The Cybersecurity and Infrastructure Security Agency (CISA) released five critical advisories on December 2, 2025, addressing high-severity vulnerabilities affecting industrial control systems across multiple vendors.
The advisories span video surveillance platforms, intelligent metering gateways, medical imaging software, and manufacturing control systems, collectively impacting critical infrastructure sectors worldwide, including energy, healthcare, and water systems.
The most critical disclosure involves Industrial Video & Control’s Longwatch video surveillance and monitoring system, affecting versions 6.309 to 6.334.
A code injection vulnerability, CVE-2025-13658 (CVSS v4 score 9.3), allows unauthenticated attackers to execute arbitrary code remotely via unprotected HTTP GET requests.
The vulnerability stems from absent code signing and execution controls on an exposed endpoint, potentially granting attackers SYSTEM-level privileges.
Industrial Video & Control recommends immediate upgrades to version 6.335 or later. The vulnerability impacts critical infrastructure sectors, including energy and water systems deployed globally.
Five New ICS Advisories
Iskra’s iHUB and iHUB Lite smart metering gateway devices expose a critical missing authentication vulnerability (CVE-2025-13510, CVSS v4 9.3) affecting all versions.
The web management interface lacks authentication requirements, enabling unauthenticated users to reconfigure devices, update firmware, and manipulate connected systems.
Notably, Iskra did not respond to CISA’s coordination request, complicating patch availability. This vulnerability threatens energy sector infrastructure across the globe, particularly smart grid deployments.
Mirion Medical’s EC2 Software NMIS BioDose presents five distinct vulnerabilities (CVSS v4 8.7) affecting versions prior to 23.0.
Issues include improper file permission assignments enabling unauthorized code modification, hardcoded credentials embedded in application binaries, missing password field masking in configuration tools, and unrestricted database user privileges allowing remote code execution.
Healthcare organizations relying on this dosimetry system for radiation dose calculations require immediate upgrades to version 23.0 or later.
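To turn the version ranges quoted above for Longwatch, iHUB and NMIS BioDose into a repeatable inventory check, here is an added example (not CISA's or any vendor's tooling); the host names and installed versions are constructed sample data, and only the three advisories for which the page states versions are encoded.

```python
"""Check an asset inventory against the affected-version ranges stated in the
CISA advisories above.  Added example, not CISA's or any vendor's tooling."""
from dataclasses import dataclass
from typing import Optional

def parse_version(v: str) -> tuple:
    """'6.309' -> (6, 309): compare numerically, not as strings.  As strings,
    '6.33' sorts between '6.309' and '6.335' and would be misclassified as affected."""
    return tuple(int(p) for p in v.strip().split("."))

@dataclass(frozen=True)
class Advisory:
    product: str
    cve: str
    first_affected: Optional[str]   # inclusive lower bound; None = every version
    fixed_in: Optional[str]         # exclusive upper bound; None = no fix available

# Only the three advisories for which the page states version ranges.
ADVISORIES = (
    Advisory("Longwatch", "CVE-2025-13658", "6.309", "6.335"),
    Advisory("iHUB", "CVE-2025-13510", None, None),   # all versions; vendor did not respond to CISA
    Advisory("NMIS BioDose", "multiple (CVSS v4 8.7)", None, "23.0"),
)

def is_affected(adv: Advisory, version: str) -> bool:
    v = parse_version(version)
    if adv.first_affected and v < parse_version(adv.first_affected):
        return False
    if adv.fixed_in and v >= parse_version(adv.fixed_in):
        return False
    return True

def assess(product: str, version: str) -> str:
    """Action for one inventory row: 'ok', 'upgrade to X', or
    'no fix: isolate' (CISA's firewall/segmentation guidance applies)."""
    for adv in ADVISORIES:
        if adv.product == product and is_affected(adv, version):
            return f"upgrade to {adv.fixed_in}" if adv.fixed_in else "no fix: isolate"
    return "ok"

# Constructed sample inventory (hypothetical hosts, not from the advisories).
INVENTORY = [("cam-srv-01", "Longwatch", "6.320"), ("cam-srv-02", "Longwatch", "6.335"),
             ("meter-gw-07", "iHUB", "2.1"), ("dose-ws-03", "NMIS BioDose", "22.4"),
             ("dose-ws-04", "NMIS BioDose", "23.0")]

def report(inventory=INVENTORY) -> dict:
    """Map each host to its remediation action."""
    return {host: assess(prod, ver) for host, prod, ver in inventory}

if __name__ == "__main__":
    for host, action in report().items():
        print(f"{host:12} {action}")
```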
An uncontrolled search path element vulnerability (CVE-2016-2542, CVSS v3 7.0) impacts multiple Mitsubishi Electric CNC Series tools used in manufacturing environments.
The vulnerability exists in InstallShield and enables malicious DLL hijacking through setup-launcher execution.
Affected products include NC Designer2, NC Configurator2, NC Analyzer2, and NC Trainer2. Fixed versions are available for NC Trainer2 and related software, though older tools lack update paths.
Mitsubishi Electric’s MELSEC iQ-R and iQ-F Series EtherNet/IP modules contain four distinct vulnerabilities (CVSS v4 8.7) enabling authentication bypass via FTP functions.
Issues include weak password requirements, hardcoded credentials, unmasked password fields, and unrestricted file uploads.
These vulnerabilities allow remote unauthenticated attackers to access manufacturing equipment. While newer firmware versions support FTP disabling, organizations should implement network segmentation and firewall protections immediately.
Defensive Recommendations
CISA emphasizes defense-in-depth strategies, recommending organizations isolate control systems behind firewalls, restrict internet exposure, implement VPN protections for remote access, and perform impact assessments before deploying mitigations.
No active exploitation of these vulnerabilities has been reported, providing a window for remediation before potential weaponization.
