View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 4.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: FOX61x Products
• Vulnerability: Relative Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to traverse the file system to access files or directories that would otherwise be inaccessible.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

• Hitachi Energy FOX61x: R15A and prior
• Hitachi Energy FOX61x: R15B
• Hitachi Energy FOX61x: R16A
• Hitachi Energy FOX61x: R16B Revision E

3.2 VULNERABILITY OVERVIEW

3.2.1 RELATIVE PATH TRAVERSAL CWE-23

Hitachi Energy is aware of a vulnerability that affects the FOX61x. If exploited an attacker could traverse the file system to access files or directories that would otherwise be inaccessible.

CVE-2024-2461 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

• FOX61x R16B Revision E (cesm3_r16b04_02, cesne_r16b04_02 and f10ne_r16b04_02) and older: Update to FOX61x R16B Revision G, Version (cesm3_r16b04_07, cesne_r16b04_07, f10ne_r16b04_07) and apply general mitigation factors. (Hitachi Energy recommends that users apply the update at the earliest convenience).
• FOX61x R15B: Recommended to update to FOX61X R16B Revision G, (cesm3_r16b04_07, cesne_r16b04_07, f10ne_r16b04_07) and apply general mitigation factors.
• FOX61x R15A and older including all subversions, FOX61x R16A: EOL versions – no remediation will be available. Recommended to update to FOX61X R16B Revision G, (cesm3_r16b04_07, cesne_r16b04_07, f10ne_r16b04_07) and apply general mitigation factors.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Data Center Expert
• Vulnerabilities: Improper Verification of Cryptographic Signature, Missing Authentication for Critical Function

2. RISK EVALUATION

Exploitation of these vulnerabilities could allow an attacker to expose private data or achieve remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric Data Center Expert: 8.1.1.3 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

An improper verification of cryptographic signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root.

CVE-2024-8531 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

A missing authentication for critical function vulnerability exists that could cause exposure of private data when an already generated “logcaptures” archive is accessed directly by HTTPS.

CVE-2024-8530 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported these vulnerabilities to CISA.

Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Version 8.2 of EcoStruxure™ IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric’s Customer Care Center.

Additionally, Schneider Electric recommends that users:

• Ensure the principals of least privilege are being followed so that only those with need have account access and that the level of their respective account authorization aligns with their role, including Privileged Accounts as described in the Data Center Expert Security Handbook.
• Verify SHA1 checksums of upgrade bundles prior to executing upgrades as described in the Upgrades section of the Data Center Expert Security Handbook.
• Delete any existing “logcapture” archives present on the system and do not create any new “logcapture” archives. Existing archives can be deleted from the https://server_ip/capturelogs web page after authenticating.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIPROTEC 5
• Vulnerability: Files or Directories Accessible to External Parties

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated remote attacker to read arbitrary files or the entire filesystem of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens SIPROTEC 5 6MD84 (CP300): Versions prior to 9.80
• Siemens SIPROTEC 5 7SA87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SD82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SD82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SD86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SD87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SJ81 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SJ81 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SJ82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SJ82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SJ85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 6MD85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SJ86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SK82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SK82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SK85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SL82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SL82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SL86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SL87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SS85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7ST85 (CP300): All versions
• Siemens SIPROTEC 5 6MD86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7ST86 (CP300): Versions prior to 9.80
• Siemens SIPROTEC 5 7SX82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SX85 (CP300): Versions prior to 9.80
• Siemens SIPROTEC 5 7SY82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7UM85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7UT82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7UT82 (CP150): Versions prior to V9.80
• Siemens SIPROTEC 5 7UT85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7UT86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7UT87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 6MD89 (CP300): Versions 7.80 and after
• Siemens SIPROTEC 5 7VE85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7VK87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7VU85 (CP300): Versions prior to 9.80
• Siemens SIPROTEC 5 Compact 7SX800 (CP050): Versions prior to V9.80
• Siemens SIPROTEC 5 6MU85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7KE85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SA82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SA82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SA86 (CP300): Versions 7.80 up to but not including 9.80

3.2 VULNERABILITY OVERVIEW

3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

Affected devices do not properly limit the path accessible via their webserver. This could allow an authenticated remote attacker to read arbitrary files from the filesystem of affected devices.

CVE-2024-53649 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-53649. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7UT82 (CP100): Currently no fix is available
• SIPROTEC 5 Compact 7SX800 (CP050): Update to V9.80 or later version
• SIPROTEC 5 6MD84 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300) and SIPROTEC 5 7VK87 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP150), and SIPROTEC 5 7SJ85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SK82 (CP150) and SIPROTEC 5 7SK85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7ST86 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SX82 (CP150) and SIPROTEC 5 7SX85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SY82 (CP150): Update to V9.80 or later version
• SIPROTEC 5 7UT82 (CP150), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), and SIPROTEC 5 7UT87 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7VU85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 6MD85 (CP300) and SIPROTEC 5 6MD86 (CP300): Update to V9.80 or later version
• : Update to V9.80 or later version
• SIPROTEC 5 6MU85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7KE85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SS85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7UM85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7VE85 (CP300): Update to V9.80 or later version

Siemens recommends operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid’s reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.

