CISA Releases 3 ICS Advisories Covering Vulnerabilities and Exploits

CISA issued three significant Industrial Control Systems (ICS) advisories on July 17, 2025, addressing critical vulnerabilities affecting energy monitoring, healthcare imaging, and access control systems. 

These advisories highlight severe security flaws with CVSS v4 scores ranging from 8.5 to 8.7, exposing critical infrastructure across multiple sectors to potential cyberattacks and unauthorized access.

Key Takeaways
1. Leviton’s AcquiSuite and Energy Monitoring Hub suffer a high-severity cross-site scripting flaw.
2. Panoramic Corporation’s Digital Imaging Software is vulnerable to DLL hijacking.
3. Johnson Controls’ C- CURE 9000 Site Server exposes executable directories with incorrect default permissions.

Cross-Site Scripting in Leviton Systems

CISA advisory ICSA-25-198-01 reveals a severe cross-site scripting (XSS) vulnerability in Leviton AcquiSuite Version A8810 and Energy Monitoring Hub Version A8812. 

The flaw, designated CVE-2025-6185, carries a CVSS v4 score of 8.7 and enables attackers to craft malicious payloads in URL parameters that execute in client browsers. 

This CWE-79 classified vulnerability allows attackers to steal session tokens and potentially control the entire service remotely with low attack complexity.

The vulnerability affects communications infrastructure deployed worldwide, with researcher notnotnotveg reporting the flaw to CISA. 

Notably, Leviton has not responded to CISA’s requests for collaboration on mitigation strategies, leaving users to contact customer support independently for additional information and patches.

DLL Hijacking Flaw Exposes Healthcare Imaging Software

Healthcare systems face significant risk from ICSMA-25-198-01, which identifies a CWE-427 uncontrolled search path element vulnerability in Panoramic Corporation’s Digital Imaging Software Version 9.1.2.7600. 

The CVE-2024-22774 vulnerability, scoring 8.5 on CVSS v4, enables standard users to escalate privileges to NT Authority/SYSTEM through DLL hijacking techniques.

This vulnerability particularly threatens healthcare and public health infrastructure across North America. 

The flaw originates from an unsupported SDK component owned by Oy Ajat Ltd, making remediation complex. 

Damian Semon Jr. of Blue Team Alpha LLC discovered and reported this vulnerability, which requires local access but provides complete system compromise upon successful exploitation.

Johnson Controls Access Control Permission Flaw

The third advisory, ICSA-24-191-05 Update B, addresses incorrect default permissions in Johnson Controls’ Software House C●CURE 9000 Site Server Version 2.80 and prior versions. 

CVE-2024-32861 presents a CVSS v4 score of 8.5 and affects systems with optional C- CURE IQ Web and/or C- CURE Portal installations. 

The CWE-276 vulnerability provides insufficient protection of directories containing executables under certain circumstances.

This vulnerability impacts critical manufacturing, commercial facilities, government facilities, transportation systems, and energy sectors worldwide. 

Johnson Controls has released specific mitigation instructions through Product Security Advisory, recommending removal of Full control and Write permissions for non-administrator accounts on the C:CouchDBbin path.

Security Recommendations 

CISA emphasizes implementing defense-in-depth strategies and network segmentation to minimize exploitation risks. 

Key recommendations include isolating control systems from internet access, deploying firewalls between business and control networks, and utilizing secure VPN connections for remote access requirements. 

Organizations should prioritize proper impact analysis and risk assessment before deploying defensive measures. The agency encourages reporting suspected malicious activity and following established incident response procedures. 

While no known public exploitation has been reported for these vulnerabilities, their high CVSS scores and widespread deployment across critical infrastructure sectors necessitate immediate attention and remediation efforts.

Boost detection, reduce alert fatigue, accelerate response; all with an interactive sandbox built for security teams -> Try ANY.RUN Now