Category: Security Feeds

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.3
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Industrial Edge Devices
Vulnerability: Weak Authentication

2. RISK EVALUATION
Successful exploitation of the vulnerability could allow an unauthenticated attacker to bypass authentication and impersonate a legitimate user.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

Siemens Industrial Edge Own Device (IEOD): All versions prior to V1.21.1-1-a
Siemens Industrial Edge Virtual Device: All versions prior to V1.21.1-1-a
Siemens SCALANCE LPE9413 (6GK5998-3GS01-2AC2): All versions
Siemens SIMATIC IPC127E Industrial Edge Device: All versions prior to V3.0
Siemens SIMATIC IPC227E Industrial Edge Device: All versions prior V3.0
Siemens SIMATIC IPC427E Industrial Edge Device: All versions
Siemens SIMATIC IPC847E Industrial Edge Device: All versions prior V3.0
Siemens SIMATIC IPC BX-39A Industrial Edge Device: All versions prior V3.0
Siemens SIMATIC IPC BX-59A Industrial Edge Device: All versions prior V3.0

3.2 VULNERABILITY OVERVIEW
3.2.1 WEAK AUTHENTICATION CWE-1390
The affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user.
CVE-2024-54092 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-54092. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

SCALANCE LPE9413 (6GK5998-3GS01-2AC2), SIMATIC IPC427E Industrial Edge Device: Currently no fix is available
Industrial Edge Virtual Device: Update to V1.21.1-1-a or later version
Industrial Edge Own Device (IEOD): Update to V1.21.1-1-a or later version
SIMATIC IPC BX-39A Industrial Edge Device, SIMATIC IPC BX-59A Industrial Edge Device, SIMATIC IPC127E Industrial Edge Device, SIMATIC IPC227E Industrial Edge Device, SIMATIC IPC847E Industrial Edge Device: Update to V3.0 or later version
Ensure network access to affected products is limited to trusted parties only

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-634640 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY

April 10, 2025: Initial Publication of Siemens SSA-634640 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: Industrial Edge Devices
• Vulnerability: Weak Authentication

2. RISK EVALUATION

Successful exploitation of the vulnerability could allow an unauthenticated attacker to bypass authentication and impersonate a legitimate user.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Industrial Edge Own Device (IEOD): All versions prior to V1.21.1-1-a
• Siemens Industrial Edge Virtual Device: All versions prior to V1.21.1-1-a
• Siemens SCALANCE LPE9413 (6GK5998-3GS01-2AC2): All versions
• Siemens SIMATIC IPC127E Industrial Edge Device: All versions prior to V3.0
• Siemens SIMATIC IPC227E Industrial Edge Device: All versions prior V3.0
• Siemens SIMATIC IPC427E Industrial Edge Device: All versions
• Siemens SIMATIC IPC847E Industrial Edge Device: All versions prior V3.0
• Siemens SIMATIC IPC BX-39A Industrial Edge Device: All versions prior V3.0
• Siemens SIMATIC IPC BX-59A Industrial Edge Device: All versions prior V3.0

3.2 VULNERABILITY OVERVIEW

3.2.1 WEAK AUTHENTICATION CWE-1390

The affected devices do not properly enforce user authentication on specific API endpoints when identity federation is used. This could facilitate an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user.

CVE-2024-54092 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-54092. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SCALANCE LPE9413 (6GK5998-3GS01-2AC2), SIMATIC IPC427E Industrial Edge Device: Currently no fix is available
• Industrial Edge Virtual Device: Update to V1.21.1-1-a or later version
• Industrial Edge Own Device (IEOD): Update to V1.21.1-1-a or later version
• SIMATIC IPC BX-39A Industrial Edge Device, SIMATIC IPC BX-59A Industrial Edge Device, SIMATIC IPC127E Industrial Edge Device, SIMATIC IPC227E Industrial Edge Device, SIMATIC IPC847E Industrial Edge Device: Update to V3.0 or later version
• Ensure network access to affected products is limited to trusted parties only

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-634640 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 10, 2025: Initial Publication of Siemens SSA-634640

 Read More

 ​Fortinet is aware of a threat actor creating a malicious file from previously exploited Fortinet RCE vulnerabilities within FortiOS and FortiGate products. This malicious file could enable read-only access to files on the devices’ file system, which may include configurations. 
See the following resource for more information:

Analysis of Threat Actor Activity | Fortinet Blog

CISA encourages administrators to review Fortinet’s advisory and:

Upgrade to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16 to remove the malicious file and prevent re-compromise.
Review the configuration of all in-scope devices.
Reset potentially exposed credentials.
As a work-around mitigation until the patch is applied, consider disabling SSL-VPN functionality, as exploitation of the file requires the SSL-VPN to be enabled.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. 
For more mitigation information: Recommended steps to execute in case of a… – Fortinet Community 

Fortinet is aware of a threat actor creating a malicious file from previously exploited Fortinet RCE vulnerabilities within FortiOS and FortiGate products. This malicious file could enable read-only access to files on the devices’ file system, which may include configurations. 

