Author: itwadmin-security

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Exploitable from adjacent network/low attack complexity
Vendor: Siemens
Equipment: SCALANCE LPE9403
Vulnerabilities: Incorrect Permission Assignment for Critical Resource, Path Traversal: ‘…/…//’, Use of Uninitialized Variable, NULL Pointer Dereference, Out-of-bounds Read, Stack-based Buffer Overflow, Authentication Bypass Using an Alternate Path or Channel, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Cleartext Transmission of Sensitive Information

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could affect the confidentiality, integrity, and availability of affected devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

SCALANCE LPE9403 (6GK5998-3GS00-2AC2): All versions (CVE-2025-40572, CVE-2025-40573, CVE-2025-40574, CVE-2025-40575, CVE-2025-40576, CVE-2025-40577, CVE-2025-40578, CVE-2025-40579, CVE-2025-40580)
SCALANCE LPE9403 (6GK5998-3GS00-2AC2): All versions (CVE-2025-40581, CVE-2025-40582, CVE-2025-40583)

3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
Affected devices do not properly assign permissions to critical resources. This could allow a non-privileged local attacker to access sensitive information stored on the device.
CVE-2025-40572 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-40572. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.2 PATH TRAVERSAL: ‘…/…//’ CWE-35
Affected devices are vulnerable to path traversal attacks. This could allow a privileged local attacker to restore backups that are outside the backup folder.
CVE-2025-40573 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been assigned; the CVSS vector string is(CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-40573. A base score of 6.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.3 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
Affected devices do not properly assign permissions to critical resources. This could allow a non-privileged local attacker to interact with the backup manager service.
CVE-2025-40574 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-40574. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.4 USE OF UNINITIALIZED VARIABLE CWE-457
Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.
CVE-2025-40575 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2025-40574. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.2.5 NULL POINTER DEREFERENCE CWE-476
Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.
CVE-2025-40576 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2025-40576. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.2.6 OUT-OF-BOUNDS READ CWE-125
Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.
CVE-2025-40577 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2025-40577. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.2.7 OUT-OF-BOUNDS READ CWE-125
Affected devices do not properly handle multiple incoming Profinet packets received in rapid succession. An unauthenticated remote attacker can exploit this flaw by sending multiple packets in a very short time frame, which leads to a crash of the dcpd process.
CVE-2025-40578 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2025-40578. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.2.8 STACK-BASED BUFFER OVERFLOW CWE-121
Affected devices are vulnerable to a stack-based buffer overflow. This could allow a non-privileged local attacker to execute arbitrary code on the device or to cause a denial of service condition.
CVE-2025-40579 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-40579. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.9 STACK-BASED BUFFER OVERFLOW CWE-121
Affected devices are vulnerable to a stack-based buffer overflow. This could allow a non-privileged local attacker to execute arbitrary code on the device or to cause a denial of service condition.
CVE-2025-40580 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-40580. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.10 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288
Affected devices are vulnerable to an authentication bypass. This could allow a non-privileged local attacker to bypass the authentication of the SINEMA Remote Connect Edge Client, and to read and modify the configuration parameters.
CVE-2025-40581 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-40581. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.11 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
Affected devices do not properly sanitize configuration parameters. This could allow a non-privileged local attacker to execute root commands on the device.
CVE-2025-40582 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-40582. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.12 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
Affected devices do transmit sensitive information in cleartext. This could allow a privileged local attacker to retrieve this sensitive information.
CVE-2025-40583 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-40583. A base score of 6.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Luca Borzacchiello from Nozomi Networks reported these vulnerabilities to Siemens.Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Currently no fix is available
SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40572, CVE-2025-40573, CVE-2025-40574, CVE-2025-40579, CVE-2025-40580, CVE-2025-40581, CVE-2025-40582, CVE-2025-40583): Restrict access to authorized and trusted personal only
SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40575, CVE-2025-40576, CVE-2025-40577, CVE-2025-40578): Disable the Profinet Discovery and Configuration Protocol (DCP) service
SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40582): Only use trusted SINEMA Remote Connect Servers

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-327438 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

