SDG Technologies PnPSCADA

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: SDG Technologies
Equipment: PnPSCADA
Vulnerability: Missing Authorization

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of SDG Technologies PnPSCADA, a web-based SCADA HMI, are affected:

PnPSCADA: Versions prior to 4

3.2 Vulnerability Overview
3.2.1 MISSING AUTHORIZATION CWE-862
SDG Technologies PnPSCADA allows a remote attacker to attach various entities without requiring system authentication. This breach could potentially lead to unauthorized control, data manipulation, and access to sensitive information within the SCADA system.
CVE-2024-2882 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-2882. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy, Water and Wastewater Systems, Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Africa

3.4 RESEARCHER
Momen Eldawakhly of Samurai Digital Security Ltd reported this vulnerability to CISA.
4. MITIGATIONS
SDG Technologies recommends that users use the updated PnPSCADA 4.
For more information about PnPSCADA 4 contact SDG Technologies.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 27, 2025: Initial Publication 

Johnson Controls Illustra Essentials Gen 4

1. EXECUTIVE SUMMARY

CVSS v3 6.8
ATTENTION: Exploitable remotely
Vendor: Johnson Controls, Inc.
Equipment: Illustra Essentials Gen 4
Vulnerability: Storing Passwords in a Recoverable Format

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an authenticated user to recover credentials for other Linux users.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Johnson Controls reports that the following versions of Illustra Essentials Gen 4, an IP camera, are affected:

Illustra Essentials Gen 4: versions up to Illustra.Ess4.01.02.10.5982

3.2 Vulnerability Overview
3.2.1 Storing Passwords in a Recoverable Format CWE-257
Under certain circumstances, Linux users' credentials may be recovered by an authenticated user.
CVE-2024-32756 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Commercial Facilities, Government Facilities, Transportation Systems, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Ireland

3.4 RESEARCHER
Sam Hanson of Dragos reported this vulnerability to Johnson Controls.
4. MITIGATIONS
Johnson Controls recommends users upgrade camera to Illustra.Ess4.01.02.13.6953
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2024-07 v1.
Aligning with CISA recommendations, Johnson Controls recommends taking steps to minimize risks to all building automation systems.
CISA provides a section for control systems security recommended practices on the ICS web page on us-cert.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Further ICS security notices and product security guidance are located at Johnson Controls’ product security website.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.
5. UPDATE HISTORY

June 27, 2024: Initial Publication 

CISA Adds Three Known Exploited Vulnerabilities to Catalog

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

CVE-2022-24816 GeoSolutionsGroup JAI-EXT Code Injection Vulnerability
CVE-2022-2586 Linux Kernel Use-After-Free Vulnerability
CVE-2020-13965 Roundcube Webmail Cross-Site Scripting (XSS) Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria. 

CISA and Partners Release Guidance for Exploring Memory Safety in Critical Open Source Projects

Today, CISA, in partnership with the Federal Bureau of Investigation, Australian Signals Directorate’s Australian Cyber Security Centre, and Canadian Cyber Security Center, released Exploring Memory Safety in Critical Open Source Projects. This guidance was crafted to provide organizations with findings on the scale of memory safety risk in selected open source software (OSS).
This joint guidance builds on the guide The Case for Memory Safe Roadmaps by providing a starting point for software manufacturers to create memory safe roadmaps, including plans to address memory safety in external dependencies which commonly include OSS. Exploring Memory Safety in Critical Open Source Projects also aligns with the 2023 National Cybersecurity Strategy and corresponding implementation plan, which discusses investing in memory safety and collaborating with the open source community—including the establishment of the interagency Open Source Software Security Initiative (OS3I) and investment in memory-safe programming languages.
CISA encourages all organizations and software manufacturers to review the methodology and results found in the guidance to:

Reduce memory safety vulnerabilities;
Make secure and informed choices;
Understand the memory-unsafety risk in OSS;
Evaluate approaches to reducing this risk; and
Continue efforts to drive risk-reducing action by software manufacturers.

To learn more about taking a top-down approach to developing secure products, visit CISA’s Secure by Design webpage. 

CISA Releases Two Industrial Control Systems Advisories

CISA released two Industrial Control Systems (ICS) advisories on June 25, 2024. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-24-177-01 ABB Ability System 800xA
ICSA-24-177-02 PTC Creo Elements/Direct License Server

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations. 