See the following resource for more information:

• Analysis of Threat Actor Activity | Fortinet Blog

CISA encourages administrators to review Fortinet’s advisory and:

• Upgrade to FortiOS versions 7.6.2, 7.4.7, 7.2.11, 7.0.17, 6.4.16 to remove the malicious file and prevent re-compromise.
• Review the configuration of all in-scope devices.
• Reset potentially exposed credentials.
• As a work-around mitigation until the patch is applied, consider disabling SSL-VPN functionality, as exploitation of the file requires the SSL-VPN to be enabled.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870. 

For more mitigation information: Recommended steps to execute in case of a… – Fortinet Community

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 6.9
ATTENTION: Low attack complexity
Vendor: Subnet Solutions Inc.
Equipment: PowerSYSTEM Center (PSC) 2020
Vulnerabilities: Out-of-Bounds Read, Deserialization of Untrusted Data

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Subnet Solutions products are affected:

PowerSYSTEM Center 2020: Versions 5.24.x and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS READ CWE-125
PowerSYSTEM Center’s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.
CVE-2025-31354 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
A CVSS v4 score has also been calculated for CVE-2025-31354. A base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).
3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502
PowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-service condition.
CVE-2025-31935 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-31935. A base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER
Subnet Solutions Inc. reported this vulnerability to CISA.
4. MITIGATIONS
Subnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:

PSC 2020 Update 25
PSC 2024

If updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:

Disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.
Configure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.
Manage administrator access to PowerSYSTEM Center DCS operating system.
Monitor user activity records to ensure users are following acceptable usage policies of the application.

For assistance with updating PSC, reach out directly to Subnet Solutions.
CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

April 10, 2025: Initial Publication. 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.9
• ATTENTION: Low attack complexity
• Vendor: Subnet Solutions Inc.
• Equipment: PowerSYSTEM Center (PSC) 2020
• Vulnerabilities: Out-of-Bounds Read, Deserialization of Untrusted Data

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Subnet Solutions products are affected:

• PowerSYSTEM Center 2020: Versions 5.24.x and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

PowerSYSTEM Center’s SMTPS notification service can be affected by importing an EC certificate with crafted F2m parameters, which can lead to excessive CPU consumption during the evaluation of the curve parameters.

CVE-2025-31354 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-31354. A base score of 5.3 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

PowerSYSTEM Center is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the API may trigger an exception, resulting in a denial-of-service condition.

CVE-2025-31935 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-31935. A base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Canada

3.4 RESEARCHER

Subnet Solutions Inc. reported this vulnerability to CISA.

4. MITIGATIONS

Subnet Solutions Inc. recommends users update PowerSYSTEM Center (PSC) to the latest versions:

• PSC 2020 Update 25
• PSC 2024

If updating PSC is not possible, Subnet Solutions Inc recommends users apply the following mitigations to help reduce risk:

• Disable Notification Service, Email Dispatch Service, or the outgoing email server in Notifications/Settings.
• Configure PowerSYSTEM Center DCS network firewall to only allow connections to an approved and authorized email server.
• Manage administrator access to PowerSYSTEM Center DCS operating system.
• Monitor user activity records to ensure users are following acceptable usage policies of the application.

For assistance with updating PSC, reach out directly to Subnet Solutions.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• April 10, 2025: Initial Publication.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.5
ATTENTION: Low attack complexity
Vendor: Rockwell Automation
Equipment: Arena
Vulnerabilities: Use of Uninitialized Variable, Out-of-bounds Write, Out-of-bounds Read, Stack-based Buffer Overflow

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could disclose information to an attacker or allow execution of arbitrary code on the system.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Rockwell Automation reports the following versions of Arena simulation software are affected:

Arena: Versions 16.20.08 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 Use of Uninitialized Variable CWE-457
A local code execution vulnerability exists in Rockwell Automation Arena due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-2285 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2285. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 Use of Uninitialized Variable CWE-457
A local code execution vulnerability exists in Rockwell Automation Arena due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-2286 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2286. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 Use of Uninitialized Variable CWE-457
A local code execution vulnerability exists in Rockwell Automation Arena due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-2287 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2287. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.4 Out-of-bounds Write CWE-787
A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-2288 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2288. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.5 Out-of-bounds Write CWE-787
A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-2293 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2293. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.6 Out-of-bounds Write CWE-787
A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-2829 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2829. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.7 Out-of-bounds Read CWE-125
A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-3285 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3285. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.8 Out-of-bounds Read CWE-125
A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-3286 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3286. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.9 Out-of-bounds Read CWE-125
A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-3287 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3287. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.10 Out-of-bounds Read CWE-125
A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-3288 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3288. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.11 Stack-based Buffer Overflow CWE-121
A local code execution vulnerability exists in Rockwell Automation Arena due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.
CVE-2025-3289 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-3289. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER
Michael Heinzl reported these vulnerabilities to CISA.
4. MITIGATIONS
Rockwell Automation recommends users upgrade to V16.20.09 or later.
For information on how to mitigate security risks on industrial automation control systems, Rockwell Automation encourages users to implement their suggested security best practices (login required) to minimize the risk of the vulnerability.
For more information about these issues, please see the Rockwell Automation security advisory SD1726.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
5. UPDATE HISTORY

April 10, 2025: Initial Republication of Rockwell Automation security advisory SD1726. 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Rockwell Automation
• Equipment: Arena
• Vulnerabilities: Use of Uninitialized Variable, Out-of-bounds Write, Out-of-bounds Read, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could disclose information to an attacker or allow execution of arbitrary code on the system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Rockwell Automation reports the following versions of Arena simulation software are affected:

• Arena: Versions 16.20.08 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Uninitialized Variable CWE-457

A local code execution vulnerability exists in Rockwell Automation Arena due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-2285 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2285. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Use of Uninitialized Variable CWE-457

A local code execution vulnerability exists in Rockwell Automation Arena due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-2286 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2286. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Use of Uninitialized Variable CWE-457

A local code execution vulnerability exists in Rockwell Automation Arena due to an uninitialized pointer. The flaw is result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-2287 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2287. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 Out-of-bounds Write CWE-787

A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-2288 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2288. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Out-of-bounds Write CWE-787

A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-2293 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2293. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to write outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-2829 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2829. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.7 Out-of-bounds Read CWE-125

A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-3285 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3285. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.8 Out-of-bounds Read CWE-125

A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-3286 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3286. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.9 Out-of-bounds Read CWE-125

A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-3287 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3287. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.10 Out-of-bounds Read CWE-125

A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor being able to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-3288 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3288. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.11 Stack-based Buffer Overflow CWE-121

A local code execution vulnerability exists in Rockwell Automation Arena due to a stack-based memory buffer overflow. The flaw is result of improper validation of user-supplied data. If exploited a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability a legitimate user must open a malicious DOE file.

CVE-2025-3289 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3289. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported these vulnerabilities to CISA.

4. MITIGATIONS

Rockwell Automation recommends users upgrade to V16.20.09 or later.

For information on how to mitigate security risks on industrial automation control systems, Rockwell Automation encourages users to implement their suggested security best practices (login required) to minimize the risk of the vulnerability.

For more information about these issues, please see the Rockwell Automation security advisory SD1726.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• April 10, 2025: Initial Republication of Rockwell Automation security advisory SD1726.

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 9.2
ATTENTION: Exploitable remotely/low attack complexity
Vendor: ABB
Equipment: Arctic Wireless Gateways
Vulnerabilities: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Improper Privilege Management, Exposure of Sensitive Information to an Unauthorized Actor, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could run arbitrary code in the product with privileged user permissions or could lead to a denial of service or tampering with unencrypted traffic.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
ABB reports there are vulnerabilities in the Telit PL62-W wireless modem module used in the following products:

Arctic ARP600, ARC600, ARR600: Firmware versions 3.4.10, 3.4.11, 3.4.12, 3.4.13 (CVE-2024-6387)
Arctic Wireless Gateways ARG600, ARC600, ARR600: All versions with Telit PLS62-W wireless modem module (CVE-2023-47610, CVE-2023-47611, CVE-2023-47612, CVE-2023-47613, CVE-2023-47614, CVE-2023-47615, CVE-2023-47616)

