Category: Security Feeds

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.1
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: Modicon Controllers
Vulnerabilities: Improper Input Validation, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Uncontrolled Resource Consumption

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device or cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:

Modicon Controllers M241: Versions prior to 5.3.12.51
Modicon Controllers M251: Versions prior to 5.3.12.51
Modicon Controllers M262: Versions prior to 5.3.9.18 (CVE-2025-3898, CVE-2025-3117)
Modicon Controllers M258: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)
Modicon Controllers LMC058: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER INPUT VALIDATION CWE-20
An improper input validation vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends an HTTPS request containing invalid data type to the webserver.
CVE-2025-3898 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3898. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists in the Certificates page on the webserver that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.
CVE-2025-3899 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-3899. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).
3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400
An uncontrolled resource consumption vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends a manipulated HTTPS Content-Length header to the webserver.
CVE-2025-3112 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3112. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists impacting PLC system variables that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.
CVE-2025-3905 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-3905. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).
3.2.5 IMPROPER INPUT VALIDATION CWE-20
An improper input validation vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends a special malformed HTTPS request containing improperly formatted body data to the controller.
CVE-2025-3116 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3116. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists impacting configuration file paths that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.
CVE-2025-3117 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-3117. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Loc Nguyen, Dat Phung, Thai Do, Minh Pham of Unit 515, OPSWAT reported these vulnerabilities to Schneider Electric.
4. MITIGATIONS
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Version 5.3.12.51 of Modicon Controllers M241 includes a fix for these vulnerabilities, which can be downloaded here.
Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M241 firmware and perform a reboot.
EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.
Version 5.3.12.51 of Modicon Controllers M251 includes a fix for these vulnerabilities, which can be downloaded here.
Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M251 firmware and perform a reboot.
EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.
(CVE-2025-3898, CVE-2025-3117) Versions from 5.3.9.18 of Modicon Controllers M262 include a fix for these vulnerabilities, which can be downloaded here.
Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M262 firmware and perform a reboot.
EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.
If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:

Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use.
Deactivate the webserver after use when not needed.
Use encrypted communication links.
Set up network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
Use VPN (Virtual Private Networks) tunnels if remote access is required.
The “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provide product specific hardening guidelines.

(CVE-2025-3905, CVE-2025-3116, CVE-2025-3117) Schneider Electric is establishing a remediation plan for all future versions of Modicon M258/LMC058 that will include a fix for these vulnerabilities. Schneider Electric will update SEVD-2025-161-02 when the remediation is available. Until then, users should immediately apply the above mitigations to reduce the risk of exploit.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-161-02 Modicon Controllers M241/M251/M258/LMC058/M262 – SEVD-2025-161-02 PDF Version, Modicon Controllers M241/M251/M258/LMC058/M262 – SEVD-2025-161-02 CSAF Version.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 24, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-161-02 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Modicon Controllers
• Vulnerabilities: Improper Input Validation, Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Uncontrolled Resource Consumption

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Modicon Controllers M241: Versions prior to 5.3.12.51
• Modicon Controllers M251: Versions prior to 5.3.12.51
• Modicon Controllers M262: Versions prior to 5.3.9.18 (CVE-2025-3898, CVE-2025-3117)
• Modicon Controllers M258: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)
• Modicon Controllers LMC058: All versions (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117)

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends an HTTPS request containing invalid data type to the webserver.

CVE-2025-3898 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3898. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists in the Certificates page on the webserver that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.

CVE-2025-3899 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-3899. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).

3.2.3 UNCONTROLLED RESOURCE CONSUMPTION CWE-400

An uncontrolled resource consumption vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends a manipulated HTTPS Content-Length header to the webserver.

CVE-2025-3112 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3112. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists impacting PLC system variables that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.

CVE-2025-3905 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-3905. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

An improper input validation vulnerability exists that could cause a denial-of-service condition when an authenticated malicious user sends a special malformed HTTPS request containing improperly formatted body data to the controller.

