Author: itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: EcoStruxure
Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION
Successful exploitation of this vulnerability allows for local privilege escalation, which could lead to the execution of a malicious Dynamic-Link Library (DLL).
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Schneider Electric EcoStruxure products and versions, which incorporate Revenera FlexNet Publisher, are affected:

EcoStruxure Control Expert: Versions prior to V16.1
EcoStruxure Process Expert: All versions
EcoStruxure OPC UA Server Expert: All versions
EcoStruxure Control Expert Asset Link: Versions prior to V4.0 SP1
EcoStruxure Machine SCADA Expert Asset Link: All versions
EcoStruxure Architecture Builder: Versions prior to V7.0.18
EcoStruxure Operator Terminal Expert: All versions
Vijeo Designer: Version prior to V6.3SP1 HF1
EcoStruxure Machine Expert including EcoStruxure Machine Expert Safety: All versions
EcoStruxure Machine Expert Twin: All versions
Zelio Soft 2: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 Uncontrolled Search Path Element CWE-427
A misconfiguration in lmadmin.exe of FlexNet Publisher versions prior to 2024 R1 (11.19.6.0) allows the OpenSSL configuration file to load from a non-existent directory. An unauthorized, locally authenticated user with low privileges can potentially create the directory and load a specially crafted openssl.conf file leading to the execution of a malicious DLL (Dynamic-Link Library) with elevated privileges.
CVE-2024-2658 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-2658. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Services and Facilities, Transportation Systems, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Xavier DANEST of Trend Micro Zero Day Initiative reported this vulnerability to Revenera PSIRT.
4. MITIGATIONS
Schneider Electric recommends that users of the following products follow these actions:

EcoStruxure Control Expert: Versions prior to V16.1 – Version V16.1 of EcoStruxure Control Expert includes a fix for this vulnerability and is available for download here. Reboot the computer after installation is completed.
EcoStruxure Architecture Builder: Versions prior to V7.0.18 – Version V7.0.18 of EcoStruxure Architecture Builder includes a fix for this vulnerability and is available for download here.
EcoStruxure Control Expert Asset Link: Versions prior to V4.0 SP1 – Version V4.0SP1 of EcoStruxure Control Expert Asset Link includes a fix for this vulnerability and is available for download here.
Vijeo Designer: Version prior to V6.3SP1 HF1 – Version V6.3SP1 HF1 of Vijeo Designer includes a fix for this vulnerability. Please contact your Schneider Electric Customer Support to get Vijeo Designer version V6.3SP1 HF1 software.

Users should follow appropriate patching methodologies when applying these patches to their systems. We strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or an offline infrastructure. Contact Schneider Electric’s Customer Care Center if you need assistance removing a patch.
If users choose not to apply the remediation provided above, they should immediately apply the following mitigations in order to reduce the risk of exploit:
Schneider Electric is establishing a remediation plan for all future versions of the following that will include a fix for this vulnerability:

EcoStruxure Process Expert
EcoStruxure OPC UA Server Expert
EcoStruxure Machine SCADA Expert – Asset Link
EcoStruxure Operator Terminal Expert
EcoStruxure Machine Expert including
EcoStruxure Machine Expert Safety
EcoStruxure Machine Expert Twin
Zelio Soft 2

We will update this document when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

Limit authenticated user access to the workstation and implement existing User Account Control practices.
Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices guide available for download here.

To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here.
General Security Recommendations
Schneider Electric strongly recommends the following industry cybersecurity best practices:

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

February 6, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Schneider Electric
• Equipment: EcoStruxure
• Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability allows for local privilege escalation, which could lead to the execution of a malicious Dynamic-Link Library (DLL).