May 15, 2025: Initial Republication of Siemens SSA-327438 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Exploitable from adjacent network/low attack complexity
• Vendor: Siemens
• Equipment: SCALANCE LPE9403
• Vulnerabilities: Incorrect Permission Assignment for Critical Resource, Path Traversal: ‘…/…//’, Use of Uninitialized Variable, NULL Pointer Dereference, Out-of-bounds Read, Stack-based Buffer Overflow, Authentication Bypass Using an Alternate Path or Channel, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could affect the confidentiality, integrity, and availability of affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SCALANCE LPE9403 (6GK5998-3GS00-2AC2): All versions (CVE-2025-40572, CVE-2025-40573, CVE-2025-40574, CVE-2025-40575, CVE-2025-40576, CVE-2025-40577, CVE-2025-40578, CVE-2025-40579, CVE-2025-40580)
• SCALANCE LPE9403 (6GK5998-3GS00-2AC2): All versions (CVE-2025-40581, CVE-2025-40582, CVE-2025-40583)

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

Affected devices do not properly assign permissions to critical resources. This could allow a non-privileged local attacker to access sensitive information stored on the device.

CVE-2025-40572 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40572. A base score of 6.8 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 PATH TRAVERSAL: ‘…/…//’ CWE-35

Affected devices are vulnerable to path traversal attacks. This could allow a privileged local attacker to restore backups that are outside the backup folder.

CVE-2025-40573 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been assigned; the CVSS vector string is
(CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40573. A base score of 6.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.3 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

Affected devices do not properly assign permissions to critical resources. This could allow a non-privileged local attacker to interact with the backup manager service.

CVE-2025-40574 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40574. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 USE OF UNINITIALIZED VARIABLE CWE-457

Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.

CVE-2025-40575 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40574. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.5 NULL POINTER DEREFERENCE CWE-476

Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.

CVE-2025-40576 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40576. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.6 OUT-OF-BOUNDS READ CWE-125

Affected devices do not properly validate incoming Profinet packets. An unauthenticated remote attacker can exploit this flaw by sending a specially crafted malicious packet, which leads to a crash of the dcpd process.

CVE-2025-40577 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40577. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.7 OUT-OF-BOUNDS READ CWE-125

Affected devices do not properly handle multiple incoming Profinet packets received in rapid succession. An unauthenticated remote attacker can exploit this flaw by sending multiple packets in a very short time frame, which leads to a crash of the dcpd process.

CVE-2025-40578 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-40578. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.8 STACK-BASED BUFFER OVERFLOW CWE-121

Affected devices are vulnerable to a stack-based buffer overflow. This could allow a non-privileged local attacker to execute arbitrary code on the device or to cause a denial of service condition.

CVE-2025-40579 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40579. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 STACK-BASED BUFFER OVERFLOW CWE-121

Affected devices are vulnerable to a stack-based buffer overflow. This could allow a non-privileged local attacker to execute arbitrary code on the device or to cause a denial of service condition.

CVE-2025-40580 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40580. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.10 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

Affected devices are vulnerable to an authentication bypass. This could allow a non-privileged local attacker to bypass the authentication of the SINEMA Remote Connect Edge Client, and to read and modify the configuration parameters.

CVE-2025-40581 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40581. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.11 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

Affected devices do not properly sanitize configuration parameters. This could allow a non-privileged local attacker to execute root commands on the device.

CVE-2025-40582 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40582. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.12 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Affected devices do transmit sensitive information in cleartext. This could allow a privileged local attacker to retrieve this sensitive information.

CVE-2025-40583 has been assigned to this vulnerability. A CVSS v3 base score of 4.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40583. A base score of 6.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Luca Borzacchiello from Nozomi Networks reported these vulnerabilities to Siemens.
Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SCALANCE LPE9403 (6GK5998-3GS00-2AC2): Currently no fix is available
• SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40572, CVE-2025-40573, CVE-2025-40574, CVE-2025-40579, CVE-2025-40580, CVE-2025-40581, CVE-2025-40582, CVE-2025-40583): Restrict access to authorized and trusted personal only
• SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40575, CVE-2025-40576, CVE-2025-40577, CVE-2025-40578): Disable the Profinet Discovery and Configuration Protocol (DCP) service
• SCALANCE LPE9403 (6GK5998-3GS00-2AC2)(CVE-2025-40582): Only use trusted SINEMA Remote Connect Servers

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-327438 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• May 15, 2025: Initial Republication of Siemens SSA-327438

 Read More

 ​CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2025-32756 Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

​Microsoft on Tuesday released software updates to fix at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already seeing active exploitation. Adding to the sense of urgency with this month’s patch batch from Redmond are fixes for two other weaknesses that now have public proof-of-concept exploits available. 

