CISA Releases New ICS Advisories Highlighting Ongoing Threats and Exploits
The Cybersecurity and Infrastructure Security Agency (CISA) has released eight new Industrial Control Systems (ICS) advisories on June 24, 2025, addressing critical vulnerabilities and ongoing threats to essential infrastructure.
These advisories provide detailed technical information and mitigation guidance for a range of ICS products used worldwide.
1.Kaleris Navis N4 Terminal Operating System: Remote Exploits and Data Exposure
Vulnerabilities Identified:
- Deserialization of Untrusted Data (CWE-502):
- CVE-2025-2566 — Allows unauthenticated remote code execution through unsafe Java deserialization.
- Cleartext Transmission of Sensitive Information (CWE-319):
- CVE-2025-5087 — Enables attackers to extract sensitive information, including plaintext credentials, via insecure HTTP communication.
Risk: Attackers could remotely exploit the system, execute arbitrary code, or extract sensitive credentials.
2.Delta Electronics CNCSoft: Multiple Out-of-Bounds Write Flaws
Vulnerabilities Identified:
- Out-of-Bounds Write (CWE-787):
- CVE-2025-47724
- CVE-2025-47725
- CVE-2025-47726
- CVE-2025-47727
All four vulnerabilities allow code execution if a user opens a malicious file.
Risk: Attackers can execute code within the context of the current process by exploiting file validation flaws.
3.Schneider Electric Modicon Controllers: Input Validation and XSS Risks
Vulnerabilities Identified:
- Improper Input Validation (CWE-20):
- CVE-2025-3898
- CVE-2025-3116
- Improper Neutralization of Input During Web Page Generation (Cross-site Scripting, CWE-79):
- CVE-2025-3899
- CVE-2025-3905
- CVE-2025-3117
- Uncontrolled Resource Consumption (CWE-400):
Risk: Successful exploitation could lead to denial-of-service, arbitrary code execution, or unauthorized data manipulation via web interfaces.
4.Schneider Electric EVLink WallBox: Path Traversal and Command Injection
Vulnerabilities Identified:
- Improper Limitation of a Pathname to a Restricted Directory (Path Traversal, CWE-22):
- CVE-2025-5740
- CVE-2025-5741
- Improper Neutralization of Input During Web Page Generation (Cross-site Scripting, CWE-79):
- Improper Neutralization of Special Elements used in an OS Command (OS Command Injection, CWE-78):
Risk: Attackers could gain remote control, read or write arbitrary files, or inject malicious code via the web server.
5.ControlID iDSecure On-Premises: Authentication Bypass and SQL Injection
Vulnerabilities Identified:
- Improper Authentication (CWE-287):
- Server-Side Request Forgery (SSRF, CWE-918):
- Improper Neutralization of Special Elements Used in an SQL Command (SQL Injection, CWE-89):
Risk: Exploits could allow attackers to bypass authentication, retrieve sensitive data, or execute arbitrary SQL commands.
6.Parsons AccuWeather Widget: Cross-site Scripting in Utility Portals
Vulnerability Identified:
- Improper Neutralization of Input During Web Page Generation (Cross-site Scripting, CWE-79):
Risk: Attackers may insert malicious links into RSS feeds, potentially compromising users who access the feed.
7.MICROSENS NMP Web+: Hard-coded Credentials and Path Traversal
Vulnerabilities Identified:
- Use of Hard-coded, Security-relevant Constants (CWE-547):
- Insufficient Session Expiration (CWE-613):
- Improper Limitation of a Pathname to a Restricted Directory (Path Traversal, CWE-22):
Risk: Attackers could bypass authentication, gain persistent access, overwrite files, or execute arbitrary code.
8.Mitsubishi Electric MELSEC-Q Series PLCs (Update B): Resource Exhaustion
Vulnerability Identified:
- Uncontrolled Resource Consumption (Resource Exhaustion, CWE-400):
Risk: Remote attackers can crash Ethernet and USB communication by sending specially crafted packets.
CISA urges all ICS users and administrators to review these advisories for technical details and apply recommended mitigations to safeguard critical infrastructure from ongoing threats.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates
Source link