3.2 VULNERABILITY OVERVIEW
3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120
A buffer overflow vulnerability could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted short message service (SMS) message.
CVE-2023-47610 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-47610. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 IMPROPER PRIVILEGE MANAGEMENT CWE-269
An improper privilege management vulnerability could allow a local, low-privileged attacker to elevate privileges to “manufacturer” level on the targeted system by sending a specially crafted SMS message.
CVE-2023-47611 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-47611. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.3 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
Files or directories accessible to an external parties vulnerability could allow an attacker with physical access to the target system to obtain a read/write access to any files and directories on the wireless modem module, including hidden files and directories.
CVE-2023-47612 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2023-47612. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
A relative path traversal vulnerability could allow a local, low-privileged attacker to escape from virtual directories and get read/write access to protected files on the wireless modem module.
CVE-2023-47613 has been assigned to this vulnerability. A CVSS v3 base score of 3.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2023-47613. A base score of 2.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
An exposure of sensitive information to an unauthorized actor vulnerability could allow a local, low-privileged attacker to disclose hidden virtual paths and file names on the wireless modem module.
CVE-2023-47614 has been assigned to this vulnerability. A CVSS v3 base score of 3.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2023-47614. A base score of 2.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
3.2.6 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
An exposure of sensitive information through environmental variables vulnerability could allow a local, low-privileged attacker to get access to sensitive data on the wireless modem module.
CVE-2023-47615 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-47615. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.7 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200
An exposure of sensitive information to an unauthorized actor vulnerability could allow an attacker with physical access to the target system to get access to sensitive data on the wireless modem module.
CVE-2023-47616 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2023-47616. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.2.8 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362
This vulnerability is a signal handler race condition in OpenSSH’s server (sshd) on glibc-based Linux systems, allowing unauthenticated remote code execution as root.
CVE-2024-6387 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-6387. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER
ABB reported these vulnerabilities to CISA.
4. MITIGATIONS
ABB recommends users to perform the following actions at their earliest convenience:

Modem module vulnerability mitigations: Mitigate the cellular module vulnerabilities by contacting the mobile network operator and requesting to disable binary SMS for a mobile subscription. Note that binary SMS service is often disabled by default based on operator restrictions. If SMS services are not used in the solution, consider disabling them completely.
SSH vulnerability mitigations: Establish remote connections through OpenVPN. If the SSH protocol is used for remote administration of Arctic wireless gateway, it is to be considered logging in to the wireless gateway through an OpenVPN tunnel. Do not expose SSH port to public networks. Keep the SSH port closed to public networks and thus limit the number of potential attackers who can attempt to exploit the vulnerability. This way only devices within the private network or those connected through a secure VPN can access the SSH server.
Common mitigations: Obtain a private cellular access point to limit impact of any potential exploit. Contact the cellular provider for availability. Restrict physical access to the product. Follow general security recommendations for further advice on how to keep the system secure.

For more information, please refer to ABB’s Cybersecurity Advisory 7PAA013309.
ABB strongly recommends the following (non-exhaustive) list of cyber security practices for any installation of software-related ABB products:

Isolate special purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them from any general purpose network (e.g., office or home networks).
Install physical controls so no unauthorized personnel can access the devices, components, peripheral equipment, and networks.
Never connect programming software or computers containing programing software to any network other than the network for the devices that it is intended for.
Scan all data imported into your environment before use to detect potential malware infections.
Minimize network exposure for all applications and endpoints to ensure that they are not accessible from the Internet unless they are designed for such exposure and the intended use requires such.
Ensure all nodes are always up to date in terms of installed software, operating system, and firmware patches as well as anti-virus and firewall.
When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

April 10, 2025: Initial Re-publication of ABB 7PAA013309. 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: Arctic Wireless Gateways
• Vulnerabilities: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Improper Privilege Management, Exposure of Sensitive Information to an Unauthorized Actor, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could run arbitrary code in the product with privileged user permissions or could lead to a denial of service or tampering with unencrypted traffic.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports there are vulnerabilities in the Telit PL62-W wireless modem module used in the following products:

• Arctic ARP600, ARC600, ARR600: Firmware versions 3.4.10, 3.4.11, 3.4.12, 3.4.13 (CVE-2024-6387)
• Arctic Wireless Gateways ARG600, ARC600, ARR600: All versions with Telit PLS62-W wireless modem module (CVE-2023-47610, CVE-2023-47611, CVE-2023-47612, CVE-2023-47613, CVE-2023-47614, CVE-2023-47615, CVE-2023-47616)

3.2 VULNERABILITY OVERVIEW

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A buffer overflow vulnerability could allow a remote unauthenticated attacker to execute arbitrary code on the targeted system by sending a specially crafted short message service (SMS) message.

CVE-2023-47610 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-47610. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER PRIVILEGE MANAGEMENT CWE-269

An improper privilege management vulnerability could allow a local, low-privileged attacker to elevate privileges to “manufacturer” level on the targeted system by sending a specially crafted SMS message.

CVE-2023-47611 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-47611. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

Files or directories accessible to an external parties vulnerability could allow an attacker with physical access to the target system to obtain a read/write access to any files and directories on the wireless modem module, including hidden files and directories.