CVE-2025-3116 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3116. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists impacting configuration file paths that could cause unvalidated data to be injected by an authenticated malicious user leading to the modification or reading of data in a victim’s browser.

CVE-2025-3117 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-3117. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Loc Nguyen, Dat Phung, Thai Do, Minh Pham of Unit 515, OPSWAT reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Version 5.3.12.51 of Modicon Controllers M241 includes a fix for these vulnerabilities, which can be downloaded here.
• Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M241 firmware and perform a reboot.
• EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.
• Version 5.3.12.51 of Modicon Controllers M251 includes a fix for these vulnerabilities, which can be downloaded here.
• Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M251 firmware and perform a reboot.
• EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.
• (CVE-2025-3898, CVE-2025-3117) Versions from 5.3.9.18 of Modicon Controllers M262 include a fix for these vulnerabilities, which can be downloaded here.
• Use the Controller Assistant feature of EcoStruxure Automation Expert – Motion V24.1 to update the M262 firmware and perform a reboot.
• EcoStruxure Automation Expert – Motion V24.1 is available via the Schneider Electric Software Installer.
• If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
  • Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from public internet or untrusted networks.
  • Ensure usage of user management and password features. User rights are enabled by default and forced to create a strong password at first use.
  • Deactivate the webserver after use when not needed.
  • Use encrypted communication links.
  • Set up network segmentation and implement a firewall to block all unauthorized access to ports 80/HTTP and 443/HTTPS.
  • Use VPN (Virtual Private Networks) tunnels if remote access is required.
  • The “Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment” provide product specific hardening guidelines.
• (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117) Schneider Electric is establishing a remediation plan for all future versions of Modicon M258/LMC058 that will include a fix for these vulnerabilities. Schneider Electric will update SEVD-2025-161-02 when the remediation is available. Until then, users should immediately apply the above mitigations to reduce the risk of exploit.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-161-02 Modicon Controllers M241/M251/M258/LMC058/M262 – SEVD-2025-161-02 PDF Version, Modicon Controllers M241/M251/M258/LMC058/M262 – SEVD-2025-161-02 CSAF Version.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 24, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-161-02

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Kaleris
Equipment: Navis N4
Vulnerabilities: Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to remotely exploit the operating system, achieve remote code execution, or extract sensitive information.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Kaleris Navis N4, a terminal operating system, are affected:

Navis N4: Versions prior to 4.0

3.2 VULNERABILITY OVERVIEW
3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502
Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.
CVE-2025-2566 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2566. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319
Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials.
CVE-2025-5087 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-5087. A base score of 6.0 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Kaleris reported these vulnerabilities to CISA.
4. MITIGATIONS
Kaleris recommends users to implement the following versions or later:

Navis N4: Version 3.1.44+
Navis N4: Version 3.2.26+
Navis N4: Version 3.3.27+
Navis N4: Version 3.4.25+
Navis N4: Version 3.5.18+
Navis N4: Version 3.6.14+
Navis N4: Version 3.7.0+
Navis N4: Version 3.8.0+

If users are unable to update, Kaleris recommends following these mitigations:

If N4 does not need to be exposed to the internet, placing it behind a firewall.
If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: “url-pattern*.jnlp</url-pattern” and “url-pattern/ulc</url-pattern”
The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.
If the Ultra Light Client must be exposed to the Internet, do one of the following:a. Set up a secure VPN connection to allow access for known external parties.b. Set up an authenticated jump system (Citrix, VDI, Etc.).c. Whitelist external allowed IPs. (least secure option)
Additionally, the following controls should be applied:a. Restrict the number of N4 nodes exposed to the internet.b. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.c. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.
Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.
A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.

Kaleris has sent a security advisory to all customers running Kaleris software.
For more information, users should email security@kaleris.com
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 24, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Kaleris
• Equipment: Navis N4
• Vulnerabilities: Deserialization of Untrusted Data, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to remotely exploit the operating system, achieve remote code execution, or extract sensitive information.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Kaleris Navis N4, a terminal operating system, are affected:

• Navis N4: Versions prior to 4.0

3.2 VULNERABILITY OVERVIEW

3.2.1 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server.

