CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2025-6543 Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.  

CISA and Partners Urge Critical Infrastructure to Stay Vigilant in the Current Geopolitical Environment

Today, CISA, in collaboration with the Federal Bureau of Investigation (FBI), the Department of Defense Cyber Crime Center (DC3), and the National Security Agency (NSA), released a Fact Sheet urging organizations to remain vigilant against potential targeted cyber operations by Iranian state-sponsored or affiliated threat actors.
Over the past several months, there has been increasing activity from hacktivists and Iranian government-affiliated actors, which is expected to escalate due to recent events. These cyber actors often exploit targets of opportunity based on the use of unpatched or outdated software with known Common Vulnerabilities and Exposures or the use of default or common passwords on internet-connected accounts and devices.
At this time, we have not seen indications of a coordinated campaign of malicious cyber activity in the U.S. that can be attributed to Iran. However, CISA, FBI, DC3, and NSA strongly urge critical infrastructure asset owners and operators to implement the mitigations recommended in the joint Fact Sheet, which include: 

  • Identifying and disconnecting operational technology and industrial control systems devices from the public internet,
  • Protecting devices and accounts with strong, unique passwords,
  • Applying the latest software patches, and
  • Implementing phishing-resistant multifactor authentication for access to OT networks.

Review the joint Fact Sheet: Iranian Cyber Actors May Target Vulnerable US Networks and Entities of Interest and act now to understand the Iranian state-backed cyber threat, assess and mitigate cybersecurity weaknesses, and review and update incident response plans to strengthen your network against malicious cyber actors.  

TrendMakers Sight Bulb Pro

1. EXECUTIVE SUMMARY

  • CVSS v4 5.3
  • ATTENTION: Low attack complexity
  • Vendor: TrendMakers
  • Equipment: Sight Bulb Pro
  • Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to capture sensitive information and execute arbitrary shell commands on the target device as root if connected to the local network segment.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of the Sight Bulb Pro Firmware are affected:

  • Sight Bulb Pro Firmware ZJ_CG32-2201: Version 8.57.83 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327
During the initial setup of the device, the user connects to an access point broadcast by the Sight Bulb Pro. During the negotiation, AES encryption keys are passed in cleartext. If captured, an attacker may be able to decrypt communications between the management app and the Sight Bulb Pro, which may include sensitive information such as network credentials.
CVE-2025-6521 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-6521. A base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77
Unauthenticated users on a network adjacent to the Sight Bulb Pro can run shell commands as root through a vulnerable proprietary TCP protocol available on port 16668. This vulnerability allows an attacker to run arbitrary commands on the Sight Bulb Pro by passing a well-formed JSON string.
CVE-2025-6522 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:H/UI:R/S:U/C:L/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2025-6522. A base score of 5.2 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:H/UI:P/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N).
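The command-injection weakness above follows a generic pattern: a field from a client-supplied JSON message is spliced into a shell command line. The following added example is not TrendMakers' firmware and does not describe the proprietary Sight Bulb Pro protocol, which the advisory does not detail; the message shape {"cmd": ..., "arg": ...} and the led_ctl helper binary are assumptions made for illustration. It places the vulnerable string-building pattern beside an allowlisted argv builder that refuses anything outside a strict argument shape.

```python
"""A JSON command message handled two ways: spliced into a shell string
(the CWE-77 pattern) and, beside it, an allowlisted argv builder.

Added example, not TrendMakers firmware; the Sight Bulb Pro protocol is
proprietary and not described on the page. The message shape
{"cmd": ..., "arg": ...} and the 'led_ctl' helper binary are assumptions
made for illustration.
"""
import json
import re


def build_shell_command_unsafe(message: str) -> str:
    """Vulnerable pattern: returns the string a naive handler would pass to
    os.system()/shell=True. It is never executed here; it only shows that
    whatever the client puts in 'arg' reaches the shell verbatim."""
    msg = json.loads(message)
    return f"led_ctl --mode {msg['cmd']} --value {msg['arg']}"


# Hardened pattern: every verb is allowlisted and its argument must match a
# strict shape; anything else is refused before a process is spawned.
ALLOWED_COMMANDS = {
    "brightness": re.compile(r"(100|[1-9]?[0-9])"),   # integer 0..100
    "color":      re.compile(r"[0-9a-fA-F]{6}"),      # RRGGBB
    "power":      re.compile(r"on|off"),
}


def build_argv_safe(message: str) -> list:
    """Return an argv list for subprocess.run(argv) with no shell involved,
    or raise ValueError. The handler should also run as an unprivileged
    user rather than root, so a future parsing bug cannot own the device."""
    try:
        msg = json.loads(message)
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON: {exc}") from None
    if not isinstance(msg, dict):
        raise ValueError("message must be a JSON object")
    cmd, arg = msg.get("cmd"), msg.get("arg")
    if not isinstance(cmd, str) or cmd not in ALLOWED_COMMANDS:
        raise ValueError(f"unknown command: {cmd!r}")
    if not isinstance(arg, str) or not ALLOWED_COMMANDS[cmd].fullmatch(arg):
        raise ValueError(f"invalid argument for {cmd}: {arg!r}")
    return ["led_ctl", "--mode", cmd, "--value", arg]


if __name__ == "__main__":
    benign = '{"cmd": "brightness", "arg": "75"}'
    hostile = '{"cmd": "brightness", "arg": "75 && echo injected"}'
    print("unsafe builds:", build_shell_command_unsafe(hostile))
    print("safe builds:  ", build_argv_safe(benign))
    try:
        build_argv_safe(hostile)
    except ValueError as exc:
        print("safe rejects: ", exc)
```

The unsafe builder only returns a string and is never run; the hardened builder returns an argv list meant for subprocess.run without a shell, so the argument can never be reinterpreted as shell syntax. Running the listener under an unprivileged account is the second half of the fix: the advisory's "as root" impact comes from the process identity, not from the parsing bug alone.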
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Fahim Balouch reported these vulnerabilities to CISA.
4. MITIGATIONS
TrendMakers did not respond to CISA’s request for coordination. Contact TrendMakers directly for more information.
CISA recommends that device users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • The encryption key is sent in the clear only during the initial device setup, when the Sight Bulb Pro acts as an access point. Take appropriate physical security measures to minimize the risk of remote network captures or monitoring during that setup.
  • Utilize network monitoring or signature-based detection to monitor for malicious activity.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

  • June 26, 2025: Initial Publication

CISA Releases Two Industrial Control Systems Advisories

CISA released two Industrial Control Systems (ICS) advisories on June 26, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

  • ICSA-25-177-01 Mitsubishi Electric Air Conditioning Systems
  • ICSA-25-177-02 TrendMakers Sight Bulb Pro

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

Mitsubishi Electric Air Conditioning Systems

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: Air conditioning systems
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to control the air conditioning system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Mitsubishi Electric reports the following air conditioning systems are affected:

  • G-50: Ver.3.37 and prior
  • G-50-W: Ver.3.37 and prior
  • G-50A: Ver.3.37 and prior
  • GB-50: Ver.3.37 and prior
  • GB-50A: Ver.3.37 and prior
  • GB-24A: Ver.9.12 and prior
  • G-150AD: Ver.3.21 and prior
  • AG-150A-A: Ver.3.21 and prior
  • AG-150A-J: Ver.3.21 and prior
  • GB-50AD: Ver.3.21 and prior
  • GB-50ADA-A: Ver.3.21 and prior
  • GB-50ADA-J: Ver.3.21 and prior
  • EB-50GU-A: Ver.7.11 and prior
  • EB-50GU-J: Ver.7.11 and prior
  • AE-200J: Ver.8.01 and prior
  • AE-200A: Ver.8.01 and prior
  • AE-200E: Ver.8.01 and prior
  • AE-50J: Ver.8.01 and prior
  • AE-50A: Ver.8.01 and prior
  • AE-50E: Ver.8.01 and prior
  • EW-50J: Ver.8.01 and prior
  • EW-50A: Ver.8.01 and prior
  • EW-50E: Ver.8.01 and prior
  • TE-200A: Ver.8.01 and prior
  • TE-50A: Ver.8.01 and prior
  • TW-50A: Ver.8.01 and prior
  • CMS-RMD-J: Ver.1.40 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
An authentication bypass vulnerability exists in Mitsubishi Electric air conditioning systems. An attacker may bypass authentication to control the air conditioning systems illegally or disclose information from them by exploiting this vulnerability. In addition, the attacker may tamper with the firmware of the affected products using the disclosed information.
CVE-2025-3699 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3699. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
Mihály Csonka reported this vulnerability to Mitsubishi Electric.
4. MITIGATIONS
Mitsubishi Electric is currently preparing improved versions of the following products to mitigate this vulnerability: AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E, TE-200A, TE-50A, and TW-50A.
To minimize the exploitation risk of this vulnerability, make sure air conditioning systems are configured correctly as recommended by Mitsubishi Electric. Mitsubishi Electric recommends taking the following mitigation measures:

  • Restrict access to air conditioning systems from untrusted networks and hosts.
  • Restrict physical access to air conditioning systems, to computers that can access them, and to the network connected to them.
  • Use antivirus software and update the OS and the web browser to the latest version on computers that connect to air conditioning systems.
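Mitsubishi Electric's first mitigation, restricting access from untrusted networks and hosts, is the main compensating control while fixed versions are pending, because with a CWE-306 weakness a request that reaches the controller is not stopped by authentication. The following added example is not Mitsubishi Electric's code and does not describe the affected products' interfaces; the trusted networks, endpoint paths and log lines are constructed assumptions. It audits web-interface access-log lines for requests from outside the management network and ranks successful state-changing requests highest, which is how an operator can confirm from evidence that the restriction actually holds.

```python
"""Audit web-interface access-log lines from a building controller for
requests arriving from outside the approved management network.

Added example, not Mitsubishi Electric's code; the page does not describe
the affected products' interfaces. The trusted networks, endpoint paths and
log lines are constructed assumptions used to illustrate the 'restrict access
from untrusted networks and hosts' mitigation and how to verify it from logs.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed: the only sources allowed to reach the controller at all
# (a building-management VLAN and one jump host).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.30.0/24", "192.168.100.5/32")]

# Constructed: paths that change device state. With CWE-306 these accept
# requests without credentials, so reachability alone is the exposure.
CONTROL_PATHS = re.compile(r"/(control|setpoint|schedule|firmware)(/|$)")

# Common log format: client - user [timestamp] "METHOD path proto" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) - \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges standing in for untrusted sources.
SAMPLE_LOG = """\
10.20.30.7 - - [26/Jun/2025:10:01:12 +0000] "GET /status HTTP/1.1" 200
203.0.113.44 - - [26/Jun/2025:10:02:03 +0000] "POST /control/zone1 HTTP/1.1" 200
10.20.30.7 - - [26/Jun/2025:10:02:40 +0000] "POST /setpoint/zone2 HTTP/1.1" 200
198.51.100.9 - - [26/Jun/2025:10:03:15 +0000] "GET /status HTTP/1.1" 200
192.168.100.5 - - [26/Jun/2025:10:04:00 +0000] "POST /firmware/upload HTTP/1.1" 200
garbage line that does not parse
"""


@dataclass(frozen=True)
class Alert:
    ip: str
    method: str
    path: str
    status: int
    severity: str   # "high": state-changing request succeeded from an untrusted source


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def audit(log_text: str) -> list:
    """Flag every request from an untrusted source; rank successful requests
    to state-changing paths highest."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # unparseable line; a production tool should count these
        if is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        hit_control = CONTROL_PATHS.match(m["path"]) is not None
        severity = "high" if hit_control and 200 <= status < 300 else "medium"
        alerts.append(Alert(m["ip"], m["method"], m["path"], status, severity))
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.ip:15} {a.method} {a.path} -> {a.status}")
```

A "high" alert here means an untrusted host not only reached the controller but had a state-changing request answered with success, which on an unpatched unit is exactly the scenario the advisory describes; the firewall or ACL in front of the device, not the controller's own login page, is what should have produced a refusal.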

See Mitsubishi Electric’s security bulletin for more information.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

  • June 26, 2025: Initial Republication of Mitsubishi Electric 2025-004.

CISA Adds Three Known Exploited Vulnerabilities to Catalog

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2024-54085 AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability
  • CVE-2024-0769 D-Link DIR-859 Router Path Traversal Vulnerability
  • CVE-2019-6693 Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 
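Both KEV notices in this digest (the CVE-2025-6543 addition and the three additions above) ask organizations to fold catalog entries into their vulnerability management practice. The following added example is not CISA's code; it shows one way to do that by cross-checking an asset inventory against KEV records and reporting which assets are past their BOD 22-01 due date. The record field names follow the public KEV JSON feed's schema as the author knows it; the records, inventory and dates are constructed sample data (the due dates are placeholders, not the catalog's real dates), and the vendor/product matching rule is an assumption for illustration.

```python
"""Cross-check an asset inventory against Known Exploited Vulnerabilities
(KEV) records and report BOD 22-01 remediation status.

Added example, not CISA's code. Field names follow the public KEV JSON
feed's schema as known to the author; the records, dates and inventory are
constructed sample data.
"""
import json
from dataclasses import dataclass
from datetime import date

# Constructed sample feed. The CVE ids and names are the entries from this
# digest; dateAdded/dueDate are PLACEHOLDER values, not the catalog's dates.
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample, not the live catalog",
    "vulnerabilities": [
        {"cveID": "CVE-2025-6543", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway",
         "vulnerabilityName": "Citrix NetScaler ADC and Gateway Buffer Overflow Vulnerability",
         "dateAdded": "2025-06-30", "dueDate": "2025-07-21",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-54085", "vendorProject": "AMI", "product": "MegaRAC SPx",
         "vulnerabilityName": "AMI MegaRAC SPx Authentication Bypass by Spoofing Vulnerability",
         "dateAdded": "2025-06-25", "dueDate": "2025-07-16",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-0769", "vendorProject": "D-Link", "product": "DIR-859 Router",
         "vulnerabilityName": "D-Link DIR-859 Router Path Traversal Vulnerability",
         "dateAdded": "2025-06-25", "dueDate": "2025-07-16",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2019-6693", "vendorProject": "Fortinet", "product": "FortiOS",
         "vulnerabilityName": "Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability",
         "dateAdded": "2025-06-25", "dueDate": "2025-07-16",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory: vendor/product strings are maintained by the asset
# owner; 'remediated' lists CVEs already patched or mitigated on that asset.
INVENTORY = [
    {"asset": "vpn-gw-01", "vendor": "Citrix", "product": "NetScaler ADC", "remediated": []},
    {"asset": "bmc-rack7", "vendor": "AMI", "product": "MegaRAC SPx", "remediated": []},
    {"asset": "fw-edge-02", "vendor": "Fortinet", "product": "FortiOS", "remediated": ["CVE-2019-6693"]},
    {"asset": "core-sw-01", "vendor": "Cisco", "product": "IOS XE", "remediated": []},
]


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    name: str
    due: date
    days_remaining: int          # negative once the due date has passed
    ransomware_use: str

    @property
    def overdue(self) -> bool:
        return self.days_remaining < 0


def product_matches(asset: dict, record: dict) -> bool:
    """Assumed matching rule: same vendor (case-insensitive) and one product
    string contained in the other. Real inventories need a curated mapping."""
    if asset["vendor"].casefold() != record["vendorProject"].casefold():
        return False
    a, k = asset["product"].casefold(), record["product"].casefold()
    return a in k or k in a


def kev_findings(kev_json: str, inventory: list, today) -> list:
    """Return one Finding per (asset, CVE) pair still needing remediation,
    most urgent first: overdue items, then the nearest due dates.
    'today' may be a date or an ISO-8601 string."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    findings = []
    for rec in json.loads(kev_json)["vulnerabilities"]:
        due = date.fromisoformat(rec["dueDate"])
        for asset in inventory:
            if rec["cveID"] in asset["remediated"] or not product_matches(asset, rec):
                continue
            findings.append(Finding(asset["asset"], rec["cveID"], rec["vulnerabilityName"],
                                    due, (due - today).days,
                                    rec.get("knownRansomwareCampaignUse", "Unknown")))
    findings.sort(key=lambda f: (not f.overdue, f.days_remaining))
    return findings


if __name__ == "__main__":
    for f in kev_findings(SAMPLE_KEV_JSON, INVENTORY, date(2025, 7, 18)):
        state = "OVERDUE" if f.overdue else f"due in {f.days_remaining}d"
        print(f"{f.asset:12} {f.cve:16} {state:12} {f.name}")
```

In practice the feed is refreshed on a schedule and the inventory comes from a CMDB or scanner export; the value of the check is the ordering, since it turns a catalog of hundreds of entries into the handful of assets an organization must act on first.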

New Guidance Released for Reducing Memory-Related Vulnerabilities

Today, CISA, in partnership with the National Security Agency (NSA), released a joint guide on reducing memory-related vulnerabilities in modern software development.
Memory safety vulnerabilities pose serious risks to national security and critical infrastructure. Adopting memory safe languages (MSLs) offers the most comprehensive mitigation against this class of vulnerabilities and provides built-in safeguards that enhance security by design. 
CISA’s Secure by Design program advocates for integrating proactive security measures throughout the software development lifecycle, with MSLs as a central component. Consistent support for MSLs underscores their benefits for national security and resilience by reducing exploitable flaws before products reach users. 
This joint guide outlines key challenges to adopting MSLs, offers practical approaches for overcoming them, and highlights important considerations for organizations seeking to transition toward more secure software development practices. Organizations in academia, U.S. government, and private industry are encouraged to review this guidance and support adoption of MSLs.  
In addition to the product published today, CISA and the NSA previously released the joint guide, The Case for Memory Safe Roadmaps. To learn more about memory safety, visit Secure by Design on CISA.gov. 
Please share your thoughts with us via our anonymous product survey; we welcome your feedback. 

MICROSENS NMP Web+

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: MICROSENS
  • Equipment: NMP Web+
  • Vulnerabilities: Use of Hard-coded, Security-relevant Constants, Insufficient Session Expiration, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain system access, overwrite files or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of NMP Web+ are affected:

  • NMP Web+: Version 3.2.5 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS CWE-547
The affected products could allow an unauthenticated attacker to generate forged JSON Web Tokens (JWT) to bypass authentication.
CVE-2025-49151 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-49151. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.2 INSUFFICIENT SESSION EXPIRATION CWE-613
The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.
CVE-2025-49152 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-49152. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
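The two weaknesses above compound each other: a signing key baked into the shipped product lets anyone who can read the binary mint tokens, and a token with no expiry stays valid once minted. The following is an added example, not MICROSENS code, and makes no claim about how NMP Web+ is implemented; it shows the generic pattern with a minimal HS256 JWT issuer and two verifiers. The key `HARDCODED_KEY`, the claims and the timestamps are constructed for illustration.

```python
"""Added example: hard-coded JWT key (CWE-547) and missing expiry (CWE-613),
with a hardened verifier beside the weak one. Not vendor code."""
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Hypothetical key of the kind a vendor might compile into a product binary.
HARDCODED_KEY = b"changeme-product-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256 token over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt_weak(token: str) -> Optional[dict]:
    """Vulnerable verifier: static key shared by every installation, no expiry check."""
    header, payload, sig = token.split(".")
    expected = hmac.new(HARDCODED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def verify_jwt_hardened(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Hardened verifier: per-deployment key, fixed algorithm, 'exp' required and enforced."""
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # never let the token choose the algorithm ('none', key confusion)
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(payload))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # a missing or past 'exp' is a rejection, not a pass
    return claims


def demo() -> dict:
    """Which verifier accepts which token (constructed scenario)."""
    # Attacker who extracted HARDCODED_KEY from the product forges an admin token with no expiry.
    forged = sign_jwt({"sub": "admin", "role": "admin"}, HARDCODED_KEY)
    # Hardened deployment: key generated at install time, token lives 15 minutes.
    deploy_key = os.urandom(32)
    issued_at = 1_700_000_000
    legit = sign_jwt({"sub": "operator", "exp": issued_at + 900}, deploy_key)
    return {
        "weak_accepts_forged": verify_jwt_weak(forged) is not None,
        "hardened_rejects_forged": verify_jwt_hardened(forged, deploy_key, now=issued_at) is None,
        "hardened_accepts_fresh": verify_jwt_hardened(legit, deploy_key, now=issued_at + 60) is not None,
        "hardened_rejects_expired": verify_jwt_hardened(legit, deploy_key, now=issued_at + 901) is None,
    }


if __name__ == "__main__":
    print(demo())
```

Note that a per-deployment key alone does not close the session-expiry issue, and an expiry alone does not help when the key is public: both changes are needed, and existing tokens should be invalidated (key rotation) when the fixed version is deployed.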
3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
The affected products could allow an unauthenticated attacker to overwrite files and execute arbitrary code.
CVE-2025-49153 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-49153. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
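The file-overwrite path described above is the classic consequence of joining a client-supplied name onto a server directory without a containment check. The following added example, which is not MICROSENS code and does not reproduce the product's actual handling, shows the unsafe join beside a canonicalize-and-contain check; the directory name and the traversal inputs are constructed for illustration.

```python
"""Added example: path traversal (CWE-22) in a file-write path, unsafe and hardened forms.
Not vendor code."""
import os
import tempfile
from typing import Optional


def unsafe_target(base_dir: str, client_name: str) -> str:
    """Vulnerable: os.path.join discards base_dir when client_name is absolute,
    and '../' segments walk out of it."""
    return os.path.normpath(os.path.join(base_dir, client_name))


def safe_target(base_dir: str, client_name: str) -> Optional[str]:
    """Hardened: canonicalize both sides and require the result to stay inside base_dir.
    Returns None for any escape attempt."""
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, client_name))
    # commonpath is the robust containment test; a plain startswith() would
    # accept '/srv/uploads_evil/x' as being inside '/srv/uploads'.
    try:
        if os.path.commonpath([root, candidate]) != root:
            return None
    except ValueError:  # mixed absolute/relative or different drives on Windows
        return None
    return candidate


def demo() -> dict:
    """Constructed inputs against a scratch directory; no files are written."""
    base = os.path.join(tempfile.gettempdir(), "demo_uploads")
    os.makedirs(base, exist_ok=True)
    root = os.path.realpath(base)
    escape = "../../etc/cron.d/backdoor"  # constructed traversal input
    absolute = "/etc/passwd"              # constructed absolute-path input
    benign = "report.csv"
    return {
        "unsafe_escapes": not unsafe_target(base, escape).startswith(root + os.sep),
        "unsafe_absolute": unsafe_target(base, absolute) == os.path.normpath(absolute),
        "safe_rejects_escape": safe_target(base, escape) is None,
        "safe_rejects_absolute": safe_target(base, absolute) is None,
        "safe_keeps_benign": safe_target(base, benign) == os.path.join(root, benign),
    }


if __name__ == "__main__":
    print(demo())
```

The check runs after `realpath`, so a symlink planted inside the upload directory that points outside it is also rejected; that is the case a lexical `..` filter misses.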
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Tomer Goldschmidt and Noam Moshe of Claroty Team82 reported these vulnerabilities to CISA.
The German Federal Office for Information Security (BSI) CERT-Bund assisted coordination with MICROSENS.
4. MITIGATIONS
MICROSENS recommends that users update to NMP Web+ Version 3.3.0 for Windows and Linux.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as the devices connected to it.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

  • June 24, 2025: Initial Publication

ControlID iDSecure On-Premises

View CSAF
1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ControlID
  • Equipment: iDSecure On-premises
  • Vulnerabilities: Improper Authentication, Server-Side Request Forgery (SSRF), SQL Injection

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, retrieve information, leak arbitrary data, or perform SQL injections.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of ControlID iDSecure On-premises, vehicle access control software, are affected:

  • iDSecure On-premises: Versions 4.7.48.0 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER AUTHENTICATION CWE-287
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an Improper Authentication vulnerability which could allow an attacker to bypass authentication and gain permissions in the product.
CVE-2025-49851 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-49851. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a Server-Side Request Forgery vulnerability which could allow an unauthenticated attacker to retrieve information from other servers.
CVE-2025-49852 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-49852. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
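An SSRF of the kind described above turns the product's own outbound HTTP client into a proxy for reaching hosts the attacker cannot reach directly: internal management interfaces, cloud metadata endpoints, loopback services. The added example below is not ControlID code and says nothing about how iDSecure builds its requests; it shows the pre-request validation a practitioner would want in front of any caller-supplied URL. The allowlist `ALLOWED_HOSTS` and the sample URLs are constructed, and nothing is fetched.

```python
"""Added example: validating a caller-supplied URL before a server-side fetch (CWE-918).
Not vendor code; no network access is performed."""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"feeds.example.net"}  # hypothetical allowlist of permitted upstream hosts


def classify_target(url: str) -> str:
    """Returns 'allowed', or a short reason the URL must not be fetched."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return "scheme"  # file://, gopher://, ftp:// and friends
    host = parts.hostname
    if not host:
        return "no-host"
    if parts.username or parts.password:
        return "userinfo"  # 'http://feeds.example.net@10.0.0.5/' reads as the allowed host
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # a hostname, not an IP literal
    if addr is not None and (
        addr.is_private or addr.is_loopback or addr.is_link_local
        or addr.is_reserved or addr.is_unspecified
    ):
        return "internal-ip"  # RFC 1918, 127/8, 169.254.169.254 metadata, ::1, 0.0.0.0
    if host.lower() not in ALLOWED_HOSTS:
        return "not-allowlisted"
    return "allowed"


def demo() -> dict:
    """Constructed URLs of the shapes an SSRF probe typically uses."""
    samples = [
        "https://feeds.example.net/status",
        "http://169.254.169.254/latest/meta-data/",
        "http://127.0.0.1:8080/admin",
        "http://[::1]/",
        "file:///etc/passwd",
        "http://feeds.example.net@10.0.0.5/",
        "https://intranet.corp.local/",
    ]
    return {u: classify_target(u) for u in samples}


if __name__ == "__main__":
    for url, verdict in demo().items():
        print(f"{verdict:16} {url}")
```

The allowlist is the control that matters; the IP-literal checks are defence in depth. Because this code does not resolve names, a hostname on the allowlist that later resolves to an internal address (DNS rebinding) is not caught here; the fetch layer must additionally check the address it actually connects to and must not follow redirects to unvalidated targets.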
3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND (‘SQL INJECTION’) CWE-89
ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries.
CVE-2025-49853 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-49853. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
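"Leak arbitrary information and insert arbitrary SQL syntax" is what a single string-concatenated query gives an attacker. The added example below is not ControlID code and does not model iDSecure's schema or queries; it runs a constructed lookup against an in-memory SQLite table so the difference between concatenation and parameter binding is visible offline. The table, rows and injection strings are constructed for illustration.

```python
"""Added example: SQL injection (CWE-89) via string concatenation, beside the
parameterized form, against constructed in-memory data. Not vendor code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table standing in for an access-control record store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, badge TEXT, plate TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "B-1001", "ABC1234"), ("bob", "B-1002", "XYZ9876")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, plate: str) -> list:
    """Vulnerable: attacker-controlled text is parsed as part of the statement."""
    sql = f"SELECT name, badge FROM users WHERE plate = '{plate}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, plate: str) -> list:
    """Hardened: the value is bound by the driver and can never become syntax."""
    return conn.execute("SELECT name, badge FROM users WHERE plate = ?", (plate,)).fetchall()


def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"                                  # constructed: returns every row
    union = "' UNION SELECT name, sql FROM sqlite_master--"     # constructed: reads the schema
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, tautology)),
        "union_leaks_schema": any(r[0] == "users" for r in lookup_vulnerable(conn, union)),
        "parameterized_rows": len(lookup_parameterized(conn, tautology)),
        "normal_rows": len(lookup_parameterized(conn, "ABC1234")),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized lookup returns nothing for the injection strings because it searches for a plate literally equal to them. Escaping quotes by hand is not an acceptable substitute: the fix is binding, applied to every query that touches user input, not only the one reported.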
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Brazil

3.4 RESEARCHER
Noam Moshe of Claroty Team82 reported these vulnerabilities to CISA.
4. MITIGATIONS
ControlID has released the following versions for users to update:

  • iDSecure On-premises: Version 4.7.50.0

For more information, contact ControlID.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as the devices connected to it.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

  • June 24, 2025: Initial Publication

Parsons AccuWeather Widget

View CSAF
1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Parsons
  • Equipment: AccuWeather and Custom RSS widget
  • Vulnerability: Cross-site Scripting

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to insert a malicious link that users might access through the RSS feed.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of the AccuWeather and Custom RSS widget are affected:

  • Parsons Utility Enterprise Data Management: Version 5.18
  • Parsons Utility Enterprise Data Management: Version 5.03
  • Parsons Utility Enterprise Data Management: Versions 4.02 through 4.26
  • Parsons Utility Enterprise Data Management: Version 3.30
  • AclaraONE Utility Portal: versions prior to 1.22

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widget that allows an unauthenticated user to replace the RSS feed URL with a malicious one.
CVE-2025-5015 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-5015. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
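The advisory's root cause is that an unauthenticated user can change the widget's feed URL; the first fix is to require authentication and authorization for that configuration change, which no rendering code can substitute for. Independently of that, a widget that turns feed content into HTML must treat every title and link as hostile. The added example below is not Parsons or Aclara code and does not reproduce the widget; it shows the output-side control a practitioner would check for: an allowlist of link schemes and HTML escaping of text and attributes. The feed items are constructed for illustration.

```python
"""Added example: rendering untrusted RSS items without cross-site scripting (CWE-79).
Not vendor code; the feed items are constructed."""
import html
from typing import Iterable, Tuple
from urllib.parse import urlsplit

SAFE_LINK_SCHEMES = ("http", "https")


def safe_href(url: str) -> str:
    """Allow only http(s) links with a host; anything else (javascript:, data:,
    vbscript:, scheme-less junk) is replaced by an inert '#'. The surviving URL is
    attribute-escaped so a quote or '>' inside it cannot close the attribute."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() not in SAFE_LINK_SCHEMES or not parts.netloc:
        return "#"
    return html.escape(url.strip(), quote=True)


def render_item(title: str, link: str) -> str:
    """One list entry; title is escaped as text, link as an attribute value."""
    return (
        f'<li><a href="{safe_href(link)}" rel="noopener noreferrer">'
        f"{html.escape(title, quote=True)}</a></li>"
    )


def render_feed(items: Iterable[Tuple[str, str]]) -> str:
    return "<ul>" + "".join(render_item(title, link) for title, link in items) + "</ul>"


def demo() -> str:
    """Constructed feed: one benign item and two that try to inject script."""
    items = [
        ("Storm warning for tonight", "https://weather.example.org/alerts/1"),
        ("<script>alert(document.cookie)</script>", "javascript:alert(1)"),
        ('Click "here"', 'https://evil.example.org/?q="><img src=x onerror=alert(1)>'),
    ]
    return render_feed(items)


if __name__ == "__main__":
    print(demo())
```

Escaping at render time is context-specific: the same string needs different treatment inside an attribute, inside element text, or inside a script block. A template engine with auto-escaping covers the first two; links still need the scheme check, because `javascript:` survives HTML escaping unchanged.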
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Joshua Dillon reported this vulnerability to CISA.
4. MITIGATIONS

  • Parsons Utility Enterprise Data Management Users – This vulnerability has been patched in all instances managed by Parsons as of January 7, 2025. No end-user action is required.
  • AclaraONE Hosted Users – This vulnerability has been patched in all instances managed by Aclara as of February 7, 2025. No end-user action is required.
  • AclaraONE On Premise Users – End-user action is required. A patch and mitigation information for AclaraONE are available through the Aclara Connect Customer Portal. Users who prefer assistance may request an appointment to apply the patch by opening a ticket on the Aclara Connect Customer Portal, or by contacting Aclara Support by phone or email. Requests will be processed in the order received.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available, and that a VPN is only as secure as the devices connected to it.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

  • June 24, 2025: Initial Publication