CVE-2023-47612 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-47612. A base score of 5.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

A relative path traversal vulnerability could allow a local, low-privileged attacker to escape from virtual directories and get read/write access to protected files on the wireless modem module.

CVE-2023-47613 has been assigned to this vulnerability. A CVSS v3 base score of 3.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2023-47613. A base score of 2.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.5 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An exposure of sensitive information to an unauthorized actor vulnerability could allow a local, low-privileged attacker to disclose hidden virtual paths and file names on the wireless modem module.

CVE-2023-47614 has been assigned to this vulnerability. A CVSS v3 base score of 3.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2023-47614. A base score of 2.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.6 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An exposure of sensitive information through environmental variables vulnerability could allow a local, low-privileged attacker to get access to sensitive data on the wireless modem module.

CVE-2023-47615 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-47615. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR CWE-200

An exposure of sensitive information to an unauthorized actor vulnerability could allow an attacker with physical access to the target system to get access to sensitive data on the wireless modem module.

CVE-2023-47616 has been assigned to this vulnerability. A CVSS v3 base score of 4.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2023-47616. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 CONCURRENT EXECUTION USING SHARED RESOURCE WITH IMPROPER SYNCHRONIZATION (‘RACE CONDITION’) CWE-362

This vulnerability is a signal handler race condition in OpenSSH’s server (sshd) on glibc-based Linux systems, allowing unauthenticated remote code execution as root.

CVE-2024-6387 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-6387. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

ABB reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB recommends users to perform the following actions at their earliest convenience:

• Modem module vulnerability mitigations: Mitigate the cellular module vulnerabilities by contacting the mobile network operator and requesting to disable binary SMS for a mobile subscription. Note that binary SMS service is often disabled by default based on operator restrictions. If SMS services are not used in the solution, consider disabling them completely.
• SSH vulnerability mitigations: Establish remote connections through OpenVPN. If the SSH protocol is used for remote administration of Arctic wireless gateway, it is to be considered logging in to the wireless gateway through an OpenVPN tunnel. Do not expose SSH port to public networks. Keep the SSH port closed to public networks and thus limit the number of potential attackers who can attempt to exploit the vulnerability. This way only devices within the private network or those connected through a secure VPN can access the SSH server.
• Common mitigations: Obtain a private cellular access point to limit impact of any potential exploit. Contact the cellular provider for availability. Restrict physical access to the product. Follow general security recommendations for further advice on how to keep the system secure.

For more information, please refer to ABB’s Cybersecurity Advisory 7PAA013309.

ABB strongly recommends the following (non-exhaustive) list of cyber security practices for any installation of software-related ABB products:

• Isolate special purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them from any general purpose network (e.g., office or home networks).
• Install physical controls so no unauthorized personnel can access the devices, components, peripheral equipment, and networks.
• Never connect programming software or computers containing programing software to any network other than the network for the devices that it is intended for.
• Scan all data imported into your environment before use to detect potential malware infections.
• Minimize network exposure for all applications and endpoints to ensure that they are not accessible from the Internet unless they are designed for such exposure and the intended use requires such.
• Ensure all nodes are always up to date in terms of installed software, operating system, and firmware patches as well as anti-virus and firewall.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 10, 2025: Initial Re-publication of ABB 7PAA013309.

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 7.3
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge SE2024, Solid Edge SE2025
Vulnerability: Out-of-bounds Write

2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute code.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

Siemens Solid Edge SE2024: All versions prior to V224.0 Update 12
Siemens Solid Edge SE2025: All versions prior to V225.0 Update 3

3.2 VULNERABILITY OVERVIEW
3.2.1 OUT-OF-BOUNDS WRITE CWE-787
The affected application contains an out of bounds write past the end of an allocated buffer while parsing X_T data or a specially crafted file in X_T format. This could allow an attacker to execute code in the context of the current process.
CVE-2024-54091 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-54091. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens reported this vulnerability to CISA.
4. MITIGATIONS
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Solid Edge SE2024: Update to V224.0 Update 12 or later version
Solid Edge SE2025: Update to V225.0 Update 3 or later version
Do not open untrusted X_T files or provide untrusted X_T data to affected applications

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-672923 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
5. UPDATE HISTORY

April 10, 2025: Initial Publication of Siemens Advisory SSA-672923 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.3
• ATTENTION: Low attack complexity
• Vendor: Siemens
• Equipment: Solid Edge SE2024, Solid Edge SE2025
• Vulnerability: Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Solid Edge SE2024: All versions prior to V224.0 Update 12
• Siemens Solid Edge SE2025: All versions prior to V225.0 Update 3

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out of bounds write past the end of an allocated buffer while parsing X_T data or a specially crafted file in X_T format. This could allow an attacker to execute code in the context of the current process.