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric EcoStruxure products and versions, which incorporate Revenera FlexNet Publisher, are affected:

• EcoStruxure Control Expert: Versions prior to V16.1
• EcoStruxure Process Expert: All versions
• EcoStruxure OPC UA Server Expert: All versions
• EcoStruxure Control Expert Asset Link: Versions prior to V4.0 SP1
• EcoStruxure Machine SCADA Expert Asset Link: All versions
• EcoStruxure Architecture Builder: Versions prior to V7.0.18
• EcoStruxure Operator Terminal Expert: All versions
• Vijeo Designer: Version prior to V6.3SP1 HF1
• EcoStruxure Machine Expert including EcoStruxure Machine Expert Safety: All versions
• EcoStruxure Machine Expert Twin: All versions
• Zelio Soft 2: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Uncontrolled Search Path Element CWE-427

A misconfiguration in lmadmin.exe of FlexNet Publisher versions prior to 2024 R1 (11.19.6.0) allows the OpenSSL configuration file to load from a non-existent directory. An unauthorized, locally authenticated user with low privileges can potentially create the directory and load a specially crafted openssl.conf file leading to the execution of a malicious DLL (Dynamic-Link Library) with elevated privileges.

CVE-2024-2658 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-2658. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy, Food and Agriculture, Government Services and Facilities, Transportation Systems, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Xavier DANEST of Trend Micro Zero Day Initiative reported this vulnerability to Revenera PSIRT.

4. MITIGATIONS

Schneider Electric recommends that users of the following products follow these actions:

• EcoStruxure Control Expert: Versions prior to V16.1 – Version V16.1 of EcoStruxure Control Expert includes a fix for this vulnerability and is available for download here. Reboot the computer after installation is completed.
• EcoStruxure Architecture Builder: Versions prior to V7.0.18 – Version V7.0.18 of EcoStruxure Architecture Builder includes a fix for this vulnerability and is available for download here.
• EcoStruxure Control Expert Asset Link: Versions prior to V4.0 SP1 – Version V4.0SP1 of EcoStruxure Control Expert Asset Link includes a fix for this vulnerability and is available for download here.
• Vijeo Designer: Version prior to V6.3SP1 HF1 – Version V6.3SP1 HF1 of Vijeo Designer includes a fix for this vulnerability. Please contact your Schneider Electric Customer Support to get Vijeo Designer version V6.3SP1 HF1 software.

Users should follow appropriate patching methodologies when applying these patches to their systems. We strongly recommend the use of back-ups and evaluating the impact of these patches in a Test and Development environment or an offline infrastructure. Contact Schneider Electric’s Customer Care Center if you need assistance removing a patch.

If users choose not to apply the remediation provided above, they should immediately apply the following mitigations in order to reduce the risk of exploit:

Schneider Electric is establishing a remediation plan for all future versions of the following that will include a fix for this vulnerability:

• EcoStruxure Process Expert
• EcoStruxure OPC UA Server Expert
• EcoStruxure Machine SCADA Expert – Asset Link
• EcoStruxure Operator Terminal Expert
• EcoStruxure Machine Expert including
• EcoStruxure Machine Expert Safety
• EcoStruxure Machine Expert Twin
• Zelio Soft 2

We will update this document when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit:

• Limit authenticated user access to the workstation and implement existing User Account Control practices.
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices guide available for download here.

To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here.

General Security Recommendations

Schneider Electric strongly recommends the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.
  CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• February 6, 2025: Initial Publication

 Read More

 ​CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-53104 Linux Kernel Out-of-Bounds Write Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

​The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums. 

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

On Jan. 30, the U.S. Department of Justice said it seized eight domain names that were used to operate Cracked, a cybercrime forum that sprang up in 2018 and attracted more than four million users. The DOJ said the law enforcement action, dubbed Operation Talent, also seized domains tied to Sellix, Cracked’s payment processor.

In addition, the government seized the domain names for two popular anonymity services that were heavily advertised on Cracked and Nulled and allowed customers to rent virtual servers: StarkRDP[.]io, ; and rdp[.]sh.

Those archived webpages show both RDP services were owned by an entity called 1337 Services Gmbh. According to corporate records compiled by Northdata.com, 1337 Services GmbH is also known as AS210558 and is incorporated in Hamburg, Germany.

The Cracked forum administrator went by the nicknames “FlorainN” and “StarkRDP” on multiple cybercrime forums. Meanwhile, a LinkedIn profile for a Florian M. from Germany refers to this person as the co-founder of Sellix and founder of 1337 Services GmbH.

