-2025-8286 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-8286. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United Kingdom

3.4 RESEARCHER

Souvik Kandar of MicroSec (microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Güralp did not respond to CISA’s attempts at coordination. Users of Güralp are encouraged to contact Güralp and keep their systems up to date.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • July 31, 2025: Initial Publication