Microsoft on Tuesday released software updates to fix at least 70 vulnerabilities in Windows and related products, including five zero-day flaws that are already seeing active exploitation. Adding to the sense of urgency with this month’s patch batch from Redmond are fixes for two other weaknesses that now have public proof-of-concept exploits available.

Microsoft and several security firms have disclosed that attackers are exploiting a pair of bugs in the Windows Common Log File System (CLFS) driver that allow attackers to elevate their privileges on a vulnerable device. The Windows CLFS is a critical Windows component responsible for logging services, and is widely used by Windows system services and third-party applications for logging. Tracked as CVE-2025-32701 & CVE-2025-32706, these flaws are present in all supported versions of Windows 10 and 11, as well as their server versions.

Kev Breen, senior director of threat research at Immersive Labs, said privilege escalation bugs assume an attacker already has initial access to a compromised host, typically through a phishing attack or by using stolen credentials. But if that access already exists, Breen said, attackers can gain access to the much more powerful Windows SYSTEM account, which can disable security tooling or even gain domain administration level permissions using credential harvesting tools.

“The patch notes don’t provide technical details on how this is being exploited, and no Indicators of Compromise (IOCs) are shared, meaning the only mitigation security teams have is to apply these patches immediately,” he said. “The average time from public disclosure to exploitation at scale is less than five days, with threat actors, ransomware groups, and affiliates quick to leverage these vulnerabilities.”

Two other zero-days patched by Microsoft today also were elevation of privilege flaws: CVE-2025-32709, which concerns afd.sys, the Windows Ancillary Function Driver that enables Windows applications to connect to the Internet; and CVE-2025-30400, a weakness in the Desktop Window Manager (DWM) library for Windows. As Adam Barnett at Rapid7 notes, tomorrow marks the one-year anniversary of CVE-2024-30051, a previous zero-day elevation of privilege vulnerability in this same DWM component.

The fifth zero-day patched today is CVE-2025-30397, a flaw in the Microsoft Scripting Engine, a key component used by Internet Explorer and Internet Explorer mode in Microsoft Edge.

Chris Goettl at Ivanti points out that the Windows 11 and Server 2025 updates include some new AI features that carry a lot of baggage and weigh in at around 4 gigabytes. Said baggage includes new artificial intelligence (AI) capabilities, including the controversial Recall feature, which constantly takes screenshots of what users are doing on Windows CoPilot-enabled computers.

Microsoft went back to the drawing board on Recall after a fountain of negative feedback from security experts, who warned it would present an attractive target and a potential gold mine for attackers. Microsoft appears to have made some efforts to prevent Recall from scooping up sensitive financial information, but privacy and security concerns still linger. Former Microsoftie Kevin Beaumont has a good teardown on Microsoft’s updates to Recall.

In any case, windowslatest.com reports that Windows 11 version 24H2 shows up ready for downloads, even if you don’t want it.

“It will now show up for ‘download and install’ automatically if you go to Settings > Windows Update and click Check for updates, but only when your device does not have a compatibility hold,” the publication reported. “Even if you don’t check for updates, Windows 11 24H2 will automatically download at some point.”

Apple users likely have their own patching to do. On May 12 Apple released security updates to fix at least 30 vulnerabilities in iOS and iPadOS (the updated version is 18.5). TechCrunch writes that iOS 18.5 also expands emergency satellite capabilities to iPhone 13 owners for the first time (previously it was only available on iPhone 14 or later).

Apple also released updates for macOS Sequoia, macOS Sonoma, macOS Ventura, WatchOS, tvOS and visionOS. Apple said there is no indication of active exploitation for any of the vulnerabilities fixed this month.

As always, please back up your device and/or important data before attempting any updates. And please feel free to sound off in the comments if you run into any problems applying any of these fixes.