Recommended security guidelines can be found here.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-194557 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Fuji Electric
• Equipment: Alpha5 SMART
• Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Fuji Electric Alpha5 SMART, a servo drive system, are affected:

• Alpha5 SMART: Versions 4.5 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code.

CVE-2024-34579 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-34579. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

An anonymous researcher working with Trend Micro’s Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Fuji Electric has indicated that the vulnerabilities will not be fixed in Alpha5 SMART. Fuji Electric recommends users upgrade their systems to Alpha7.

For assistance, reach out directly to Fuji Electric’s support team.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 5.2
• ATTENTION: Exploitable locally
• Vendor: Siemens
• Equipment: Siveillance Video Camera Drivers
• Vulnerability: Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to read camera credentials stored in the Recording Server under specific conditions.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siveillance Video Device Pack: Versions prior to V13.5

3.2 VULNERABILITY OVERVIEW

3.2.1 INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532

Disclosure of sensitive information in HikVision camera driver’s log file in XProtect Device Pack allows an attacker to read camera credentials stored in the Recording Server under specific conditions.

CVE-2024-12569 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12569. A base score of 5.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Ensure that only trusted people get local access to the driver log files on the Recording Server.
• Update to V13.5 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-404759 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.4
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Mendix LDAP
• Vulnerability: LDAP Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to bypass username verification.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Mendix LDAP: All versions prior to 1.1.2

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN LDAP QUERY (‘LDAP INJECTION’) CWE-90

Affected versions of the module are vulnerable to LDAP injection. This could allow an unauthenticated remote attacker to bypass username verification.

CVE-2024-56841 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Mendix LDAP: Update to V1.1.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-314390 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 4.9
• ATTENTION: Low attack complexity
• Vendor: Hitachi Energy
• Equipment: FOX61x, FOXCST, FOXMAN-UN
• Vulnerability: Improper Validation of Certificate with Host Mismatch

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers to intercept or falsify data exchanges between the client and the server.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

• FOX61x: Versions prior to R16B
• FOXCST: Versions prior to 16.2.1
• FOXMAN-UN: R15A and prior
• FOXMAN-UN: R15B PC4 and prior
• FOXMAN-UN: R16A
• FOXMAN-UN: R16B PC2 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF CERTIFICATE WITH HOST MISMATCH CWE-297

Hitachi Energy is aware of a vulnerability that affects the FOXCST client application, which if exploited would allow attackers to intercept or falsify data exchanges between the client and the server.

CVE-2024-2462 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

• FOXMAN-UN R16B PC2 and earlier: Update to FOXMAN-UN R16B PC3 or later and apply general mitigation factors.
• FOXMAN-UN R15B or prior: Update to FOXMAN-UN R15B PC5 and apply general mitigation factors. (Update planned)
• FOXMAN-UN R16A, FOXMAN-UN R15A, FOXMAN-UN older than R15A: EOL versions – no remediation will be available. Recommended to update to FOXMAN-UN R16B PC4 or R15B PC5 (update planned) and apply general mitigation factors.
• FOX61x less than R16B: Update to FOX61x R16B
• FOXCST less than 16.2.1: Update to FOXCST_16.2.1

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 2.1
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Industrial Edge Management
• Vulnerability: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Industrial Edge Management OS (IEM-OS): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

Affected components are vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.

CVE-2024-45385 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45385. A base score of 2.1 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Industrial Edge Management OS (IEM-OS): Currently no fix is planned. Migrate to Industrial Edge Management Virtual (IEM-V)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-416411 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: PowerChute Serial Shutdown
• Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following versions of PowerChute Serial Shutdown are affected:

• PowerChute Serial Shutdown: Versions 1.2.0.301 and prior

3.2 Vulnerability Overview

3.2.1 IMPROPER AUTHENTICATION CWE-287

An improper authentication vulnerability exists that could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

CVE-2024-10511 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-10511. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends the following mitigations for the affected product:

• PowerChute Serial Shutdown: Versions v1.2.0.301 and prior: Update to PowerChute Serial Shutdown: Version 1.3

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here:
https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp

Schneider Electric strongly recommend the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-01 in PDF and CSAF.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 10, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: Delta Electronics
• Equipment: DRASimuCAD
• Vulnerabilities: Out-of-bounds Write, Type Confusion

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could crash the device or potentially allow remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of DRASimuCAD, a robotic simulation platform, are affected:

• DRASimuCAD : Version 1.02

3.2 Vulnerability Overview

3.2.1 Access of Resource Using Incompatible Type (‘Type Confusion’) CWE-843

Delta Electronics DRASimuCAD expects a specific data type when it opens files, but the program will accept data of the wrong type from specially crafted files.

CVE-2024-12834 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12834. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Out-of-bounds Write CWE-787

When a specially crafted file is opened with Delta Electronics DRASimuCAD, the program can be forced to write data outside of the intended buffer.

CVE-2024-12835 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12835. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.1 Access of Resource Using Incompatible Type (‘Type Confusion’) CWE-843

Delta Electronics DRASimuCAD expects a specific data type when it opens files, but the program will accept data of the wrong type from specially crafted files.

CVE-2024-12836 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12836. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

rgod working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics will release a new version of DRASimuCAD in January 2025 to address these issues and recommends users install this update on all affected systems.

For more information, please see the Delta product cybersecurity advisory for these issues.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• January 10, 2025: Initial Publication