CVE-2025-2566 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2566. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials.

CVE-2025-5087 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-5087. A base score of 6.0 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Kaleris reported these vulnerabilities to CISA.

4. MITIGATIONS

Kaleris recommends users to implement the following versions or later:

• Navis N4: Version 3.1.44+
• Navis N4: Version 3.2.26+
• Navis N4: Version 3.3.27+
• Navis N4: Version 3.4.25+
• Navis N4: Version 3.5.18+
• Navis N4: Version 3.6.14+
• Navis N4: Version 3.7.0+
• Navis N4: Version 3.8.0+

If users are unable to update, Kaleris recommends following these mitigations:

• If N4 does not need to be exposed to the internet, placing it behind a firewall.
• If CAP needs to be exposed to the internet, disable the Ultra Light Client on the nodes being exposed. This can be done by blocking the Ultra Light Client URLs in the load balancer or firewall by blocking the following patterns: “url-pattern*.jnlp</url-pattern” and “url-pattern/ulc</url-pattern”
• The Ultra Light Client endpoint can also be disabled on the N4 Cluster node by commenting out relevant code in the web.xml file and restarting the server.
• If the Ultra Light Client must be exposed to the Internet, do one of the following:
  a. Set up a secure VPN connection to allow access for known external parties.
  b. Set up an authenticated jump system (Citrix, VDI, Etc.).
  c. Whitelist external allowed IPs. (least secure option)
• Additionally, the following controls should be applied:
  a. Restrict the number of N4 nodes exposed to the internet.
  b. Ensure that HTTPS is enabled and configured on the filewall/loadbalancer.
  c. Use a reliable third-party party firewall with built in DDOS protection that can detect unwanted intrusions.
• Users are required to implement TLS in their load balancer. The setup for this is included in the Application Security Guide that is provided to all users.
• A final option to consider is upgrading to N4 4.0, where the Ultra Light Client has been fully replaced with the HTML UI.

Kaleris has sent a security advisory to all customers running Kaleris software.

For more information, users should email security@kaleris.com

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 24, 2025: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Low attack complexity
Vendor: Delta Electronics
Equipment: CNCSoft
Vulnerabilities: Out-of-bounds Write

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to execute code within the context of the current process.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Delta Electronics reports the following versions of CNCSoft, a human-machine interface, are affected:

CNCSoft: v1.01.34 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.
CVE-2025-47724 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-47724. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.2 OUT-OF-BOUNDS WRITE CWE-787
Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.
CVE-2025-47725 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-47725. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.3 OUT-OF-BOUNDS WRITE CWE-787
Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.
CVE-2025-47726 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-47726. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.4 OUT-OF-BOUNDS WRITE CWE-787
Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.
CVE-2025-47727 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-47727. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER
Natnael Samson working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.
4. MITIGATIONS
Delta Electronics does not plan to address these vulnerabilities because the A-series CNC products supported by CNCSoft have been discontinued. CNCSoft will be removed from the Delta Download Center. Delta recommends users migrate to newer Delta CNC products along with their corresponding software as soon as possible.
Delta Electronics offers the following general recommendations:

Do not click on untrusted Internet links or open unsolicited email attachments.
Avoid exposing control systems and equipment to the Internet.
Place systems and devices behind a firewall and isolate them from the business network.
When remote access is required, use a secure access method, such as a virtual private network (VPN).

For any product-related support inquiries, contact Delta through the company’s portal page to request any information or materials you may need.
Reference Delta’s product cybersecurity advisory for more information about these vulnerabilities.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

June 24, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.3
• ATTENTION: Low attack complexity
• Vendor: Delta Electronics
• Equipment: CNCSoft
• Vulnerabilities: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code within the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Delta Electronics reports the following versions of CNCSoft, a human-machine interface, are affected:

• CNCSoft: v1.01.34 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.