CVE-2024-54091 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-54091. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Solid Edge SE2024: Update to V224.0 Update 12 or later version
• Solid Edge SE2025: Update to V225.0 Update 3 or later version
• Do not open untrusted X_T files or provide untrusted X_T data to affected applications

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-672923 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• April 10, 2025: Initial Publication of Siemens Advisory SSA-672923

 Read More

 ​CISA released ten Industrial Control Systems (ICS) advisories on April 10, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

ICSA-25-100-01 Siemens License Server
ICSA-25-100-02 Siemens SIDIS Prime
ICSA-25-100-03 Siemens Solid Edge
ICSA-25-100-04 Siemens Industrial Edge Devices
ICSA-25-100-05 Siemens Insights Hub Private Cloud
ICSA-25-100-06 Siemens SENTRON 7KT PAC1260 Data Manager
ICSA-25-100-07 Rockwell Automation Arena
ICSA-25-100-08 Subnet Solutions PowerSYSTEM Center
ICSA-25-100-09 ABB Arctic Wireless Gateways 
ICSMA-25-100-01 INFINITT Healthcare INFINITT PACS

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations. 

CISA released ten Industrial Control Systems (ICS) advisories on April 10, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-100-01 Siemens License Server
• ICSA-25-100-02 Siemens SIDIS Prime
• ICSA-25-100-03 Siemens Solid Edge
• ICSA-25-100-04 Siemens Industrial Edge Devices
• ICSA-25-100-05 Siemens Insights Hub Private Cloud
• ICSA-25-100-06 Siemens SENTRON 7KT PAC1260 Data Manager
• ICSA-25-100-07 Rockwell Automation Arena
• ICSA-25-100-08 Subnet Solutions PowerSYSTEM Center
• ICSA-25-100-09 ABB Arctic Wireless Gateways
   
• ICSMA-25-100-01 INFINITT Healthcare INFINITT PACS

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 5.4
ATTENTION: Exploitable locally
Vendor: Siemens
Equipment: License Server
Vulnerabilities: Improper Privilege Management, Improper Certificate Validation

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a low-privileged local user to escalate privileges or perform arbitrary code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

License Server (SLS): All versions before V4.3

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269
The affected application searches for executable files in the application folder without proper validation. This could allow an attacker to execute arbitrary code with administrative privileges by placing a malicious executable in the same directory.
CVE-2025-29999 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-29999. A base score of 5.4 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.2.2 IMPROPER CERTIFICATE VALIDATION CWE-295
The affected application does not properly restrict permissions of the users. This could allow a lowly-privileged attacker to escalate their privileges.
CVE-2025-30000 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-30000. A base score of 5.4 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Intel PSIRT reported these vulnerabilities to Siemens.
4. MITIGATIONS
Siemens has released a new version for Siemens License Server (SLS)and recommends updating to the latest version:

Siemens License Server (SLS): Update to V4.3 or later version. (login required)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-525431 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.
5. UPDATE HISTORY

April 10, 2025: Initial Publication

  

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 5.4
• ATTENTION: Exploitable locally
• Vendor: Siemens
• Equipment: License Server
• Vulnerabilities: Improper Privilege Management, Improper Certificate Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a low-privileged local user to escalate privileges or perform arbitrary code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• License Server (SLS): All versions before V4.3

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269

The affected application searches for executable files in the application folder without proper validation. This could allow an attacker to execute arbitrary code with administrative privileges by placing a malicious executable in the same directory.

CVE-2025-29999 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-29999. A base score of 5.4 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER CERTIFICATE VALIDATION CWE-295

The affected application does not properly restrict permissions of the users. This could allow a lowly-privileged attacker to escalate their privileges.

CVE-2025-30000 has been assigned to this vulnerability. A CVSS v3 base score of 6.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30000. A base score of 5.4 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Intel PSIRT reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens has released a new version for Siemens License Server (SLS)
and recommends updating to the latest version:

• Siemens License Server (SLS): Update to V4.3 or later version. (login required)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-525431 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

• April 10, 2025: Initial Publication

 

 Read More

 ​As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 10.0
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: SENTRON 7KT PAC1260 Data Manager
Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Missing Authentication for Critical Function, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Use of Hard-coded Credentials, Cross-Site Request Forgery (CSRF), Unverified Password Change

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary code with root privileges or allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device, set the date and time, access arbitrary files on the device with root privileges, or enable remote access to the device.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Siemens reports that the following products are affected:

SENTRON 7KT PAC1260 Data Manager: All versions

3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
The web interface of affected devices does not sanitize the input parameters in specific GET requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.
CVE-2024-41788 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for  CVE-2024-41788. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
The web interface of affected devices does not sanitize the language parameter in specific POST requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.
CVE-2024-41789 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for  CVE-2024-41789. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78
The web interface of affected devices does not sanitize the region parameter in specific POST requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.
CVE-2024-41790 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for  CVE-2024-41790. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device or set the date and time.
CVE-2024-41791 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for  CVE-2024-41791. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.5 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22
The web interface of affected devices contains a path traversal vulnerability. This could allow an unauthenticated attacker to access arbitrary files on the device with root privileges.
CVE-2024-41792 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for  CVE-2024-41792. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N).
3.2.6 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The web interface of affected devices provides an endpoint that allows to enable the SSH service without authentication. This could allow an unauthenticated remote attacker to enable remote access to the device via SSH.
CVE-2024-41793 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for  CVE-2024-41793. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N).
3.2.7 USE OF HARD-CODED CREDENTIALS CWE-798
Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This could allow unauthenticated remote attackers to gain full access to a device, if they are in possession of these credentials and if the SSH service is enabled (e.g., by exploitation of CVE-2024-41793).
CVE-2024-41794 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for  CVE-2024-41794. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
3.2.8 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352
The web interface of affected devices is vulnerable to cross-site request forgery (CSRF) attacks. This could allow an unauthenticated attacker to change arbitrary device settings by tricking a legitimate device administrator to click on a malicious link.
CVE-2024-41795 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for  CVE-2024-41795. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.2.9 UNVERIFIED PASSWORD CHANGE CWE-620
The web interface of affected devices allows changing the login password without knowing the current password. In combination with a prepared CSRF attack (CVE-2024-41795) an unauthenticated attacker could be able to set the password to an attacker-controlled value.
CVE-2024-41796 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for  CVE-2024-41796. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Energy
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER
Siemens Energy reported these vulnerabilities to Siemens.
4. MITIGATIONS
To fix the vulnerabilities, Siemens recommends users replace vulnerable devices with the new SENTRON 7KT PAC1261 Data Manager and update it to the latest available firmware version.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

(CVE-2024-41795, CVE-2024-41796) SENTRON 7KT PAC1260 Data Manager: Do not access links from untrusted sources while logged in at affected devices.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-187636 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
5. UPDATE HISTORY

April 10, 2025: Initial Republication of Siemens SSA-187636 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SENTRON 7KT PAC1260 Data Manager
• Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Missing Authentication for Critical Function, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Use of Hard-coded Credentials, Cross-Site Request Forgery (CSRF), Unverified Password Change

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an authenticated remote attacker to execute arbitrary code with root privileges or allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device, set the date and time, access arbitrary files on the device with root privileges, or enable remote access to the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SENTRON 7KT PAC1260 Data Manager: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The web interface of affected devices does not sanitize the input parameters in specific GET requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2024-41788 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for  CVE-2024-41788. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The web interface of affected devices does not sanitize the language parameter in specific POST requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2024-41789 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for  CVE-2024-41789. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN OS COMMAND (‘OS COMMAND INJECTION’) CWE-78

The web interface of affected devices does not sanitize the region parameter in specific POST requests. This could allow an authenticated remote attacker to execute arbitrary code with root privileges.

CVE-2024-41790 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for  CVE-2024-41790. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The web interface of affected devices does not authenticate report creation requests. This could allow an unauthenticated remote attacker to read or clear the log files on the device, reset the device or set the date and time.

CVE-2024-41791 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for  CVE-2024-41791. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.5 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

The web interface of affected devices contains a path traversal vulnerability. This could allow an unauthenticated attacker to access arbitrary files on the device with root privileges.

CVE-2024-41792 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for  CVE-2024-41792. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N).

3.2.6 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The web interface of affected devices provides an endpoint that allows to enable the SSH service without authentication. This could allow an unauthenticated remote attacker to enable remote access to the device via SSH.

CVE-2024-41793 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for  CVE-2024-41793. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N).

3.2.7 USE OF HARD-CODED CREDENTIALS CWE-798

Affected devices contain hardcoded credentials for remote access to the device operating system with root privileges. This could allow unauthenticated remote attackers to gain full access to a device, if they are in possession of these credentials and if the SSH service is enabled (e.g., by exploitation of CVE-2024-41793).

CVE-2024-41794 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for  CVE-2024-41794. A base score of 10.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.8 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The web interface of affected devices is vulnerable to cross-site request forgery (CSRF) attacks. This could allow an unauthenticated attacker to change arbitrary device settings by tricking a legitimate device administrator to click on a malicious link.