 

​Read More

 ​CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2025-30400 Microsoft Windows DWM Core Library Use-After-Free Vulnerability
• CVE-2025-32701 Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability
• CVE-2025-32706 Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability
• CVE-2025-30397 Microsoft Windows Scripting Engine Type Confusion Vulnerability
• CVE-2025-32709 Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: ABB
Equipment: Automation Builder
Vulnerabilities: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to overrule the Automation Builder’s user management.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Automation Builder are affected:

Automation Builder: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
The affected products store all user management information in the project file. Despite the password data being fully encrypted, an attacker could try to modify parts of the Automation Builder project file by specially crafting contents so the user management will be overruled.
CVE-2025-3394 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3394. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732
Automation Builder projects, including AC500 V2 or SM560-S devices, contain the application files for these devices. An attacker could try to modify parts of these files so the project can be changed by overruling the Automation Builder user management.
CVE-2025-3395 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-3395. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Jiho Shin from Sungkyunkwan University reported these vulnerabilities to CISA.
4. MITIGATIONS
ABB recommends users apply the following workarounds:
For CVE-2025-3394:

In the project settings, set “Security” to “Integrity” check.

For CVE-2025-3395:

In the project settings, set “Security” to “Encryption.”

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

May 13, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: ABB
• Equipment: Automation Builder
• Vulnerabilities: Incorrect Permission Assignment for Critical Resource

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to overrule the Automation Builder’s user management.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Automation Builder are affected:

• Automation Builder: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

The affected products store all user management information in the project file. Despite the password data being fully encrypted, an attacker could try to modify parts of the Automation Builder project file by specially crafting contents so the user management will be overruled.

CVE-2025-3394 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3394. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 INCORRECT PERMISSION ASSIGNMENT FOR CRITICAL RESOURCE CWE-732

Automation Builder projects, including AC500 V2 or SM560-S devices, contain the application files for these devices. An attacker could try to modify parts of these files so the project can be changed by overruling the Automation Builder user management.

CVE-2025-3395 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-3395. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Jiho Shin from Sungkyunkwan University reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB recommends users apply the following workarounds:

For CVE-2025-3394:

• In the project settings, set “Security” to “Integrity” check.

For CVE-2025-3395:

• In the project settings, set “Security” to “Encryption.”

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• May 13, 2025: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.4
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: MACH GWS products
Vulnerabilities: Improper Neutralization of Special Elements in Data Query Logic, Improper Limitation of a Pathname to a Restricted Directory, Authentication Bypass by Capture-replay, Missing Authentication for Critical Function

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to inject code, read or modify files, hijack user sessions, or access exposed ports without authentication.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Hitachi Energy products are affected:

MACH GWS: Version 2.1.0.0 (CVE-2024-4872, CVE-2024-3980)
MACH GWS: Versions 2.2.0.0 to 2.4.0.0 (CVE-2024-4872, CVE-2024-3980)
MACH GWS: Versions 3.0.0.0 to 3.3.0.0 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982)
MACH GWS: Versions 3.1.0.0 to 3.3.0.0 (CVE-2024-7940)

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943
A vulnerability exists in the query validation of the MACH GWS product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.
CVE-2024-4872 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-4872. A base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
The MACH GWS product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.
CVE-2024-3980 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-3980. A base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294
An attacker with local access to machine where MACH GWS is installed, could enable the session logging supporting the product and try to exploit a session hijacking of an already established session.
Note: By default, the session logging level is not enabled and only users with administrator rights can enable it.
CVE-2024-3982 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-3982. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The MACH GWS product exposes a service that is intended for local only to all network interfaces without any authentication.
CVE-2024-7940 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-7940. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 PRODUCT IMPACT
Additional product-specific impact for MACH GWS 2 affected product vulnerable to the CVE:

CVE-2024-4872
(Hitachi Energy MACH GWS 2): A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
(Hitachi Energy MACH GWS 2) A CVSS v4.0 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
CVE-2024-3980
(Hitachi Energy MACH GWS 2): A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
(Hitachi Energy MACH GWS 2) A CVSS v4.0 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.4 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.5 RESEARCHER
Hitachi Energy reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy recommends that users update to the new versions listed below:

MACH GWS Versions 3.0.0.0 to 3.3.0.0: Upgrade to version 3.4.0.0.
MACH GWS Version 2.1.0.0: Apply the patch HF1 to HF6 sequentially.
MACH GWS Versions 2.2.0.0 to 2.4.0.0: Apply the patch HF3 to HF6 sequentially.