Northdata’s business profile for 1337 Services GmbH shows the Hamburg, Germany-based company is controlled by two individuals: 32-year-old Florian Marzahl and Finn Alexander Grimpe, 28.

Neither Marzahl nor Grimpe responded to requests for comment. But Grimpe’s first name is interesting because it corresponds to the nickname chosen by the founder of Nulled, who goes by the moniker “Finn” and “Finndev.” NorthData reveals that Grimpe was the founder of a German entity called DreamDrive GmbH, which rented out high-end sports cars and motorcycles.

According to the cyber intelligence firm Intel 471, a user named Finndev registered on multiple cybercrime forums, including Raidforums [seized by the FBI in 2022], Void[.]to, and vDOS, a DDoS-for-hire service that was shut down in 2016 after its founders were arrested.

The email address used for those accounts was f.grimpe@gmail.com. DomainTools.com reports f.grimpe@gmail.com was used to register at least nine domain names, including nulled[.]lol, nulled[.]it. Neither of these domains were among those seized in Operation Talent.

Intel471 finds the user FlorainN registered across multiple cybercrime forums using the email address olivia.messla@outlook.de. The breach tracking service Constella Intelligence says this email address used the same password (and slight variations of it) across many accounts online — including at hacker forums — and that the same password was used in connection with dozens of other email addresses, such as florianmarzahl@hotmail.de, and fmarzahl137@gmail.com.

The Justice Department said the Nulled marketplace had more than five million members, and has been selling stolen login credentials, stolen identification documents and hacking services, as well as tools for carrying out cybercrime and fraud, since 2016.

Perhaps fittingly, both Cracked and Nulled have been hacked over the years, exposing countless private messages between forum users. A review of those messages archived by Intel 471 showed that dozens of early forum members referred privately to Finndev as the owner of shoppy[.]gg, an e-commerce platform that caters to the same clientele as Sellix.

Shoppy was not targeted as part of Operation Talent, and its website remains online. Northdata reports that Shoppy’s business name — Shoppy Ecommerce Ltd. — is registered at an address in Gan-Ner, Israel, but there is no ownership information about this entity. Shoppy did not respond to requests for comment.

Constella found that a user named Shoppy registered on Cracked in 2019 using the email address finn@shoppy[.]gg. Constella says that email address is tied to a Twitter/X account for Shoppy Ecommerce in Israel.

The DOJ said one of the alleged administrators of Nulled, a 29-year-old Argentinian national named Lucas Sohn, was arrested in Spain. The government has not announced any other arrests or charges associated with Operation Talent.

Indeed, both StarkRDP and FloraiN have posted to their accounts on Telegram that there were no charges levied against the proprietors of 1337 Services GmbH. FlorainN told former customers they were in the process of moving to a new name and domain for StarkRDP, where existing accounts and balances would be transferred.

“StarkRDP has always been operating by the law and is not involved in any of these alleged crimes and the legal process will confirm this,” the StarkRDP Telegram account wrote on January 30. “All of your servers are safe and they have not been collected in this operation. The only things that were seized is the website server and our domain. Unfortunately, no one can tell who took it and with whom we can talk about it. Therefore, we will restart operation soon, under a different name, to close the chapter [of] ‘StarkRDP.’”

 

​Read More

 ​CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems. The published guidance is as follows:

“Security Considerations for Edge Devices,” led by the Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment Canada.
“Digital Forensics Monitoring Specifications for Products of Network Devices and Applications,” led by the United Kingdom’s National Cyber Security Centre (NCSC-UK).
“Mitigation Strategies for Edge Devices: Executive Guidance” and “Mitigation Strategies for Edge Devices: Practitioner Guidance,” two separate guides led by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).

Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems. The damage can be expensive, time-consuming, and reputationally catastrophic for public and private sector organizations. These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise.
CISA and partner agencies urge device manufacturers and critical infrastructure owners and operators to review and implement the recommended actions and mitigations in the publications. Device manufacturers, please visit CISA’s Secure by Design page for more information on how to align development processes with the goal of reducing the prevalence of vulnerabilities in devices. Critical infrastructure owners and operators, please see Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products for guidance on procuring secure products. 

