Category: CISA Alerts

Hitachi Energy Relion 670, 650 Series and SAM600-IO Product

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Hitachi Energy
Equipment: Relion 670, Relion 650, SAM600-IO
Vulnerabilities: Integer Overflow or Wraparound

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption on the products.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Hitachi Energy reports that the following products are affected:

Relion 670/650/SAM600-IO series: Version 2.2.5 revisions up to 2.2.5.1
Relion 670/650 series: Version 2.2.4 revisions up to 2.2.4.2
Relion 670 series: Version 2.2.3 revisions up to 2.2.3.4
Relion 670 series: Version 2.2.2 revisions up to 2.2.2.4
Relion 670/650/SAM600-IO series: Version 2.2.1 revisions up to 2.2.1.7
Relion 670/650 series version 2.2.0: All revisions
Relion 670/650 series version 2.1: All revisions
Relion 670 series version 2.0: All revisions
Relion 670 series version 1.2: All revisions
Relion 670 series version 1.1: All revisions
Relion 650 series version 1.3: All revisions
Relion 650 series version 1.2: All revisions
Relion 650 series version 1.1: All revisions
Relion 650 series version 1.0: All revisions

3.2 VULNERABILITY OVERVIEW
3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190
In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
CVE-2020-28895 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
3.2.2 INTEGER OVERFLOW OR WRAPAROUND CWE-190
An issue was discovered in Wind River VxWorks 7. The memory al-locator has a possible integer overflow in calculating a memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
CVE-2020-35198 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Hitachi Energy reported these vulnerabilities to CISA.
4. MITIGATIONS
Hitachi Energy has identified the following specific workarounds and mitigations users may apply to reduce risk:

Relion 670 series version 2.2.5 revisions up to 2.2.5.1, Relion 650 series version 2.2.5 revisions up to 2.2.5.1, SAM-IO series version 2.2.5 revisions up to 2.2.5.1: Update to 2.2.5.2 version or latest
Relion 670 series version 2.2.4 revisions up to 2.2.4.2, Relion 650 series version 2.2.4 revisions up to 2.2.4.2: Update to 2.2.4.3 version or latest
Relion 670 series version 2.2.3 revisions up to 2.2.3.4: Update to 2.2.3.5 version or latest
Relion 670 series version 2.2.2 revisions up to 2.2.2.4: Update to 2.2.2.5 version or latest
Relion 670 series version 2.2.1 revisions up to 2.2.1.7, Relion 650 series version 2.2.1 revisions up to 2.2.1.7, SAM-IO series version 2.2.1 revisions up to 2.2.1.7: Update to 2.2.1.8 version or latest
Relion 670 series version 1.1 to 2.2.0 all revisions, Relion 650 series version 1.0 to 2.2.0 all revisions: Refer to the Mitigation Factors/Workaround Section for the current mitigation strategy.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000070 Cybersecurity Advisory – BadAlloc – Memory Allocation Vulnerabilities in Hitachi Energy Relion 670, 650 series and SAM600-IO Product.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 5, 2025: Initial Republication of Hitachi Energy 8DBD000070 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 9.8
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: Relion 670, Relion 650, SAM600-IO
  • Vulnerabilities: Integer Overflow or Wraparound

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption on the products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

  • Relion 670/650/SAM600-IO series: Version 2.2.5 revisions up to 2.2.5.1
  • Relion 670/650 series: Version 2.2.4 revisions up to 2.2.4.2
  • Relion 670 series: Version 2.2.3 revisions up to 2.2.3.4
  • Relion 670 series: Version 2.2.2 revisions up to 2.2.2.4
  • Relion 670/650/SAM600-IO series: Version 2.2.1 revisions up to 2.2.1.7
  • Relion 670/650 series version 2.2.0: All revisions
  • Relion 670/650 series version 2.1: All revisions
  • Relion 670 series version 2.0: All revisions
  • Relion 670 series version 1.2: All revisions
  • Relion 670 series version 1.1: All revisions
  • Relion 650 series version 1.3: All revisions
  • Relion 650 series version 1.2: All revisions
  • Relion 650 series version 1.1: All revisions
  • Relion 650 series version 1.0: All revisions

3.2 VULNERABILITY OVERVIEW

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190

In Wind River VxWorks, memory allocator has a possible overflow in calculating the memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2020-28895 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

3.2.2 INTEGER OVERFLOW OR WRAPAROUND CWE-190

An issue was discovered in Wind River VxWorks 7. The memory al-locator has a possible integer overflow in calculating a memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.