CVE-2025-47724 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-47724. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 OUT-OF-BOUNDS WRITE CWE-787

Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.

CVE-2025-47725 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-47725. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.

CVE-2025-47726 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-47726. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.4 OUT-OF-BOUNDS WRITE CWE-787

Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process.

CVE-2025-47727 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-47727. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Natnael Samson working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta Electronics does not plan to address these vulnerabilities because the A-series CNC products supported by CNCSoft have been discontinued. CNCSoft will be removed from the Delta Download Center. Delta recommends users migrate to newer Delta CNC products along with their corresponding software as soon as possible.

Delta Electronics offers the following general recommendations:

• Do not click on untrusted Internet links or open unsolicited email attachments.
• Avoid exposing control systems and equipment to the Internet.
• Place systems and devices behind a firewall and isolate them from the business network.
• When remote access is required, use a secure access method, such as a virtual private network (VPN).

For any product-related support inquiries, contact Delta through the company’s portal page to request any information or materials you may need.

Reference Delta’s product cybersecurity advisory for more information about these vulnerabilities.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• June 24, 2025: Initial Publication

 Read More

 ​CISA released eight Industrial Control Systems (ICS) advisories on June 24, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-175-01 Kaleris Navis N4 Terminal Operating System
ICSA-25-175-02 Delta Electronics CNCSoft
ICSA-25-175-03 Schneider Electric Modicon Controllers
ICSA-25-175-04 Schneider Electric EVLink WallBox
ICSA-25-175-05 ControlID iDSecure On-Premises
ICSA-25-175-06 Parsons AccuWeather Widget
ICSA-25-175-07 MICROSENS NMP Web+ 
ICSA-19-029-02 Mitsubishi Electric MELSEC-Q Series PLCs (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released eight Industrial Control Systems (ICS) advisories on June 24, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-175-01 Kaleris Navis N4 Terminal Operating System
• ICSA-25-175-02 Delta Electronics CNCSoft
• ICSA-25-175-03 Schneider Electric Modicon Controllers
• ICSA-25-175-04 Schneider Electric EVLink WallBox
• ICSA-25-175-05 ControlID iDSecure On-Premises
• ICSA-25-175-06 Parsons AccuWeather Widget
• ICSA-25-175-07 MICROSENS NMP Web+
   
• ICSA-19-029-02 Mitsubishi Electric MELSEC-Q Series PLCs (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.6
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Schneider Electric
Equipment: EVLink WallBox
Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to gain remote control of the charging station.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Schneider Electric reports that the following products are affected:

EVLink WallBox: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
An improper limitation of a pathname to a restricted directory (‘path traversal’) vulnerability exists, which could cause arbitrary file writes when an unauthenticated user on the web server manipulates the file path.
CVE-2025-5740 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-5740. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
An improper limitation of a pathname to a restricted directory (‘path traversal’) vulnerability exists, which could cause arbitrary file reads from the charging station. Exploitation of this vulnerability requires an authenticated session of the web server.
CVE-2025-5741 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-5741. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79
An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists when an authenticated user modifies the configuration parameters on the web server.
CVE-2025-5742 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-5742. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).
3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability exists, which could cause remote control of the charging station when an authenticated user modifies configuration parameters on the web server.
CVE-2025-5743 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-5743. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER
Dutch Institute for Vulnerability Disclosure (DIVD) reported these vulnerabilities to Schneider Electric.
4. MITIGATIONS
According to Schneider Electric, EVLink WallBox product has reached its end of life and is no longer supported. Users should also consider upgrading to the replacement product offering EVLink Pro AC to resolve these issues. Users should immediately apply the following mitigations to reduce the risk of exploit:

Firewall Configuration and Logs:

Set up network segmentation and implement a firewall to block all unauthorized access to HTTP ports.
Periodically check the access log.

Password:

Choose a strong password.
Do not share your password.
Change your password periodically .

