Advantech iView

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Advantech
  • Equipment: iView
  • Vulnerabilities: Cross-site Scripting, SQL Injection, Path Traversal, Argument Injection.

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, achieve remote code execution, or cause service disruptions.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Advantech products are affected:

  • iView: Versions prior to 5.7.05 build 7057

3.2 VULNERABILITY OVERVIEW
3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By exploiting this flaw, an attacker could execute unauthorized scripts in the user’s browser, potentially leading to information disclosure or other malicious activities.
CVE-2025-53397 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-53397. A base score of 5.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.2 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating specific parameters, an attacker could execute unauthorized scripts in the user’s browser, potentially leading to information disclosure or other malicious activities.
CVE-2025-53519 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-53519. A base score of 5.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.3 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79
A vulnerability exists in Advantech iView versions prior to 5.7.05 build 7057, which could allow a reflected cross-site scripting (XSS) attack. By manipulating certain input parameters, an attacker could execute unauthorized scripts in the user’s browser, potentially leading to information disclosure or other malicious activities.
CVE-2025-41442 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-41442. A base score of 5.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.4 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89
A vulnerability exists in Advantech iView that could allow for SQL injection through the CUtils.checkSQLInjection() function. This vulnerability can be exploited by an authenticated attacker with at least user-level privileges, potentially leading to information disclosure or a denial-of-service condition.
CVE-2025-48891 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-48891. A base score of 7.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.5 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) CWE-22
A vulnerability exists in Advantech iView in NetworkServlet.processImportRequest() that could allow for a directory traversal attack. This issue requires an authenticated attacker with at least user-level privileges. A specific parameter is not properly sanitized or normalized, potentially allowing an attacker to determine the existence of arbitrary files on the server.
CVE-2025-46704 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-46704. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.6 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89
A vulnerability exists in Advantech iView that could allow for SQL injection and remote code execution through NetworkServlet.getNextTrapPage(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters in this function are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the ‘nt authority\local service’ account.
CVE-2025-53475 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-53475. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.7 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89
A vulnerability exists in Advantech iView that could allow SQL injection and remote code execution through NetworkServlet.archiveTrapRange(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not properly sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the ‘nt authority\local service’ account.
CVE-2025-52577 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-52577. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.8 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89
A vulnerability exists in Advantech iView that allows for SQL injection and remote code execution through NetworkServlet.archiveTrap(). This issue requires an authenticated attacker with at least user-level privileges. Certain input parameters are not sanitized, allowing an attacker to perform SQL injection and potentially execute code in the context of the ‘nt authority\local service’ account.
CVE-2025-53515 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-53515. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.9 Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) CWE-88
A vulnerability exists in Advantech iView that allows for argument injection in NetworkServlet.backupDatabase(). This issue requires an authenticated attacker with at least user-level privileges. Certain parameters can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
CVE-2025-52459 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-52459. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.10 Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) CWE-88
A vulnerability exists in Advantech iView that allows for argument injection in the NetworkServlet.restoreDatabase(). This issue requires an authenticated attacker with at least user-level privileges. An input parameter can be used directly in a command without proper sanitization, allowing arbitrary arguments to be injected. This can result in information disclosure, including sensitive database credentials.
CVE-2025-53509 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-53509. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER
Alex Williams of Converge Technology Solutions reported these vulnerabilities to CISA.
4. MITIGATIONS
Advantech recommends users update to v5.7.05 build 7057.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

  • Do not click web links or open attachments in unsolicited email messages.
  • Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
  • Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

  • July 10, 2025: Initial Publication


CISA Releases One Industrial Control Systems Advisory

CISA released one Industrial Control Systems (ICS) advisory on July 8, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-189-01 Emerson ValveLink Products

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 


Emerson ValveLink Products

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Emerson
  • Equipment: ValveLink Products
  • Vulnerabilities: Cleartext Storage of Sensitive Information in Memory, Protection Mechanism Failure, Uncontrolled Search Path Element, Improper Input Validation

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run unauthorized code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following ValveLink products are affected:

  • ValveLink SOLO: All versions prior to ValveLink 14.0
  • ValveLink DTM: All versions prior to ValveLink 14.0
  • ValveLink PRM: All versions prior to ValveLink 14.0
  • ValveLink SNAP-ON: All versions prior to ValveLink 14.0

3.2 VULNERABILITY OVERVIEW
3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316
The product stores sensitive information in cleartext in memory. The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the product crashes, or if the programmer does not properly clear the memory before freeing it.
CVE-2025-52579 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2025-52579. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).
3.2.2 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316
The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CVE-2025-50109 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-50109. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.3 PROTECTION MECHANISM FAILURE CWE-693
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
CVE-2025-46358 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-46358. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.4 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CVE-2025-48496 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-48496. A base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.5 IMPROPER INPUT VALIDATION CWE-20
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CVE-2025-53471 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-53471. A base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Emerson reported these vulnerabilities to CISA.
4. MITIGATIONS
Emerson recommends users update their ValveLink software to ValveLink 14.0 or later. The upgrade can be downloaded from the Emerson website.
For more information see the associated Emerson security notification.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

  • July 8, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Emerson
  • Equipment: ValveLink Products
  • Vulnerabilities: Cleartext Storage of Sensitive Information in Memory, Protection Mechanism Failure, Uncontrolled Search Path Element, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run un-authorized code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ValveLink products are affected:

  • ValveLink SOLO: All versions prior to ValveLink 14.0
  • ValveLink DTM: All versions prior to ValveLink 14.0
  • ValveLink PRM: All versions prior to ValveLink 14.0
  • ValveLink SNAP-ON: All versions prior to ValveLink 14.0

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316

The product stores sensitive information in cleartext in memory. The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the product crashes, or if the programmer does not properly clear the memory before freeing it.

CVE-2025-52579 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-52579. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.2 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

CVE-2025-50109 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-50109. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.3 PROTECTION MECHANISM FAILURE CWE-693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

CVE-2025-46358 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-46358. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

CVE-2025-48496 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-48496. A base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CVE-2025-53471 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-53471. A base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Emerson reported these vulnerabilities to CISA.

4. MITIGATIONS

Emerson recommends users update their ValveLink software to ValveLink 14.0 or later. The upgrade can be downloaded from the Emerson website.

For more information see the associated Emerson security notification.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • July 8, 2025: Initial Publication

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2014-3931 Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability
  • CVE-2016-10033 PHPMailer Command Injection Vulnerability
  • CVE-2019-5418 Rails Ruby on Rails Path Traversal Vulnerability
  • CVE-2019-9621 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Releases Four Industrial Control Systems Advisories

CISA released four Industrial Control Systems (ICS) advisories on July 3, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

  • ICSA-25-184-01 Hitachi Energy Relion 670/650 and SAM600-IO Series
  • ICSA-25-184-02 Hitachi Energy MicroSCADA X SYS600
  • ICSA-25-184-03 Mitsubishi Electric MELSOFT Update Manager
  • ICSA-25-184-04 Mitsubishi Electric MELSEC iQ-F Series

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Mitsubishi Electric MELSOFT Update Manager

1. EXECUTIVE SUMMARY

CVSS v3 8.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSOFT Update Manager
Vulnerabilities: Integer Underflow (Wrap or Wraparound), Protection Mechanism Failure

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, disclose information, alter information, or cause a denial-of-service (DoS) condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric MELSOFT Update Manager are affected:

MELSOFT Update Manager SW1DND-UDM-M: Versions 1.000A to 1.012N

3.2 VULNERABILITY OVERVIEW
3.2.1 INTEGER UNDERFLOW (WRAP OR WRAPAROUND) CWE-191
Mitsubishi Electric MELSOFT Update Manager is vulnerable to an Integer Underflow vulnerability in 7-zip, included in MELSOFT Update Manager, that could allow a remote attacker to execute arbitrary code by decompressing a specially crafted compressed file. As a result, the attacker may disclose, tamper with information, or cause a denial-of-service (DoS) condition on the product.
CVE-2024-11477 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.2.2 PROTECTION MECHANISM FAILURE CWE-693
Mitsubishi Electric MELSOFT Update Manager is vulnerable to a Protection Mechanism Failure vulnerability in 7-zip, included in MELSOFT Update Manager, that could allow an attacker to execute arbitrary code by decompressing a specially crafted compressed file. As a result, the attacker may disclose, tamper with information, or cause a denial-of-service (DoS) condition on the product.
CVE-2025-0411 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
Mitsubishi Electric reported these vulnerabilities to CISA.
4. MITIGATIONS
Mitsubishi Electric recommends users take the following actions to minimize the risk of exploiting these vulnerabilities.
For users in Japan:

Download version 1.013P or later from the download site below and follow the update procedure below (Note). Additionally, please verify the authenticity of the following download site in advance.
Download Site (in Japanese)

Update Procedure:

Extract the downloaded file (in zip format).
Run “setup.exe” in the extracted folder to install.
Note: If you are using MELSOFT Update Manager version 1.012N and prior, please do not connect to the internet until the above update is complete. There is a risk that these vulnerabilities could be exploited.

For users outside Japan:

For information about how to install the fixed version, please contact your local Mitsubishi Electric representative.

For users who cannot immediately update the product, Mitsubishi Electric recommends the following mitigation measures to minimize the risk of exploiting these vulnerabilities.

Use the PC with the affected product within the LAN and block remote logins from untrusted networks, hosts, and users.
When connecting the PC with the affected product to the internet, use a firewall, virtual private network (VPN), etc. to prevent unauthorized access and allow only trusted users to remote login.
Restrict physical access to the PC with the affected product and to the network to which the PC is connected, to prevent unauthorized physical access.
Do not click on web links in emails from untrusted sources. Also, do not open attachments in untrusted emails.
Install antivirus software on the PC with the affected product.

For more information, see Mitsubishi Electric 2025-006.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.
5. UPDATE HISTORY

July 3, 2025: Initial Republication of Mitsubishi Electric 2025-006 

Mitsubishi Electric MELSEC iQ-F Series

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Mitsubishi Electric Corporation
Equipment: MELSEC iQ-F Series
Vulnerability: Overly Restrictive Account Lockout Mechanism

2. RISK EVALUATION
Successful exploitation of this vulnerability could result in a denial-of-service condition for legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. When the product repeatedly receives unauthorized logins from an attacker, legitimate users will be unable to be authenticated until a certain period has passed after the lockout or until the product is reset.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of MELSEC iQ-F Series are affected:

FX5U-32MT/ES: All versions
FX5U-32MT/DS: All versions
FX5U-32MT/ESS: All versions
FX5U-32MT/DSS: All versions
FX5U-32MR/ES: All versions
FX5U-32MR/DS: All versions
FX5U-64MT/ES: All versions
FX5U-64MT/DS: All versions
FX5U-64MT/ESS: All versions
FX5U-64MT/DSS: All versions
FX5U-64MR/ES: All versions
FX5U-64MR/DS: All versions
FX5U-80MT/ES: All versions
FX5U-80MT/DS: All versions
FX5U-80MT/ESS: All versions
FX5U-80MT/DSS: All versions
FX5U-80MR/ES: All versions
FX5U-80MR/DS: All versions
FX5UC-32MT/D: All versions
FX5UC-32MT/DSS: All versions
FX5UC-64MT/D: All versions
FX5UC-64MT/DSS: All versions
FX5UC-96MT/D: All versions
FX5UC-96MT/DSS: All versions
FX5UC-32MT/DS-TS: All versions
FX5UC-32MT/DSS-TS: All versions
FX5UC-32MR/DS-TS: All versions
FX5UJ-24MT/ES: All versions
FX5UJ-24MT/DS: All versions
FX5UJ-24MT/ESS: All versions
FX5UJ-24MT/DSS: All versions
FX5UJ-24MR/ES: All versions
FX5UJ-24MR/DS: All versions
FX5UJ-40MT/ES: All versions
FX5UJ-40MT/DS: All versions
FX5UJ-40MT/ESS: All versions
FX5UJ-40MT/DSS: All versions
FX5UJ-40MR/ES: All versions
FX5UJ-40MR/DS: All versions
FX5UJ-60MT/ES: All versions
FX5UJ-60MT/DS: All versions
FX5UJ-60MT/ESS: All versions
FX5UJ-60MT/DSS: All versions
FX5UJ-60MR/ES: All versions
FX5UJ-60MR/DS: All versions
FX5UJ-24MT/ES-A: All versions
FX5UJ-24MR/ES-A: All versions
FX5UJ-40MT/ES-A: All versions
FX5UJ-40MR/ES-A: All versions
FX5UJ-60MT/ES-A: All versions
FX5UJ-60MR/ES-A: All versions
FX5S-30MT/ES: All versions
FX5S-30MT/DS: All versions
FX5S-30MT/ESS: All versions
FX5S-30MT/DSS: All versions
FX5S-30MR/ES: All versions
FX5S-30MR/DS: All versions
FX5S-40MT/ES: All versions
FX5S-40MT/DS: All versions
FX5S-40MT/ESS: All versions
FX5S-40MT/DSS: All versions
FX5S-40MR/ES: All versions
FX5S-40MR/DS: All versions
FX5S-60MT/ES: All versions
FX5S-60MT/DS: All versions
FX5S-60MT/ESS: All versions
FX5S-60MT/DSS: All versions
FX5S-60MR/ES: All versions
FX5S-60MR/DS: All versions
FX5S-80MT/ES: All versions
FX5S-80MT/ESS: All versions
FX5S-80MR/ES: All versions
FX5-CCLGN-MS: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 OVERLY RESTRICTIVE ACCOUNT LOCKOUT MECHANISM CWE-645
A denial-of-service (DoS) vulnerability exists in the MELSEC iQ-F series due to an overly restrictive account lockout mechanism. A remote attacker could lock out a legitimate user for a certain period of time by repeatedly attempting to log in with an incorrect password.
CVE-2025-5241 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2025-5241. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
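An added illustration (not code from the advisory or from Mitsubishi Electric) of why a lockout keyed only on the account denies service to the legitimate user, and why filtering untrusted hosts in front of the login keeps them away from the failure counter. The threshold, lockout duration, class names and addresses are assumptions, and the login events are constructed.

```python
import ipaddress
from collections import defaultdict

MAX_FAILURES = 3    # assumed failure threshold
LOCK_SECONDS = 300  # assumed lockout duration


class AccountLockout:
    """CWE-645 pattern: failures from ANY source lock the account for everyone."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked_until = {}

    def attempt(self, now, account, source, password_ok):
        if self.locked_until.get(account, 0) > now:
            return "locked"  # even the correct password is refused
        if password_ok:
            self.failures[account] = 0
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCK_SECONDS
            self.failures[account] = 0
        return "denied"


class SourceThrottle:
    """Design alternative: penalise the (account, source) pair with a capped
    backoff, so failures from one host do not block logins from other hosts."""

    def __init__(self):
        self.failures = defaultdict(int)
        self.blocked_until = {}

    def attempt(self, now, account, source, password_ok):
        key = (account, source)
        if self.blocked_until.get(key, 0) > now:
            return "throttled"
        if password_ok:
            self.failures.pop(key, None)
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            steps = min(self.failures[key] - MAX_FAILURES, 5)
            self.blocked_until[key] = now + min(LOCK_SECONDS, 10 * 2 ** steps)
        return "denied"


class IpFilter:
    """Network allowlist in front of a login policy: attempts from hosts
    outside the allowed networks never reach the failure counter."""

    def __init__(self, inner, allowed_networks):
        self.inner = inner
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]

    def attempt(self, now, account, source, password_ok):
        addr = ipaddress.ip_address(source)
        if not any(addr in net for net in self.allowed):
            return "dropped"
        return self.inner.attempt(now, account, source, password_ok)


# Constructed events: (time in seconds, source address, password correct?)
EVENTS = [
    (0, "203.0.113.50", False),    # untrusted host, wrong password
    (1, "203.0.113.50", False),
    (2, "203.0.113.50", False),
    (10, "192.168.10.20", True),   # legitimate engineer, correct password
    (400, "192.168.10.20", True),  # same engineer after the lockout window
]


def replay(policy, events=EVENTS, account="engineer"):
    """Feed the events to a policy and return the outcome of each attempt."""
    return [policy.attempt(t, account, src, ok) for t, src, ok in events]


if __name__ == "__main__":
    policies = {
        "account lockout": AccountLockout(),
        "per-source throttle": SourceThrottle(),
        "account lockout behind IP filter": IpFilter(AccountLockout(), ["192.168.10.0/24"]),
    }
    for name, policy in policies.items():
        print(f"{name:34s} {replay(policy)}")
```

Per-source throttling alone does not stop guessing spread across many hosts, so it complements a network allowlist rather than replacing it.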
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
Thai Do, Minh Pham, Quan Le, and Loc Nguyen of OPSWAT Unit 515 reported this vulnerability to Mitsubishi Electric.
4. MITIGATIONS
Mitsubishi Electric Corporation has stated there are no plans to release a fixed version. Implement the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Restrict physical access to the affected products and the LAN that is connected to them.
Use IP filter function to block access from untrusted hosts.

NOTE: For details on the IP filter function, please refer to the following manual for each product.
“13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication)
“4.5 Security” in the MELSEC iQ-F FX5 CC-Link IE TSN Master/Local Module User’s Manual

Mitsubishi Electric Corporation recommends downloading the manual from the following Mitsubishi Electric Website.
See Mitsubishi Electric’s security bulletin for more information.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
When remote access is required, use more secure methods, such as VPNs, recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

July 3, 2025: Initial Republication of Mitsubishi Electric 2025-005 

Hitachi Energy Relion 670/650 and SAM600-IO Series

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Relion 670/650 and SAM600-IO series
Vulnerability: Improper Check for Unusual or Exceptional Conditions

2. RISK EVALUATION
An authenticated user with file access privilege via FTP access can cause the Relion 670/650 and SAM600-IO series device to reboot due to improper disk space management.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:

Hitachi Energy Relion 650: version 1.0.0 up to and not including 2.0.0
Hitachi Energy Relion 650: version 2.1.0 up to 2.2.0
Hitachi Energy Relion 650: version 2.2.0 up to 2.2.0.13
Hitachi Energy Relion 650: version 2.2.1.0 up to and including 2.2.1.8
Hitachi Energy Relion 650: version 2.2.4.0 up to and including 2.2.4.5
Hitachi Energy Relion 650: version 2.2.5.0 up to and including 2.2.5.7
Hitachi Energy Relion 650: version 2.2.6.0 up to and including 2.2.6.3
Hitachi Energy Relion 670: version 1.0.0 up to 2.0.0
Hitachi Energy Relion 670: version 2.0.0 up to 2.1.0
Hitachi Energy Relion 670: version 2.1.0 up to 2.2.0
Hitachi Energy Relion 670: version 2.2.0 up to and including 2.2.0.13
Hitachi Energy Relion 670: version 2.2.1.0 up to and including 2.2.1.8
Hitachi Energy Relion 670: version 2.2.2.0 up to and including 2.2.2.6
Hitachi Energy Relion 670: version 2.2.3.0 up to and including 2.2.3.7
Hitachi Energy Relion 670: version 2.2.4.0 up to and including 2.2.4.5
Hitachi Energy Relion 670: version 2.2.5.0 up to and including 2.2.5.7
Hitachi Energy Relion 670: version 2.2.6.0 up to and including 2.2.6.3
Hitachi Energy SAM600-IO: version 2.2.1.0 up to and including 2.2.1.6
Hitachi Energy SAM600-IO: version 2.2.5.0 up to and including 2.2.5.7

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER CHECK FOR UNUSUAL OR EXCEPTIONAL CONDITIONS CWE-754
An authenticated user with file access privilege via FTP access can cause the Relion 670/650 and SAM600-IO series device to reboot due to improper disk space management.
CVE-2025-1718 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-1718. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Hitachi Energy PSIRT reported this vulnerability to CISA.
4. MITIGATIONS
Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

Relion 670 series version 2.2.6 revisions up to 2.2.6.3, Relion 650 series version 2.2.6 revisions up to 2.2.6.3: Update to version 2.2.6.4 (when available) or latest
Relion 670 series version 2.2.5 revisions up to 2.2.5.7, Relion 650 series version 2.2.5 revisions up to 2.2.5.7, SAM600-IO series version 2.2.5 revisions up to 2.2.5.7: Update to version 2.2.5.8 or latest
Relion 670 series version 2.2.6 revisions up to 2.2.6.3, Relion 650 series version 2.2.6 revisions up to 2.2.6.3, Relion 670 series version 2.2.5 revisions up to 2.2.5.7, Relion 650 series version 2.2.5 revisions up to 2.2.5.7, SAM600-IO series version 2.2.5 revisions up to 2.2.5.7: Upgrade to version 2.2.7
All affected products: Apply general mitigation factors

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000174 Cybersecurity Advisory – Reboot Vulnerability in Hitachi Energy Relion 670/650 and SAM600-IO series products.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

July 03, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000174 


Hitachi Energy MicroSCADA X SYS600

1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: MicroSCADA X SYS600
Vulnerabilities: Incorrect Default Permissions, External Control of File Name or Path, Improper Validation of Integrity Check Value, Exposure of Sensitive Information Through Data Queries, Improper Certificate Validation

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to tamper with the system file, overwrite files, create a denial-of-service condition, or leak file content.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:

Hitachi Energy MicroSCADA Pro/X SYS600: version 10.0 up to 10.6 (CVE-2025-39201, CVE-2025-39202, CVE-2025-39204, CVE-2025-39205)
Hitachi Energy MicroSCADA Pro/X SYS600: version 10.5 up to 10.6 (CVE-2025-39203)
Hitachi Energy MicroSCADA Pro/X SYS600: version 10.3 up to 10.6 (CVE-2025-39205)

3.2 VULNERABILITY OVERVIEW
3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276
A vulnerability exists in the mailslot functionality of the MicroSCADA X SYS600 product. If exploited, this could allow a local attacker to tamper with the mailslot configuration file, causing a denial of service for the mailslot-related service.
CVE-2025-39201 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).
A CVSS v4 score has also been calculated for CVE-2025-39201. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:L).
3.2.2 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73
A vulnerability exists in Monitor Pro and Supervision log of the MicroSCADA X SYS600 product. A local, authenticated, low-privilege user can see and overwrite files, causing information leak and data corruption.
CVE-2025-39202 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-39202. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H).
3.2.3 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354
Crafted message content from an IED or remote system can cause a denial of service, resulting in a disconnection loop.
CVE-2025-39203 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-39203. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).
3.2.4 EXPOSURE OF SENSITIVE INFORMATION THROUGH DATA QUERIES CWE-202
A filtering query in MicroSCADA X SYS600 can be malformed so that the returned data leaks any file content.
CVE-2025-39204 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-39204. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).
3.2.5 IMPROPER CERTIFICATE VALIDATION CWE-295
A vulnerability exists in the MicroSCADA X SYS600 certificate validation system. The TLS protocol allowed a remote man-in-the-middle attack because it granted too many permissions.
CVE-2025-39205 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-39205. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Hitachi Energy PSIRT reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

(CVE-2025-39201, CVE-2025-39202, CVE-2025-39204) Hitachi Energy MicroSCADA X SYS600 versions from 10.0 to 10.6: Update to version 10.7
(CVE-2025-39203) Hitachi Energy MicroSCADA X SYS600 versions from 10.5 to 10.6: Update to version 10.7
(CVE-2025-39205) Hitachi Energy MicroSCADA X SYS600 versions from 10.3 to 10.6: Update to version 10.7

The following product versions have been fixed:

MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39201
MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39202
MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39203
MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39204
MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39205

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000218 Cybersecurity Advisory – Multiple vulnerabilities in Hitachi Energy MicroSCADA Pro/X SYS600 product.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

July 03, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000218. 


CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-6554 Google Chromium V8 Type Confusion Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.  