CVE-2020-35198 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users may apply to reduce risk:

  • Relion 670 series version 2.2.5 revisions up to 2.2.5.1, Relion 650 series version 2.2.5 revisions up to 2.2.5.1, SAM-IO series version 2.2.5 revisions up to 2.2.5.1: Update to 2.2.5.2 version or latest
  • Relion 670 series version 2.2.4 revisions up to 2.2.4.2, Relion 650 series version 2.2.4 revisions up to 2.2.4.2: Update to 2.2.4.3 version or latest
  • Relion 670 series version 2.2.3 revisions up to 2.2.3.4: Update to 2.2.3.5 version or latest
  • Relion 670 series version 2.2.2 revisions up to 2.2.2.4: Update to 2.2.2.5 version or latest
  • Relion 670 series version 2.2.1 revisions up to 2.2.1.7, Relion 650 series version 2.2.1 revisions up to 2.2.1.7, SAM-IO series version 2.2.1 revisions up to 2.2.1.7: Update to 2.2.1.8 version or latest
  • Relion 670 series version 1.1 to 2.2.0 all revisions, Relion 650 series version 1.0 to 2.2.0 all revisions: Refer to the Mitigation Factors/Workaround Section for the current mitigation strategy.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000070 Cybersecurity Advisory – BadAlloc – Memory Allocation Vulnerabilities in Hitachi Energy Relion 670, 650 series and SAM600-IO Product.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • June 5, 2025: Initial Republication of Hitachi Energy 8DBD000070

 Read More

CyberData 011209 SIP Emergency Intercom

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: CyberData
Equipment: 011209 SIP Emergency Intercom
Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Missing Authentication for Critical Function, SQL Injection, Insufficiently Protected Credentials, Path Traversal: ‘…/…//’

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, cause a denial-of-service condition, or achieve code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following CyberData products are affected:

011209 SIP Emergency Intercom: Versions prior to 22.0.1

3.2 VULNERABILITY OVERVIEW
3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288
011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.
CVE-2025-30184 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-30184. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Missing Authentication for Critical Function CWE-306
011209 Intercom exposes features that could allow an unauthenticated to gain access and cause a denial-of-service condition or system disruption.
CVE-2025-26468 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-26468. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.3 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89
011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.
CVE-2025-30507 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-30507. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.4 Insufficiently Protected Credentials CWE-522
011209 Intercom does not properly store or protect web server admin credentials.
CVE-2025-30183 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-30183. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.5 Path Traversal: ‘…/…//’ CWE-35
011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.
CVE-2025-30515 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-30515. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Communications, Emergency Services, Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Vera Mens of Claroty Team82 reported these vulnerabilities to CISA.
4. MITIGATIONS
CyberData recommends users update to v22.0.1
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 5, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: CyberData
  • Equipment: 011209 SIP Emergency Intercom
  • Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Missing Authentication for Critical Function, SQL Injection, Insufficiently Protected Credentials, Path Traversal: ‘…/…//’

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose sensitive information, cause a denial-of-service condition, or achieve code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following CyberData products are affected:

  • 011209 SIP Emergency Intercom: Versions prior to 22.0.1

3.2 VULNERABILITY OVERVIEW

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

011209 Intercom could allow an unauthenticated user access to the Web Interface through an alternate path.

CVE-2025-30184 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30184. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Missing Authentication for Critical Function CWE-306

011209 Intercom exposes features that could allow an unauthenticated to gain access and cause a denial-of-service condition or system disruption.

CVE-2025-26468 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-26468. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) CWE-89

011209 Intercom could allow an unauthenticated user to gather sensitive information through blind SQL injections.

CVE-2025-30507 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30507. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 Insufficiently Protected Credentials CWE-522

011209 Intercom does not properly store or protect web server admin credentials.

CVE-2025-30183 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30183. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Path Traversal: ‘…/…//’ CWE-35

011209 Intercom could allow an authenticated attacker to upload arbitrary files to multiple locations within the system.

CVE-2025-30515 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30515. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Communications, Emergency Services, Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Vera Mens of Claroty Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

CyberData recommends users update to v22.0.1

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • June 5, 2025: Initial Publication

 Read More

Updated Guidance on Play Ransomware

Posted on by itwadmin-security

 ​CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued an updated advisory on Play ransomware, also known as Playcrypt. This advisory highlights new tactics, techniques, and procedures used by the Play ransomware group and provides updated indicators of compromise (IOCs) to enhance threat detection.
Since June 2022, Playcrypt has targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025.
Recommended mitigations include:

Implementing multifactor authentication;
Maintaining offline data backups;
Developing and testing a recovery plan; and
Keeping all operating systems, software, and firmware updated.