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-161-03 EVLink WallBox – SEVD-2025-161-03 PDF Version, EVLink WallBox – SEVD-2025-161-03 CSAF Version.
Schneider Electric strongly recommends the following industry cybersecurity best practices.

Passwords should include upper case, lower case, number and special characters, a length of 20 characters is ideal.
A default Admin password must be changed immediately when first received and after a factory reset.
Device should only be used in a personal home network.
Device should not have a publicly accessible IP address.
Do NOT use port forwarding to access a device from the public internet.
A device should be on its own network segment. If your router supports a guest network or VLAN, it is preferable to locate the device there.
Use the strongest Wi-Fi encryption available, such as WPA3 or WPA2/3 with protected management frames.
Schedule regular reboots of your routing device, smartphones, and computers.
For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

June 24, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-161-03 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.6
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: EVLink WallBox
• Vulnerabilities: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’), Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain remote control of the charging station.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• EVLink WallBox: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

An improper limitation of a pathname to a restricted directory (‘path traversal’) vulnerability exists, which could cause arbitrary file writes when an unauthenticated user on the web server manipulates the file path.

CVE-2025-5740 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-5740. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

An improper limitation of a pathname to a restricted directory (‘path traversal’) vulnerability exists, which could cause arbitrary file reads from the charging station. Exploitation of this vulnerability requires an authenticated session of the web server.

CVE-2025-5741 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-5741. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION (‘CROSS-SITE SCRIPTING’) CWE-79

An improper neutralization of input during web page generation (‘cross-site scripting’) vulnerability exists when an authenticated user modifies the configuration parameters on the web server.

CVE-2025-5742 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-5742. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).

3.2.4 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

An improper neutralization of special elements used in an OS command (‘OS command injection’) vulnerability exists, which could cause remote control of the charging station when an authenticated user modifies configuration parameters on the web server.

CVE-2025-5743 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-5743. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Dutch Institute for Vulnerability Disclosure (DIVD) reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

According to Schneider Electric, EVLink WallBox product has reached its end of life and is no longer supported. Users should also consider upgrading to the replacement product offering EVLink Pro AC to resolve these issues. Users should immediately apply the following mitigations to reduce the risk of exploit:

• Firewall Configuration and Logs:
  • Set up network segmentation and implement a firewall to block all unauthorized access to HTTP ports.
  • Periodically check the access log.
• Password:
  • Choose a strong password.
  • Do not share your password.
  • Change your password periodically .

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-161-03 EVLink WallBox – SEVD-2025-161-03 PDF Version, EVLink WallBox – SEVD-2025-161-03 CSAF Version.

Schneider Electric strongly recommends the following industry cybersecurity best practices.

• Passwords should include upper case, lower case, number and special characters, a length of 20 characters is ideal.
• A default Admin password must be changed immediately when first received and after a factory reset.
• Device should only be used in a personal home network.
• Device should not have a publicly accessible IP address.
• Do NOT use port forwarding to access a device from the public internet.
• A device should be on its own network segment. If your router supports a guest network or VLAN, it is preferable to locate the device there.
• Use the strongest Wi-Fi encryption available, such as WPA3 or WPA2/3 with protected management frames.
• Schedule regular reboots of your routing device, smartphones, and computers.
• For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• June 24, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-161-03

 Read More

 ​CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. 

 CVE-2023-0386 Linux Kernel Improper Ownership Management Vulnerability 

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. 

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.  