For more information, visit the Hitachi Energy security advisory.
Hitachi Energy recommended security practices and firewall configurations can help protect a process control network from attacks originating outside the network. Such practices include ensuring that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports, evaluated on a case-by-case basis. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should be followed.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000211 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: MACH GWS products
• Vulnerabilities: Improper Neutralization of Special Elements in Data Query Logic, Improper Limitation of a Pathname to a Restricted Directory, Authentication Bypass by Capture-replay, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject code, read or modify files, hijack user sessions, or access exposed ports without authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy products are affected:

• MACH GWS: Version 2.1.0.0 (CVE-2024-4872, CVE-2024-3980)
• MACH GWS: Versions 2.2.0.0 to 2.4.0.0 (CVE-2024-4872, CVE-2024-3980)
• MACH GWS: Versions 3.0.0.0 to 3.3.0.0 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982)
• MACH GWS: Versions 3.1.0.0 to 3.3.0.0 (CVE-2024-7940)

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943

A vulnerability exists in the query validation of the MACH GWS product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.

CVE-2024-4872 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4872. A base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The MACH GWS product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

CVE-2024-3980 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3980. A base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

An attacker with local access to machine where MACH GWS is installed, could enable the session logging supporting the product and try to exploit a session hijacking of an already established session.

Note: By default, the session logging level is not enabled and only users with administrator rights can enable it.

CVE-2024-3982 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3982. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The MACH GWS product exposes a service that is intended for local only to all network interfaces without any authentication.

CVE-2024-7940 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7940. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 PRODUCT IMPACT

Additional product-specific impact for MACH GWS 2 affected product vulnerable to the CVE:

• CVE-2024-4872
• (Hitachi Energy MACH GWS 2): A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
• (Hitachi Energy MACH GWS 2) A CVSS v4.0 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
• CVE-2024-3980
• (Hitachi Energy MACH GWS 2): A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).
• (Hitachi Energy MACH GWS 2) A CVSS v4.0 base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.4 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.5 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends that users update to the new versions listed below:

• MACH GWS Versions 3.0.0.0 to 3.3.0.0: Upgrade to version 3.4.0.0.
• MACH GWS Version 2.1.0.0: Apply the patch HF1 to HF6 sequentially.
• MACH GWS Versions 2.2.0.0 to 2.4.0.0: Apply the patch HF3 to HF6 sequentially.

For more information, visit the Hitachi Energy security advisory.

Hitachi Energy recommended security practices and firewall configurations can help protect a process control network from attacks originating outside the network. Such practices include ensuring that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports, evaluated on a case-by-case basis. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should be followed.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000211

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Low attack complexity
Vendor: Hitachi Energy
Equipment: Relion 670/650/SAM600-IO Series
Vulnerability: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

2. RISK EVALUATION
Successful exploitation of this vulnerability can allow an attacker to reboot the device and cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports the following products are affected:

Relion 670/650/SAM600-IO series: Versions 2.2.2.0 up to but not including 2.2.2.6
Relion 670/650/SAM600-IO series: Versions 2.2.3.0 up to but not including 2.2.3.7
Relion 670/650/SAM600-IO series: Versions 2.2.4.0 up to but not including 2.2.4.4
Relion 670/650/SAM600-IO series: Versions 2.2.5.6 up to but not including 2.2.5.6
Relion 670/650/SAM600-IO series: 2.2.0.x
Relion 670/650/SAM600-IO series: 2.2.1.x

3.2 VULNERABILITY OVERVIEW
3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120
A vulnerability exists in the input validation of the GOOSE messages where out of range values received and processed by the IED cause a reboot of the device. In order for an attacker to exploit the vulnerability, GOOSE receiving blocks need to be configured.
CVE-2023-4518 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-4518. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Hitachi Energy PSIRT reported this vulnerability to CISA.
4. MITIGATIONS
Hitachi Energy identified the following specific workarounds and mitigations users can apply to reduce risk:

Relion 670 series Version 2.2.2.x up to but not including 2.2.2.6: Update to Version 2.2.2.6
Relion 670 series Version 2.2.3.x up to but not including 2.2.3.7: Update to Version 2.2.3.7
Relion 670/650 series Version 2.2.4.x up to but not including 2.2.4.4: Update to Version 2.2.4.4
Relion 670/650/SAM600-IO series Version 2.2.5.6 up to but not including 2.2.5.6: Update to Version 2.2.5.6
Relion 670 series Version 2.2.0 all revisions and Relion 670/650/SAM600-IO series Version 2.2.1 all revisions: Apply general mitigations.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000170 Cybersecurity Advisory – Improper Input Validation Vulnerability in Hitachi Energy’s Relion® 670/650/SAM600-IO series Product.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000170 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Low attack complexity
• Vendor: Hitachi Energy
• Equipment: Relion 670/650/SAM600-IO Series
• Vulnerability: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

2. RISK EVALUATION

Successful exploitation of this vulnerability can allow an attacker to reboot the device and cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

• Relion 670/650/SAM600-IO series: Versions 2.2.2.0 up to but not including 2.2.2.6
• Relion 670/650/SAM600-IO series: Versions 2.2.3.0 up to but not including 2.2.3.7
• Relion 670/650/SAM600-IO series: Versions 2.2.4.0 up to but not including 2.2.4.4
• Relion 670/650/SAM600-IO series: Versions 2.2.5.6 up to but not including 2.2.5.6
• Relion 670/650/SAM600-IO series: 2.2.0.x
• Relion 670/650/SAM600-IO series: 2.2.1.x

3.2 VULNERABILITY OVERVIEW

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A vulnerability exists in the input validation of the GOOSE messages where out of range values received and processed by the IED cause a reboot of the device. In order for an attacker to exploit the vulnerability, GOOSE receiving blocks need to be configured.

CVE-2023-4518 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-4518. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy identified the following specific workarounds and mitigations users can apply to reduce risk:

• Relion 670 series Version 2.2.2.x up to but not including 2.2.2.6: Update to Version 2.2.2.6
• Relion 670 series Version 2.2.3.x up to but not including 2.2.3.7: Update to Version 2.2.3.7
• Relion 670/650 series Version 2.2.4.x up to but not including 2.2.4.4: Update to Version 2.2.4.4
• Relion 670/650/SAM600-IO series Version 2.2.5.6 up to but not including 2.2.5.6: Update to Version 2.2.5.6
• Relion 670 series Version 2.2.0 all revisions and Relion 670/650/SAM600-IO series Version 2.2.1 all revisions: Apply general mitigations.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000170 Cybersecurity Advisory – Improper Input Validation Vulnerability in Hitachi Energy’s Relion® 670/650/SAM600-IO series Product.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000170

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Service Suite
Vulnerabilities: Use of Less Trusted Source, Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’), Integer Overflow or Wraparound, Out-of-bounds Write, Allocation of Resources Without Limits or Throttling, Exposure of Sensitive Information to an Unauthorized Actor, Memory Allocation with Excessive Size Value, Out-of-bounds Read, Uncontrolled Resource Consumption, Improper Resource Shutdown or Release, Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality, integrity, or availability of affected devices.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports the following products are affected:

Service Suite: Versions 9.8.1.3 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Less Trusted Source CWE-348
Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may not send the X-Forwarded-* headers to the origin server due to the client-side Connection header hop-by-hop mechanism. This vulnerability can be exploited to bypass IP-based authentication on the origin server or application.
CVE-2022-31813 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-31813. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444
Some mod_proxy configurations on Service Suite product’s Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP request smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.
CVE-2023-25690 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-25690. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Integer Overflow or Wraparound CWE-190
Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into making such a call, third-party modules or Lua scripts that use ap_strcmp_match() may hypothetically be affected.
CVE-2022-28615 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-28615. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.4 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444
An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.54 and prior, which are part of the Service Suite product.
CVE-2022-36760 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2022-36760. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.5 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444
An HTTP response smuggling vulnerability exists in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server versions 2.4.30 through 2.4.55, which are part of the Service Suite product. Special characters in the origin response header can truncate or split the response forwarded to the client.
CVE-2023-27522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2023-27522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.6 Out-of-bounds Write CWE-787
A carefully crafted If: request header can cause a memory read or write of a single zero byte in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server versions 2.4.54 and earlier, which are part of the Service Suite product.
CVE-2006-20001 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2006-20001. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.7 Allocation of Resources Without Limits or Throttling CWE-770
In Apache HTTP Server 2.4.53 and earlier, which are part of the Service Suite product, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to the lack of a default limit on possible input size.
CVE-2022-29404 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-29404. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.8 Exposure of Sensitive Information to an Unauthorized Actor CWE-200
Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.
CVE-2022-30556 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2022-30556. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.9 Memory Allocation with Excessive Size Value CWE-789
If Apache HTTP Server 2.4.53, which is part of the Service Suite product, is configured to perform transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
CVE-2022-30522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-30522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.10 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444
An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.
CVE-2022-26377 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2022-26377. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.11 Out-of-bounds Read CWE-125
An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.
CVE-2023-31122 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-31122. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.12 Uncontrolled Resource Consumption CWE-400
An attacker opening an HTTP/2 connection with an initial window size of 0 can block the handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well-known “slow loris” attack pattern. This issue affects Apache HTTP Server versions 2.4.55 through 2.4.57, which are part of the Service Suite product.
CVE-2023-43622 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-43622. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.13 Improper Resource Shutdown or Release CWE-404
When an HTTP/2 stream is reset (RST frame) by a client, there is a time window where the request’s memory resources are not immediately reclaimed. Instead, deallocation is deferred until the connection closes. A client can send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep growing. Upon connection close, all resources are reclaimed, but the process might run out of memory before that. This issue affects Apache HTTP Server versions 2.4.17 through 2.4.57, which are part of the Service Suite product.
CVE-2023-45802 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2023-45802. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.14 Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) CWE-113
In Apache HTTP Server versions prior to 2.4.55, which are part of the Service Suite product, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.
CVE-2022-37436 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2022-37436. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.15 Exposure of Sensitive Information to an Unauthorized Actor CWE-200
The ap_rwrite() function in Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product, may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua’s r:puts() function.
CVE-2022-28614 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2022-28614. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.16 Out-of-bounds Read CWE-125
Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product on Windows, may read beyond bounds when configured to process requests with the mod_isapi module.
CVE-2022-28330 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2022-28330. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Hitachi Energy reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy recommends affected users update to 9.8.1.4
For more information see the associated Hitachi Energy cybersecurity advisory 8DBD000209.
Hitachi Energy recommends security practices and firewall configurations to help protect process control networks from external attacks. These practices include ensuring that process control systems are physically protected from unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports. Each case should be evaluated individually. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should also be followed.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000209 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: Service Suite
• Vulnerabilities: Use of Less Trusted Source, Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’), Integer Overflow or Wraparound, Out-of-bounds Write, Allocation of Resources Without Limits or Throttling, Exposure of Sensitive Information to an Unauthorized Actor, Memory Allocation with Excessive Size Value, Out-of-bounds Read, Uncontrolled Resource Consumption, Improper Resource Shutdown or Release, Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality, integrity, or availability of affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

• Service Suite: Versions 9.8.1.3 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Less Trusted Source CWE-348

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may not send the X-Forwarded-* headers to the origin server due to the client-side Connection header hop-by-hop mechanism. This vulnerability can be exploited to bypass IP-based authentication on the origin server or application.

CVE-2022-31813 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-31813. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444

Some mod_proxy configurations on Service Suite product’s Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP request smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.

CVE-2023-25690 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-25690. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Integer Overflow or Wraparound CWE-190

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into making such a call, third-party modules or Lua scripts that use ap_strcmp_match() may hypothetically be affected.

CVE-2022-28615 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-28615. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444

An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.54 and prior, which are part of the Service Suite product.

CVE-2022-36760 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-36760. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444

An HTTP response smuggling vulnerability exists in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server versions 2.4.30 through 2.4.55, which are part of the Service Suite product. Special characters in the origin response header can truncate or split the response forwarded to the client.

CVE-2023-27522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2023-27522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

A carefully crafted If: request header can cause a memory read or write of a single zero byte in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server versions 2.4.54 and earlier, which are part of the Service Suite product.