Stay vigilant and take proactive measures to protect your organization.  

CISA, the Federal Bureau of Investigation (FBI), and the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) have issued an updated advisory on Play ransomware, also known as Playcrypt. This advisory highlights new tactics, techniques, and procedures used by the Play ransomware group and provides updated indicators of compromise (IOCs) to enhance threat detection.

Since June 2022, Playcrypt has targeted diverse businesses and critical infrastructure across North America, South America, and Europe, becoming one of the most active ransomware groups in 2024. The FBI has identified approximately 900 entities allegedly exploited by these ransomware actors as of May 2025.

Recommended mitigations include:

  • Implementing multifactor authentication;
  • Maintaining offline data backups;
  • Developing and testing a recovery plan; and
  • Keeping all operating systems, software, and firmware updated.

Stay vigilant and take proactive measures to protect your organization. 

 Read More

CISA Adds Three Known Exploited Vulnerabilities to Catalog

Posted on by itwadmin-security

 ​CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2025-21479 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
  • CVE-2025-21480 Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
  • CVE-2025-27038 Qualcomm Multiple Chipsets Use-After-Free Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

 Read More

Mitsubishi Electric MELSEC iQ-F Series

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v3 9.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Mitsubishi Electric
Equipment: MELSEC iQ-F Series
Vulnerability: Improper Validation of Specified Index, Position, or Offset in Input

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to read confidential information, cause a denial-of-service condition, or stop operations by sending specially crafted packets.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric MELSEC iQ-F Series are affected. Products with [Note *1] are sold in limited regions:

FX5U-xMy/z x=32, 64, 80, y=T, R, z=ES,DS, ESS, DSS: All versions
FX5UC-xMy/z x=32, 64, 96, y=T, z=D, DSS: All versions
FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions
FX5UJ-xMy/z x=24, 40, 60, y=T, R, z=ES,DS,ESS,DSS: All versions
FX5UJ-xMy/ES-A[Note *1] x=24, 40, 60, y=T, R: All versions
FX5S-xMy/z x=30, 40, 60, 80[Note *1], y=T, R, z= ES,DS,ESS,DSS: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER VALIDATION OF SPECIFIED INDEX, POSITION, OR OFFSET IN INPUT CWE-1285
This vulnerability allows a remote attacker to read information in the product, cause a Denial-of-Service (DoS) condition in MELSOFT connection communication with Mitsubishi Electric FA products such as GX Works3 and GOT, or stop the operation of the CPU module (causing a DoS condition on the CPU module), by sending specially crafted packets. The product is needed to reset for recovery.
CVE-2025-3755 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER
Mitsubishi Electric reported this vulnerability to CISA.
4. MITIGATIONS
Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
Use within a LAN and block access from untrusted networks and hosts through firewalls.
Use IP filter function to block access from untrusted hosts.
Restrict physical access to the affected products and the LAN that is connected by them.

For details on the IP filter function, please refer to the following manual for each product.”13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication)Please download the manual from the following URL: https://www.mitsubishielectric.com/fa/download/index.html
For more information, see Mitsubishi Electric advisory 2025-003.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 3, 2025: Initial Republication of Mitsubishi Electric 2025-003 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 9.1
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: MELSEC iQ-F Series
  • Vulnerability: Improper Validation of Specified Index, Position, or Offset in Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to read confidential information, cause a denial-of-service condition, or stop operations by sending specially crafted packets.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric MELSEC iQ-F Series are affected. Products with [Note *1] are sold in limited regions:

  • FX5U-xMy/z x=32, 64, 80, y=T, R, z=ES,DS, ESS, DSS: All versions
  • FX5UC-xMy/z x=32, 64, 96, y=T, z=D, DSS: All versions
  • FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions
  • FX5UJ-xMy/z x=24, 40, 60, y=T, R, z=ES,DS,ESS,DSS: All versions
  • FX5UJ-xMy/ES-A[Note *1] x=24, 40, 60, y=T, R: All versions
  • FX5S-xMy/z x=30, 40, 60, 80[Note *1], y=T, R, z= ES,DS,ESS,DSS: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF SPECIFIED INDEX, POSITION, OR OFFSET IN INPUT CWE-1285

This vulnerability allows a remote attacker to read information in the product, cause a Denial-of-Service (DoS) condition in MELSOFT connection communication with Mitsubishi Electric FA products such as GX Works3 and GOT, or stop the operation of the CPU module (causing a DoS condition on the CPU module), by sending specially crafted packets. The product is needed to reset for recovery.