ABB Ability System 800xA

1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Low attack complexity
Vendor: ABB
Equipment: 800xA Base
Vulnerabilities: Improper Input Validation

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could cause services to crash and restart.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ABB reports that the vulnerability only affects 800xA services in PC-based client/server nodes. Controllers are not affected by this vulnerability:

ABB 800xA Base: versions 6.1.1-2 and prior

3.2 Vulnerability Overview
3.2.1 Improper Input Validation CWE-20
An attacker who successfully exploited this vulnerability could cause services to crash and restart by sending specifically crafted messages.
CVE-2024-3036 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.7 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-3036. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Dams, Energy, Food and Agriculture, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
Uri Sade, Roman Dvorkin, Ariel Harush and Eran Jacob from OTORIO reported these vulnerabilities to ABB.
4. MITIGATIONS
ABB recommends updating to an active product version to obtain the latest corrections. The problem is or will be corrected in the following product versions:

ABB 800xA Base 6.2.0-0 (part of System 800xA 6.2.0.0)
ABB 800xA Base 6.1.1-3 (part of System 800xA 6.1.1.2)
ABB 800xA Base 6.0.3-x (included in next revision)

For more information, please refer to ABB’s Cybersecurity Advisory 7PAA013309.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 25, 2024: Initial Publication 

PTC Creo Elements/Direct License Server

1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: PTC
Equipment: Creo Elements/Direct License Server
Vulnerability: Missing Authorization

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow unauthenticated remote attackers to execute arbitrary OS commands.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
PTC reports that the following versions of Creo Elements/Direct License Server are affected; note that this vulnerability does not impact “Creo License server”:

Creo Elements/Direct License Server: Version 20.7.0.0 and prior

3.2 Vulnerability Overview
3.2.1 Missing Authorization CWE-122
Creo Elements Direct License Server exposes a web interface which can be used by unauthenticated remote attackers to execute arbitrary OS commands on the server.
CVE-2024-6071 has been assigned to this vulnerability. A CVSS v3.1 base score of 10.0 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-6071. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Thomas Riedmaier of Siemens Energy reported this vulnerability to PTC.
4. MITIGATIONS
PTC recommends that users upgrade to Creo Elements/Direct License Server 20.7.0.1 or higher version:

Creo Elements/Direct Drafting
Creo Elements/Direct Model/Drawing Mgr
Creo Elements/Direct Modeling
Creo Elements/Direct WorkManager

If additional questions remain, please contact PTC Technical Support.
For more information, see PTC’s CS article.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 25, 2024: Initial Publication 


Juniper Networks Releases Security Bulletin for Juniper Secure Analytics

Juniper Networks released a security bulletin to address multiple vulnerabilities affecting Juniper Secure Analytics optional applications. A cyber threat actor could exploit one of these vulnerabilities to take control of an affected system.
Users and administrators are encouraged to review the following and apply the necessary updates:

Juniper Security Bulletin JSA82681 


CISA Releases Guidance on Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses (SMBs)

Today, CISA released Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities, a detailed report exploring challenges to SSO adoption by small and medium-sized businesses (SMBs). The report also identifies potential ways to overcome these challenges and improve an SMB’s level of security.
CISA also released a related blog post, Why SMBs Don’t Deploy Single Sign-On (SSO), urging software manufacturers to consider how their business practices may inadvertently reduce the security posture of their customers.
For more information, visit CISA’s Secure by Design webpage. To learn more about identity and access management, visit Identity, Credential, and Access Management (ICAM). 


CAREL Boss-Mini

1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: CAREL
Equipment: Boss-Mini
Vulnerability: Path Traversal

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to manipulate an argument path, which would lead to information disclosure.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of CAREL Boss-Mini, a local supervisor solution, are affected:

Boss-Mini: Version 1.4.0 (Build 6221)

3.2 Vulnerability Overview
Under certain conditions, a malicious actor already present in the same network segment as the affected product could abuse Local File Inclusion (LFI) techniques to access unauthorized file system resources, such as configuration files, password files, system logs, or other sensitive data. This could expose confidential information and potentially lead to further threats.
CVE-2023-3643 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-3643. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Italy

3.4 RESEARCHER
Werley Ferreira, Anderson Cezar, and João Luz reported this vulnerability to CAREL.
4. MITIGATIONS
CAREL recommends updating to v1.6.0 or later.
If immediate upgrade is not possible, users should consider and implement the following mitigations:

Ensure that default login credentials have been changed.
Use strong, non-compromised passwords (i.e. passwords making use of uppercase and lowercase letters, special characters and numbers).
Ensure the device has been deployed in a segregated internal network as per CAREL’s security recommendations (doc code +030220471 available at carel.com).

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 20, 2024: Initial Publication 