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 4.6
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: Mendix Studio Pro
Vulnerability: Path Traversal

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to write or modify arbitrary files in directories outside a developer’s project directory.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports the following versions of Mendix Studio Pro integrated development environment are affected:

Siemens Mendix Studio Pro 8: Versions prior to V8.18.35
Siemens Mendix Studio Pro 9: Versions prior to V9.24.35
Siemens Mendix Studio Pro 10: Versions prior to V10.23.0
Siemens Mendix Studio Pro 10.6: Versions prior to V10.6.24
Siemens Mendix Studio Pro 10.12: Versions prior to V10.12.17
Siemens Mendix Studio Pro 10.18: Versions prior to V10.18.7
Siemens Mendix Studio Pro 11: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.
CVE-2025-40592 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-40592. A base score of 4.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has released new versions for several affected products and recommends users update to the latest versions. Siemens is preparing further fixed versions and recommends specific countermeasures for products where fixes are not, or not yet, available:

Mendix Studio Pro 8: Update to V8.18.35 or later version.
Mendix Studio Pro 9: Update to V9.24.35 or later version.
Mendix Studio Pro 10: Update to V10.23.0 or later version.
Mendix Studio Pro 10.6: Update to V10.6.24 or later version.
Mendix Studio Pro 10.12: Update to V10.12.17 or later version.
Mendix Studio Pro 10.18: Update to V10.18.7 or later version.
Mendix Studio Pro 11: Currently no fix is available.

Siemens recommends that users do not install untrusted/unverified modules in Studio Pro projects.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-627195 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.
5. UPDATE HISTORY

June 17, 2025: Initial Republication of Siemens SSA-627195 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 4.6
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Mendix Studio Pro
• Vulnerability: Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to write or modify arbitrary files in directories outside a developer’s project directory.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following versions of Mendix Studio Pro integrated development environment are affected:

• Siemens Mendix Studio Pro 8: Versions prior to V8.18.35
• Siemens Mendix Studio Pro 9: Versions prior to V9.24.35
• Siemens Mendix Studio Pro 10: Versions prior to V10.23.0
• Siemens Mendix Studio Pro 10.6: Versions prior to V10.6.24
• Siemens Mendix Studio Pro 10.12: Versions prior to V10.12.17
• Siemens Mendix Studio Pro 10.18: Versions prior to V10.18.7
• Siemens Mendix Studio Pro 11: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.

CVE-2025-40592 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40592. A base score of 4.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends users update to the latest versions. Siemens is preparing further fixed versions and recommends specific countermeasures for products where fixes are not, or not yet, available:

• Mendix Studio Pro 8: Update to V8.18.35 or later version.
• Mendix Studio Pro 9: Update to V9.24.35 or later version.
• Mendix Studio Pro 10: Update to V10.23.0 or later version.
• Mendix Studio Pro 10.6: Update to V10.6.24 or later version.
• Mendix Studio Pro 10.12: Update to V10.12.17 or later version.
• Mendix Studio Pro 10.18: Update to V10.18.7 or later version.
• Mendix Studio Pro 11: Currently no fix is available.

Siemens recommends that users do not install untrusted/unverified modules in Studio Pro projects.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-627195 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• June 17, 2025: Initial Republication of Siemens SSA-627195

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.4
ATTENTION: Low attack complexity
Vendor: LS Electric
Equipment: GMWin 4
Vulnerabilities: Out-of-Bounds Write, Out-of-Bounds Read, Heap-based Buffer Overflow

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of LS Electric GMWin 4, a programming software tool, are affected:

GMWin 4: Version 4.18

3.2 VULNERABILITY OVERVIEW
3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122
A Heap-based Buffer Overflow vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.
CVE-2025-49850 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-49850. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 OUT-OF-BOUNDS READ CWE-125
An Out-of-bounds Read vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.
CVE-2025-49849 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-49849. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 OUT-OF-BOUNDS WRITE CWE-787
An Out-of-bounds Write vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.
CVE-2025-49848 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-49848. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER
Michael Heinzl reported these vulnerabilities to CISA.
4. MITIGATIONS
LS Electric GMWin 4 has been discontinued and is no longer available for service. LS electric recommends users to use the XGT series as a replacement.
For more information, contact LS Electric.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

June 17, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: LS Electric
• Equipment: GMWin 4
• Vulnerabilities: Out-of-Bounds Write, Out-of-Bounds Read, Heap-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to disclose information or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of LS Electric GMWin 4, a programming software tool, are affected:

• GMWin 4: Version 4.18

3.2 VULNERABILITY OVERVIEW

3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

A Heap-based Buffer Overflow vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.