CVE-2025-3755 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  • Use within a LAN and block access from untrusted networks and hosts through firewalls.
  • Use IP filter function to block access from untrusted hosts.
  • Restrict physical access to the affected products and the LAN that is connected by them.

For details on the IP filter function, please refer to the following manual for each product.
“13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication)
Please download the manual from the following URL: https://www.mitsubishielectric.com/fa/download/index.html

For more information, see Mitsubishi Electric advisory 2025-003.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • June 3, 2025: Initial Republication of Mitsubishi Electric 2025-003

 Read More

CISA Releases Three Industrial Control Systems Advisories

Posted on by itwadmin-security

 ​CISA released three Industrial Control Systems (ICS) advisories on June 3, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-153-01 Schneider Electric Wiser Home Automation
ICSA-25-153-02 Schneider Electric EcoStruxure Power Build Rapsody
ICSA-25-153-03 Mitsubishi Electric MELSEC iQ-F Series

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released three Industrial Control Systems (ICS) advisories on June 3, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

Schneider Electric EcoStruxure Power Build Rapsody

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 4.6
ATTENTION: Low attack complexity
Vendor: Schneider Electric
Equipment: EcoStruxure Power Build Rapsody
Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution on the affected device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Schneider Electric product is affected:

EcoStruxure Power Build Rapsody: v2.7.12 FR and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121
Stack-based Buffer Overflow vulnerability exists that could cause local attackers being able to exploit these issues to potentially execute arbitrary code while the end user opens a malicious project file (SSD file) provided by the attacker.
CVE-2025-3916 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-3916. A base score of 4.6 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Michael Heinzl reported this vulnerability to Schneider Electric.Schneider Electric reported this vulnerability to CISA.
4. MITIGATIONS
Schneider Electric recommends users take the following actions:

Update to Version v2.8.1 FR of EcoStruxure Power Build-Rapsody, which includes a fix for this vulnerability. Reboot after installing the new version.

Additionally, Schneider Electric recommends that if users choose not to apply the remediation provided above, the following mitigations should be applied immediately to reduce the risk of exploitation:

Store the project files in a secure storage and restrict access to only trusted users.
When exchanging files over the network, use secure communication protocols.
Encrypt project files when stored.
Only open project files received from trusted sources.
Compute a hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.
Harden the workstation running EcoStruxure™ Power Build Rapsody.
To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/en/work/support/cybersecurity/security-notifications.jsp

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

June 3, 2025: Initial Republication of Schneider Electric SEVD-2025-133-03 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 4.6
  • ATTENTION: Low attack complexity
  • Vendor: Schneider Electric
  • Equipment: EcoStruxure Power Build Rapsody
  • Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to achieve arbitrary code execution on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric product is affected:

  • EcoStruxure Power Build Rapsody: v2.7.12 FR and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Stack-based Buffer Overflow vulnerability exists that could cause local attackers being able to exploit these issues to potentially execute arbitrary code while the end user opens a malicious project file (SSD file) provided by the attacker.

CVE-2025-3916 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-3916. A base score of 4.6 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to Schneider Electric.
Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends users take the following actions:

  • Update to Version v2.8.1 FR of EcoStruxure Power Build-Rapsody, which includes a fix for this vulnerability. Reboot after installing the new version.