CVE-2006-20001 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2006-20001. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.7 Allocation of Resources Without Limits or Throttling CWE-770

In Apache HTTP Server 2.4.53 and earlier, which are part of the Service Suite product, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to the lack of a default limit on possible input size.

CVE-2022-29404 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-29404. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.8 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

CVE-2022-30556 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-30556. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Memory Allocation with Excessive Size Value CWE-789

If Apache HTTP Server 2.4.53, which is part of the Service Suite product, is configured to perform transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

CVE-2022-30522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-30522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.10 Inconsistent Interpretation of HTTP Requests (‘HTTP Request/Response Smuggling’) CWE-444

An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.

CVE-2022-26377 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2022-26377. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.11 Out-of-bounds Read CWE-125

An inconsistent interpretation of HTTP requests (‘HTTP request smuggling’) vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.

CVE-2023-31122 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-31122. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.12 Uncontrolled Resource Consumption CWE-400

An attacker opening an HTTP/2 connection with an initial window size of 0 can block the handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well-known “slow loris” attack pattern. This issue affects Apache HTTP Server versions 2.4.55 through 2.4.57, which are part of the Service Suite product.

CVE-2023-43622 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-43622. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.13 Improper Resource Shutdown or Release CWE-404

When an HTTP/2 stream is reset (RST frame) by a client, there is a time window where the request’s memory resources are not immediately reclaimed. Instead, deallocation is deferred until the connection closes. A client can send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep growing. Upon connection close, all resources are reclaimed, but the process might run out of memory before that. This issue affects Apache HTTP Server versions 2.4.17 through 2.4.57, which are part of the Service Suite product.

CVE-2023-45802 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-45802. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.14 Improper Neutralization of CRLF Sequences in HTTP Headers (‘HTTP Request/Response Splitting’) CWE-113

In Apache HTTP Server versions prior to 2.4.55, which are part of the Service Suite product, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

CVE-2022-37436 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2022-37436. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.15 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

The ap_rwrite() function in Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product, may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua’s r:puts() function.

CVE-2022-28614 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-28614. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.16 Out-of-bounds Read CWE-125

Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product on Windows, may read beyond bounds when configured to process requests with the mod_isapi module.

CVE-2022-28330 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-28330. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends affected users update to 9.8.1.4

For more information see the associated Hitachi Energy cybersecurity advisory 8DBD000209.

Hitachi Energy recommends security practices and firewall configurations to help protect process control networks from external attacks. These practices include ensuring that process control systems are physically protected from unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports. Each case should be evaluated individually. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should also be followed.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000209

 Read More

 ​Starting May 12, CISA is changing how we announce cybersecurity updates and the release of new guidance. These announcements will only be shared through CISA social media platforms, email, and RSS feeds and will no longer be listed on our Cybersecurity Alerts & Advisories webpage.  

The focus of our Cybersecurity Alerts & Advisories webpage will now be on urgent information tied to emerging threats or major cyber activity. CISA wants this critical information to get the attention it deserves and ensure it is easier to find. We’ll continue to communicate releases and updates to our stakeholders. To stay informed, subscribe to receive our email notifications on CISA.gov. You can also follow us on X @CISACyber for timely cybersecurity updates. 
Note: If you’ve previously used RSS feeds to track Known Exploited Vulnerabilities Catalog updates, please subscribe to the KEV subscription topic through GovDelivery to continue receiving notifications.   

We greatly appreciate stakeholder feedback which played a part in this change and thank you for staying connected with CISA.  

 Read More

 ​CISA released five Industrial Control Systems (ICS) advisories on May 8, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-128-01 Horner Automation Cscape
ICSA-25-128-02 Hitachi Energy RTU500 series
ICSA-25-128-03 Mitsubishi Electric CC-Link IE TSN 
ICSA-25-093-01 Hitachi Energy RTU500 Series (Update A) 
ICSMA-25-128-01 Pixmeo OsiriX MD

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released five Industrial Control Systems (ICS) advisories on May 8, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-128-01 Horner Automation Cscape
• ICSA-25-128-02 Hitachi Energy RTU500 series
• ICSA-25-128-03 Mitsubishi Electric CC-Link IE TSN
   
• ICSA-25-093-01 Hitachi Energy RTU500 Series (Update A)
   
• ICSMA-25-128-01 Pixmeo OsiriX MD

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More