CVE-2024-41795 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for  CVE-2024-41795. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.9 UNVERIFIED PASSWORD CHANGE CWE-620

The web interface of affected devices allows changing the login password without knowing the current password. In combination with a prepared CSRF attack (CVE-2024-41795) an unauthenticated attacker could be able to set the password to an attacker-controlled value.

CVE-2024-41796 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for  CVE-2024-41796. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens Energy reported these vulnerabilities to Siemens.

4. MITIGATIONS

To fix the vulnerabilities, Siemens recommends users replace vulnerable devices with the new SENTRON 7KT PAC1261 Data Manager and update it to the latest available firmware version.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• (CVE-2024-41795, CVE-2024-41796) SENTRON 7KT PAC1260 Data Manager: Do not access links from untrusted sources while logged in at affected devices.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-187636 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 10, 2025: Initial Republication of Siemens SSA-187636

 Read More

 ​View CSAF
1. EXECUTIVE SUMMARY

CVSS v4 8.7
ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
Vendor: INFINITT Healthcare
Equipment: INFINITT PACS
Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Exposure of Sensitive System Information to an Unauthorized Control Sphere,

2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to upload malicious files and access unauthorized system resources, resulting in arbitrary code execution or information disclosure.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following INFINITT Healthcare products are affected:

INFINITT PACS System Manager: Versions 3.0.11.5 BN9 and prior

3.2 VULNERABILITY OVERVIEW
3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
An attacker could exploit this vulnerability by uploading arbitrary files via the a specific endpoint, leading to unauthorized remote code execution or system compromise.
CVE-2025-27714 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-27714. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.2 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434
An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise.
CVE-2025-24489 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-24489. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.3 EXPOSURE OF SENSITIVE SYSTEM INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497
Unauthorized users can access the system without proper authorization, which could lead to unauthorized access to system resources.
CVE-2025-27721 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-27721. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER
Piotr Kijewski of the Shadowserver Foundation reported these vulnerabilities to CISA.
4. MITIGATIONS
INFINITT recommends the following mitigations:
The latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.
INFINITT ULite is NOT affected by these vulnerabilities. However, if INFINITT ULite is operating as an integrated system with INFINITT PACS, patching is required to secure the PACS environment.

For CVE-2025-27714 and CVE-2025-24489: Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.
For CVE-2025-27721: Apply the patch, enforce strong password policies, and enable logging to monitor for unauthorized access attempts.
Network Security Recommendations: Minimize network exposure for PACS servers, ensuring they are not directly accessible from the internet.
Contact Information: Customers requiring additional support should contact INFINITT Security Team. (cybersecurity@infinitt.com)

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

Locate control system networks and remote devices behind firewalls and isolating them from business networks.
When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

April 10, 2025: Initial Publication 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
• Vendor: INFINITT Healthcare
• Equipment: INFINITT PACS
• Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Exposure of Sensitive System Information to an Unauthorized Control Sphere,

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to upload malicious files and access unauthorized system resources, resulting in arbitrary code execution or information disclosure.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following INFINITT Healthcare products are affected:

• INFINITT PACS System Manager: Versions 3.0.11.5 BN9 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An attacker could exploit this vulnerability by uploading arbitrary files via the a specific endpoint, leading to unauthorized remote code execution or system compromise.

CVE-2025-27714 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-27714. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.2 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

An attacker could exploit this vulnerability by uploading arbitrary files via a specific service, which could lead to system compromise.

CVE-2025-24489 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-24489. A base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.3 EXPOSURE OF SENSITIVE SYSTEM INFORMATION TO AN UNAUTHORIZED CONTROL SPHERE CWE-497

Unauthorized users can access the system without proper authorization, which could lead to unauthorized access to system resources.

CVE-2025-27721 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27721. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER

Piotr Kijewski of the Shadowserver Foundation reported these vulnerabilities to CISA.

4. MITIGATIONS

INFINITT recommends the following mitigations:

The latest version of the software (3.0.11.5 BN10 or later) is NOT affected, as it includes default security patches.

INFINITT ULite is NOT affected by these vulnerabilities. However, if INFINITT ULite is operating as an integrated system with INFINITT PACS, patching is required to secure the PACS environment.

• For CVE-2025-27714 and CVE-2025-24489: Apply the security patch and configure the System Manager settings to restrict unauthorized file uploads.
• For CVE-2025-27721: Apply the patch, enforce strong password policies, and enable logging to monitor for unauthorized access attempts.
• Network Security Recommendations: Minimize network exposure for PACS servers, ensuring they are not directly accessible from the internet.
• Contact Information: Customers requiring additional support should contact INFINITT Security Team. (cybersecurity@infinitt.com)

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

5. UPDATE HISTORY

• April 10, 2025: Initial Publication

 Read More