Additionally, Schneider Electric recommends that if users choose not to apply the remediation provided above, the following mitigations should be applied immediately to reduce the risk of exploitation:

  • Store the project files in a secure storage and restrict access to only trusted users.
  • When exchanging files over the network, use secure communication protocols.
  • Encrypt project files when stored.
  • Only open project files received from trusted sources.
  • Compute a hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.
  • Harden the workstation running EcoStruxure™ Power Build Rapsody.
  • To ensure you are informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/en/work/support/cybersecurity/security-notifications.jsp

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • June 3, 2025: Initial Republication of Schneider Electric SEVD-2025-133-03

 Read More

Schneider Electric Wiser Home Automation

Posted on by itwadmin-security

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Wiser AvatarOn 6K Freelocate, Wiser Cuadro H 5P Socket
Vulnerability: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to inject code or bypass authentication.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Schneider Electric products are affected:

Wiser AvatarOn 6K Freelocate: All versions
Wiser Cuadro H 5P Socket: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) CWE-120
Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Out-of-bounds Write, Download of Code Without Integrity Check vulnerability in Silicon Labs Gecko Bootloader on ARM (Firmware Update File Parser modules) allows Code Injection, Authentication Bypass. This issue affects “Standalone” and “Application” versions of Gecko Bootloader.
CVE-2023-4041 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-4041. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Schneider Electric reported this vulnerability to CISA.
4. MITIGATIONS
The Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket products have reached their end of life and are no longer supported. Users should immediately either disable the firmware update in the Zigbee Trust Center or remove the products from service to reduce the risk of exploitation.
To stay informed about all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/en/work/support/cybersecurity/securitynotifications.jsp
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 3, 2025: Initial Republication of Schneider Electric SEVD-2025-133-02 

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Wiser AvatarOn 6K Freelocate, Wiser Cuadro H 5P Socket
  • Vulnerability: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject code or bypass authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Schneider Electric products are affected:

  • Wiser AvatarOn 6K Freelocate: All versions
  • Wiser Cuadro H 5P Socket: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) CWE-120

Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Out-of-bounds Write, Download of Code Without Integrity Check vulnerability in Silicon Labs Gecko Bootloader on ARM (Firmware Update File Parser modules) allows Code Injection, Authentication Bypass. This issue affects “Standalone” and “Application” versions of Gecko Bootloader.

CVE-2023-4041 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-4041. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

The Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket products have reached their end of life and are no longer supported. Users should immediately either disable the firmware update in the Zigbee Trust Center or remove the products from service to reduce the risk of exploitation.

To stay informed about all updates, including details on affected products and remediation plans, subscribe to Schneider Electric’s security notification service here: https://www.se.com/en/work/support/cybersecurity/securitynotifications.jsp

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • June 3, 2025: Initial Republication of Schneider Electric SEVD-2025-133-02

 Read More

CISA Adds Five Known Exploited Vulnerabilities to Catalog

Posted on by itwadmin-security

 ​CISA added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability
CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability
CVE-2024-56145 Craft CMS Code Injection Vulnerability
CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability
CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Please share your thoughts with us through our anonymous survey. We appreciate your feedback. 

CISA added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2021-32030 ASUS Routers Improper Authentication Vulnerability
  • CVE-2023-39780 ASUS RT-AX55 Routers OS Command Injection Vulnerability
  • CVE-2024-56145 Craft CMS Code Injection Vulnerability
  • CVE-2025-3935 ConnectWise ScreenConnect Improper Authentication Vulnerability
  • CVE-2025-35939 Craft CMS External Control of Assumed-Immutable Web Parameter Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Please share your thoughts with us through our anonymous survey. We appreciate your feedback.

 Read More

Siemens SiPass Integrated

Posted on by itwadmin-security

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SiPass integrated
Vulnerability: Out-of-bounds Read

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

SiPass integrated: Versions prior to V2.95.3.18

3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS READ CWE-125
Affected server applications contain an out of bounds read past the end of an allocated buffer while checking the integrity of incoming packets. This could allow an unauthenticated remote attacker to create a denial of service condition.
CVE-2022-31812 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2022-31812. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Airbus Security reported this vulnerability to Siemens.Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SiPass integrated: Update to V2.95.3.18 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-041082 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

May 29, 2025: Initial Republication of Siemens Security Advisory SSA-041082 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SiPass integrated
  • Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • SiPass integrated: Versions prior to V2.95.3.18

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

Affected server applications contain an out of bounds read past the end of an allocated buffer while checking the integrity of incoming packets. This could allow an unauthenticated remote attacker to create a denial of service condition.

CVE-2022-31812 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-31812. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Airbus Security reported this vulnerability to Siemens.
Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-041082 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 29, 2025: Initial Republication of Siemens Security Advisory SSA-041082

 Read More

Scroll to Top