CISA—in partnership with international and U.S. organizations—released guidance to help organizations protect their network edge devices and appliances, such as firewalls, routers, virtual private networks (VPN) gateways, Internet of Things (IoT) devices, internet-facing servers, and internet-facing operational technology (OT) systems. The published guidance is as follows:

• “Security Considerations for Edge Devices,” led by the Canadian Centre for Cyber Security (CCCS), a part of the Communications Security Establishment Canada.
• “Digital Forensics Monitoring Specifications for Products of Network Devices and Applications,” led by the United Kingdom’s National Cyber Security Centre (NCSC-UK).
• “Mitigation Strategies for Edge Devices: Executive Guidance” and “Mitigation Strategies for Edge Devices: Practitioner Guidance,” two separate guides led by the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC).

Foreign adversaries routinely exploit software vulnerabilities in network edge devices to infiltrate critical infrastructure networks and systems. The damage can be expensive, time-consuming, and reputationally catastrophic for public and private sector organizations. These guidance documents detail various considerations and strategies for a more secure and resilient network both before and after a compromise.

CISA and partner agencies urge device manufacturers and critical infrastructure owners and operators to review and implement the recommended actions and mitigations in the publications. Device manufacturers, please visit CISA’s Secure by Design page for more information on how to align development processes with the goal of reducing the prevalence of vulnerabilities in devices. Critical infrastructure owners and operators, please see Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products for guidance on procuring secure products.

 Read More

 ​CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability
CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability
CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability
CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-45195 Apache OFBiz Forced Browsing Vulnerability
• CVE-2024-29059 Microsoft .NET Framework Information Disclosure Vulnerability
• CVE-2018-9276 Paessler PRTG Network Monitor OS Command Injection Vulnerability
• CVE-2018-19410 Paessler PRTG Network Monitor Local File Inclusion Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC
Vulnerability: Incorrect Calculation of Buffer Size

2. RISK EVALUATION
Successful exploitation of this vulnerability could cause a denial-of-service of the product when an unauthenticated user sends a crafted HTTPS packet to the webserver.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC are affected:

Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety): Versions prior to SV4.30
Modicon M580 CPU Safety (part numbers BMEP58-S and BMEH58-S): Versions prior to SV4.21
BMENOR2200H: All versions
EVLink Pro AC: Versions prior to v1.3.10

3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT CALCULATION OF BUFFER SIZE CWE-131
The affected product is vulnerable to an incorrect calculation of buffer size vulnerability which could cause a denial-of-service of the product when an unauthenticated user is sending a crafted HTTPS packet to the webserver.
CVE-2024-11425 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-11425. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Schneider Electric reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric has identified the following remediations users can apply to reduce risk:

Modicon M580 CPU (partnumbers BMEP* and BMEH*,excluding M580 CPU Safety): Version SV4.30 of Modicon M580 firmware includes a fix for this vulnerability and is available for download.
Modicon M580 CPU Safety part numbers BMEP58-S and MEH58-S): Version SV4.21 of Modicon M580 firmware includes a fix for this vulnerability and is available for download.
EVLink Pro AC: Version V1.3.10 of EVLink Pro AC firmware includes a fix for this vulnerability and is available here.

Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends making use of back-ups and evaluating the impact of these patches in a testing and development environment or on an offline infrastructure. Contact Schneider Electric’s Customer Care Center if assistance is needed for removing a patch.
If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:

Modicon M580 CPU (partnumbers BMEP* and BMEH*,excluding M580 CPU Safety): Set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP. Configure the access control list following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”
Modicon M580 CPU Safety part numbers BMEP58-S and MEH58-S): Set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP. Configure the access control list following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”
BMENOR2200H: Schneider Electric is establishing a remediation plan for BMENOR2200H that will include a fix for CVE-2024-11425. They will update SEVD-2025-014-01 when the remediation is available. Until then, users should immediately set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP.
EVLink Pro AC: Follow the EVlink Pro AC cybersecurity guide

Schneider Electric strongly recommends the following industry cybersecurity best practices.

Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
Place all controllers in locked cabinets and never leave them in the “Program” mode.
Never connect programming software to any network other than the network intended for that device.
Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.
For more information, see Schneider Electric security notification “SEVD-2025-014-01 Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC”
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

February 4, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC
• Vulnerability: Incorrect Calculation of Buffer Size

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial-of-service of the product when an unauthenticated user sends a crafted HTTPS packet to the webserver.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC are affected:

• Modicon M580 CPU (part numbers BMEP* and BMEH*, excluding M580 CPU Safety): Versions prior to SV4.30
• Modicon M580 CPU Safety (part numbers BMEP58-S and BMEH58-S): Versions prior to SV4.21
• BMENOR2200H: All versions
• EVLink Pro AC: Versions prior to v1.3.10

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT CALCULATION OF BUFFER SIZE CWE-131

The affected product is vulnerable to an incorrect calculation of buffer size vulnerability which could cause a denial-of-service of the product when an unauthenticated user is sending a crafted HTTPS packet to the webserver.

CVE-2024-11425 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11425. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following remediations users can apply to reduce risk:

• Modicon M580 CPU (partnumbers BMEP* and BMEH*,excluding M580 CPU Safety): Version SV4.30 of Modicon M580 firmware includes a fix for this vulnerability and is available for download.
• Modicon M580 CPU Safety part numbers BMEP58-S and MEH58-S): Version SV4.21 of Modicon M580 firmware includes a fix for this vulnerability and is available for download.
• EVLink Pro AC: Version V1.3.10 of EVLink Pro AC firmware includes a fix for this vulnerability and is available here.

Users should use appropriate patching methodologies when applying these patches to their systems. Schneider Electric strongly recommends making use of back-ups and evaluating the impact of these patches in a testing and development environment or on an offline infrastructure. Contact Schneider Electric’s Customer Care Center if assistance is needed for removing a patch.

If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:

• Modicon M580 CPU (partnumbers BMEP* and BMEH*,excluding M580 CPU Safety): Set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP. Configure the access control list following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”
• Modicon M580 CPU Safety part numbers BMEP58-S and MEH58-S): Set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP. Configure the access control list following the recommendations of the user manuals: “Modicon M580, Hardware, Reference Manual”
• BMENOR2200H: Schneider Electric is establishing a remediation plan for BMENOR2200H that will include a fix for CVE-2024-11425. They will update SEVD-2025-014-01 when the remediation is available. Until then, users should immediately set up network segmentation and implement a firewall to block all unauthorized access to Port 443/TCP.
• EVLink Pro AC: Follow the EVlink Pro AC cybersecurity guide

Schneider Electric strongly recommends the following industry cybersecurity best practices.

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

For more information, see Schneider Electric security notification “SEVD-2025-014-01 Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC”

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 6.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Western Telematic Inc
Equipment: NPS Series, DSM Series, CPM Series
Vulnerability: External Control of File Name or Path

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated attacker to gain privileged access to files on the device’s filesystem.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Western Telematic Inc products are affected:

Network Power Switch (NPS Series): Firmware Version 6.62 and prior
Console Server (DSM Series): Firmware Version 6.62 and prior
Console Server + PDU Combo Unit (CPM Series): Firmware Version 6.62 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 External Control of File Name or Path CWE-73
Multiple Western Telematic (WTI) products contain a web interface that is vulnerable to a Local File Inclusion Attack (LFI), where any authenticated user has privileged access to files on the device’s filesystem.
CVE-2025-0630 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-0630. A base score of 6.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
notnotnotveg (notnotnotveg@gmail.com) reported this vulnerability to CISA.
4. MITIGATIONS
Western Telematic Inc reports this issue was discovered and patched in 2020. Western Telematic Inc recommends users follow best practices and update to the latest version.