CVE-2025-49850 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-49850. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

An Out-of-bounds Read vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.

CVE-2025-49849 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-49849. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

An Out-of-bounds Write vulnerability exists within the parsing of PRJ files. The issues result from the lack of proper validation of user-supplied data, which can result in different memory corruption issues within the application, such as reading and writing past the end of allocated data structures.

CVE-2025-49848 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-49848. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

LS Electric GMWin 4 has been discontinued and is no longer available for service. LS electric recommends users to use the XGT series as a replacement.

For more information, contact LS Electric.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• June 17, 2025: Initial Publication

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.2
ATTENTION: Exploitable remotely/Low attack complexity
Vendor: Dover Fueling Solutions
Equipment: ProGauge MagLink LX consoles
Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION
Successful exploitation of this vulnerability could result in an attacker gaining control of the monitoring device, manipulating fueling operations, deleting system configurations, or deploying malware.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of ProGauge MagLink LX, a fuel and water tank monitor, are affected:

ProGauge MagLink LX 4: Versions prior to 4.20.3
ProGauge MagLink LX Plus: Versions prior to 4.20.3
ProGauge MagLink LX Ultimate: Versions prior to 5.20.3

3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The device exposes an undocumented and unauthenticated Target Communication Framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution.
CVE-2025-5310 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-5310. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Souvik Kandar of Microsec (microsec.io) reported this vulnerability to CISA.
4. MITIGATIONS
Dover Fueling Solutions recommends users update their ProGauge MagLink devices to Version 4.20.3 or later for MagLink LX 4 and MagLink LX Plus models. The upgrade can be downloaded from the Dover Fueling Solutions website.
For MagLink LX Ultimate devices, Dover Fueling Solutions recommends users update to version 5.20.3 or later.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

June 17, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.2
• ATTENTION: Exploitable remotely/Low attack complexity
• Vendor: Dover Fueling Solutions
• Equipment: ProGauge MagLink LX consoles
• Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in an attacker gaining control of the monitoring device, manipulating fueling operations, deleting system configurations, or deploying malware.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ProGauge MagLink LX, a fuel and water tank monitor, are affected:

• ProGauge MagLink LX 4: Versions prior to 4.20.3
• ProGauge MagLink LX Plus: Versions prior to 4.20.3
• ProGauge MagLink LX Ultimate: Versions prior to 5.20.3

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The device exposes an undocumented and unauthenticated Target Communication Framework (TCF) interface on a specific port. Files can be created, deleted, or modified, potentially leading to remote code execution.

CVE-2025-5310 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-5310. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Souvik Kandar of Microsec (microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Dover Fueling Solutions recommends users update their ProGauge MagLink devices to Version 4.20.3 or later for MagLink LX 4 and MagLink LX Plus models. The upgrade can be downloaded from the Dover Fueling Solutions website.

For MagLink LX Ultimate devices, Dover Fueling Solutions recommends users update to version 5.20.3 or later.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• June 17, 2025: Initial Publication

 Read More

 ​CISA released five Industrial Control Systems (ICS) advisories on June 17, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-168-01 Siemens Mendix Studio Pro
ICSA-25-168-02 LS Electric GMWin 4
ICSA-25-168-04 Fuji Electric Smart Editor
ICSA-25-168-05 Dover Fueling Solutions ProGauge MagLink LX Consoles 
ICSA-24-347-10 Siemens SENTRON Powercenter 1000 (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released five Industrial Control Systems (ICS) advisories on June 17, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-168-01 Siemens Mendix Studio Pro
• ICSA-25-168-02 LS Electric GMWin 4
• ICSA-25-168-04 Fuji Electric Smart Editor
• ICSA-25-168-05 Dover Fueling Solutions ProGauge MagLink LX Consoles
   
• ICSA-24-347-10 Siemens SENTRON Powercenter 1000 (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More