For DSM/CPM units: Update to 8.06
For NPS units: Update 4.02
Ensure the default passwords are changed prior to deployment

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

February 4, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Western Telematic Inc
• Equipment: NPS Series, DSM Series, CPM Series
• Vulnerability: External Control of File Name or Path

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated attacker to gain privileged access to files on the device’s filesystem.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Western Telematic Inc products are affected:

• Network Power Switch (NPS Series): Firmware Version 6.62 and prior
• Console Server (DSM Series): Firmware Version 6.62 and prior
• Console Server + PDU Combo Unit (CPM Series): Firmware Version 6.62 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 External Control of File Name or Path CWE-73

Multiple Western Telematic (WTI) products contain a web interface that is vulnerable to a Local File Inclusion Attack (LFI), where any authenticated user has privileged access to files on the device’s filesystem.

CVE-2025-0630 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-0630. A base score of 6.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

notnotnotveg (notnotnotveg@gmail.com) reported this vulnerability to CISA.

4. MITIGATIONS

Western Telematic Inc reports this issue was discovered and patched in 2020. Western Telematic Inc recommends users follow best practices and update to the latest version.

• For DSM/CPM units: Update to 8.06
• For NPS units: Update 4.02
• Ensure the default passwords are changed prior to deployment

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: Elber
Equipment: Communications Equipment
Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Hidden Functionality

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker unauthorized administrative access to the affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Elber Communications Equipment are affected:

Signum DVB-S/S2 IRD: Versions 1.999 and prior
Cleber/3 Broadcast Multi-Purpose Platform: Version 1.0
Reble610 M/ODU XPIC IP-ASI-SDH: Version 0.01
ESE DVB-S/S2 Satellite Receiver: Versions 1.5.179 and prior
Wayber Analog/Digital Audio STL: Version 4

3.2 VULNERABILITY OVERVIEW
3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288
Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user’s password within the system. This grants them unauthorized administrative access to protected areas of the application, compromising the device’s system security.
CVE-2025-0674 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-0674. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Hidden Functionality CWE-912
Multiple Elber products suffer from an unauthenticated device configuration and client-side hidden functionality disclosure.
CVE-2025-0675 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-0675. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER
Gjoko Krstic of Zero Science Lab reported these vulnerabilities to CISA.
4. MITIGATIONS
Elber does not plan to mitigate these vulnerabilities because this equipment is either end of life or almost end of life. Users of affected versions of Elber Signum DVB-S/S2 IRD, Cleber/3 Broadcast Multi-Purpose Platform, Reble610 M/ODU XPIC IP-ASI-SDH, ESE DVB-S/S2 Satellite Receiver, and Wayber Analog/Digital Audio STL are invited to contact Elber customer support for additional information.
CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

February 4, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
• Vendor: Elber
• Equipment: Communications Equipment
• Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Hidden Functionality

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker unauthorized administrative access to the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Elber Communications Equipment are affected:

• Signum DVB-S/S2 IRD: Versions 1.999 and prior
• Cleber/3 Broadcast Multi-Purpose Platform: Version 1.0
• Reble610 M/ODU XPIC IP-ASI-SDH: Version 0.01
• ESE DVB-S/S2 Satellite Receiver: Versions 1.5.179 and prior
• Wayber Analog/Digital Audio STL: Version 4

3.2 VULNERABILITY OVERVIEW

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

Multiple Elber products are affected by an authentication bypass vulnerability which allows unauthorized access to the password management functionality. Attackers can exploit this issue by manipulating the endpoint to overwrite any user’s password within the system. This grants them unauthorized administrative access to protected areas of the application, compromising the device’s system security.

CVE-2025-0674 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-0674. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Hidden Functionality CWE-912

Multiple Elber products suffer from an unauthenticated device configuration and client-side hidden functionality disclosure.

CVE-2025-0675 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-0675. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER

Gjoko Krstic of Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

Elber does not plan to mitigate these vulnerabilities because this equipment is either end of life or almost end of life. Users of affected versions of Elber Signum DVB-S/S2 IRD, Cleber/3 Broadcast Multi-Purpose Platform, Reble610 M/ODU XPIC IP-ASI-SDH, ESE DVB-S/S2 Satellite Receiver, and Wayber Analog/Digital Audio STL are invited to contact Elber customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Rockwell Automation
Equipment: 1756-L8zS3, 1756-L3zS3
Vulnerability: Improper Handling of Exceptional Conditions

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Rockwell Automation products are affected:

1756-L8zS3: Versions prior to V33.017, V34.014, V35.013, V36.011
1756-L3zS3: Versions prior to V33.017, V34.014, V35.013, V36.011

3.2 VULNERABILITY OVERVIEW
3.2.1 Improper Handling of Exceptional Conditions CWE-755
A denial-of-service vulnerability exists in the affected products. The vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service.
CVE-2025-24478 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-24478. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Rockwell Automation reported this vulnerability to CISA.
4. MITIGATIONS
Rockwell Automation recommends users of the affected software to apply the risk mitigations, if possible.

Update to V33.017, V34.014, V35.013, V36.011, or the latest version.
Restrict Access to the task object via CIP Security and Hard Run.
For information on how to mitigate security risks on industrial automation control systems, Rockwell Automation encourages users to implement our suggested security best practices to minimize the risk of the vulnerability.

Stakeholder-Specific Vulnerability Categorization can be used to generate more environment-specific prioritization.
For more information about this issue, please see the advisory on the Rockwell Automation security page.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

February 4, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Rockwell Automation
• Equipment: 1756-L8zS3, 1756-L3zS3
• Vulnerability: Improper Handling of Exceptional Conditions

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Rockwell Automation products are affected:

• 1756-L8zS3: Versions prior to V33.017, V34.014, V35.013, V36.011
• 1756-L3zS3: Versions prior to V33.017, V34.014, V35.013, V36.011

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Handling of Exceptional Conditions CWE-755

A denial-of-service vulnerability exists in the affected products. The vulnerability could allow a remote, non-privileged user to send malicious requests resulting in a major nonrecoverable fault causing a denial-of-service.

CVE-2025-24478 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24478. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Rockwell Automation reported this vulnerability to CISA.

4. MITIGATIONS

Rockwell Automation recommends users of the affected software to apply the risk mitigations, if possible.

• Update to V33.017, V34.014, V35.013, V36.011, or the latest version.
• Restrict Access to the task object via CIP Security and Hard Run.
• For information on how to mitigate security risks on industrial automation control systems, Rockwell Automation encourages users to implement our suggested security best practices to minimize the risk of the vulnerability.

Stakeholder-Specific Vulnerability Categorization can be used to generate more environment-specific prioritization.

For more information about this issue, please see the advisory on the Rockwell Automation security page.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• February 4, 2025: Initial Publication

 Read More

 ​CISA released nine Industrial Control Systems (ICS) advisories on February 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-035-01 Western Telematic Inc NPS Series, DSM Series, CPM Series
ICSA-25-035-02 Rockwell Automation 1756-L8zS3 and 1756-L3 and 1756-L3
ICSA-25-035-03 Elber Communications Equipment
ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC
ICSA-25-035-05 Schneider Electric Web Designer for Modicon
ICSA-25-035-06 Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H
ICSA-25-035-07 Schneider Electric Pro-face GP-Pro EX and Remote HMI
ICSA-25-035-08 AutomationDirect C-more EA9 HMI
ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released nine Industrial Control Systems (ICS) advisories on February 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-035-01 Western Telematic Inc NPS Series, DSM Series, CPM Series
• ICSA-25-035-02 Rockwell Automation 1756-L8zS3 and 1756-L3 and 1756-L3
• ICSA-25-035-03 Elber Communications Equipment
• ICSA-25-035-04 Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC
• ICSA-25-035-05 Schneider Electric Web Designer for Modicon
• ICSA-25-035-06 Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H
• ICSA-25-035-07 Schneider Electric Pro-face GP-Pro EX and Remote HMI
• ICSA-25-035-08 AutomationDirect C-more EA9 HMI
• ICSA-23-299-03 Ashlar-Vellum Cobalt, Graphite, Xenon, Argon, Lithium (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More