CISA Issues 10 ICS Advisories Detailing Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has released ten industrial control systems (ICS) advisories on August 7, 2025, highlighting critical vulnerabilities across various industrial automation and control platforms.

These advisories represent a comprehensive effort to address security gaps that could potentially impact critical infrastructure operations across multiple sectors including manufacturing, energy, and transportation systems.

CISA’s latest batch of industrial control systems advisories demonstrates the agency’s continued commitment to protecting critical infrastructure from evolving cybersecurity threats.

The ten advisories collectively address vulnerabilities spanning different industrial control system vendors and platforms, each presenting unique security challenges that require immediate attention from industrial operators and cybersecurity professionals.

1. Delta Electronics DIAView (ICSA-25-219-01)

A path traversal flaw (CWE-22) in DIAView v4.2.0.0 and prior allows remote attackers to read or write arbitrary files.

  • CVE-2025-53417: CVSS v3.1 9.8; CVSS v4.0 9.3
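
The following is an added example, not Delta Electronics' code and not taken from the advisory. It shows the CWE-22 weakness class named above beside the containment check that closes it: a client-supplied path is canonicalised and then verified to lie under the configured root before any file I/O. The root directory and the request paths are constructed for the demonstration.

```python
# Added example (not Delta Electronics' code and not from the advisory): a
# containment check that illustrates the CWE-22 weakness class and its fix.
# The root directory and the request paths below are constructed for the demo.
import os
from pathlib import Path


def unsafe_join(root: str, user_path: str) -> str:
    """Vulnerable pattern: naive concatenation.

    '../' segments walk out of `root`, and an absolute `user_path`
    makes os.path.join discard `root` entirely.
    """
    return os.path.join(root, user_path)


def resolve_under_root(root: str, user_path: str) -> Path:
    """Hardened pattern: canonicalise, then verify containment before any I/O.

    Raises PermissionError for anything that does not land inside `root`.
    Call this on the *decoded* path (decode percent-encoding exactly once
    at the web layer) so that an encoded '..' cannot bypass the check.
    """
    base = Path(root).resolve()
    if Path(user_path).is_absolute():
        raise PermissionError(f"absolute path rejected: {user_path!r}")
    # resolve() collapses '..' and follows symlinks, so a link inside root
    # that points outside is caught as well.
    candidate = (base / user_path).resolve()
    # Compare path components, not string prefixes: a prefix test would
    # wrongly accept '/srv/app/www2/x' as being under '/srv/app/www'.
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes root: {user_path!r}")
    return candidate


def is_contained(root: str, user_path: str) -> bool:
    """Boolean wrapper around resolve_under_root, used by the demo below."""
    try:
        resolve_under_root(root, user_path)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    ROOT = "/srv/diaview/www"  # constructed path for the demo, not a real product path
    for req in ("reports/daily.csv", "../../../etc/passwd", "/etc/passwd", "../www2/x"):
        print(f"{req!r:22} unsafe_join -> {unsafe_join(ROOT, req)!r:32} "
              f"hardened -> {'allowed' if is_contained(ROOT, req) else 'rejected'}")
```

The last request in the demo (`../www2/x`) is the one a string-prefix comparison gets wrong: it starts with the root's text but resolves to a sibling directory, so the check has to compare path components.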

2. Johnson Controls FX80 and FX90 (ICSA-25-219-02)

A dependency on a vulnerable third-party component (CWE-1395) enables configuration compromise.

  • CVE-2025-43867: CVSS v3.1 7.7; CVSS v4.0 8.4

3. Burk Technology ARC Solo (ICSA-25-219-03)

Missing authentication for a critical function (CWE-306) in versions prior to v1.0.62 allows takeover via the password-change endpoint.

  • CVE-2025-5095: CVSS v3 9.8; CVSS v4 9.3

4. Rockwell Automation Arena (ICSA-25-219-04)

Multiple local code execution vulnerabilities caused by an out-of-bounds read and by stack-based and heap-based buffer overflows.

  • CVE-2025-7025, CVE-2025-7032, CVE-2025-7033: CVSS v3.1 7.8; CVSS v4.0 8.4

5. Packet Power EMX and EG (ICSA-25-219-05)

Missing authentication for critical function (CWE-306) in default web interface.

  • CVE-2025-8284: CVSS v3.1 9.8; CVSS v4.0 9.3

6. Dreame Technology iOS and Android Mobile Apps (ICSA-25-219-06)

Improper certificate validation (CWE-295) permits man-in-the-middle attacks on self-signed TLS connections.

  • CVE-2025-8393: CVSS v3.1 7.3; CVSS v4.0 8.5
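
The following is an added example, not Dreame's code and not taken from the advisory. It places the weak TLS client setting that typically produces a CWE-295 finding (verification switched off so that a self-signed device certificate "works") beside the hardened form, which keeps verification on and instead pins the device certificate. No connection is made; the contexts are only built and inspected. The `pinned_pem` parameter is an assumption of this example.

```python
# Added example (not Dreame's code and not from the advisory): the weak TLS
# client setting behind a CWE-295 finding, beside the hardened form.
# No network connection is made; the contexts are only built and inspected.
import ssl
from typing import Optional


def insecure_context() -> ssl.SSLContext:
    """Weak setting: verification disabled to make a self-signed device cert 'work'.

    Any on-path party can now present its own certificate and read or modify
    the traffic, which is exactly the man-in-the-middle risk the advisory names.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # has to be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(pinned_pem: Optional[str] = None) -> ssl.SSLContext:
    """Hardened setting: keep CERT_REQUIRED and hostname checking.

    A self-signed or private-CA device certificate is handled by adding that
    certificate to the trust store (pinning it), not by disabling validation.
    `pinned_pem` (an assumption of this example) would hold the device's
    PEM-encoded certificate; none is embedded because nothing connects here.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if pinned_pem:
        ctx.load_verify_locations(cadata=pinned_pem)
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True only if the context will reject an unknown or mismatched certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    print("insecure context verifies peer:", verifies_peer(insecure_context()))
    print("hardened context verifies peer:", verifies_peer(hardened_context()))
```

A quick review check for a mobile or desktop client is to look for the pair `check_hostname = False` / `CERT_NONE` (or the equivalent in the platform's TLS API); the fix is to ship the device or vendor CA certificate with the app and load it, as `hardened_context` does.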

7. EG4 Electronics EG4 Inverters (ICSA-25-219-07)

Cleartext transmission, firmware integrity bypass, information disclosure via observable discrepancy, and excessive authentication attempts.

  • CVE-2025-52586: CVSS v3.1 6.9; CVSS v4.0 7.5
  • CVE-2025-53520: CVSS v3.1 8.8; CVSS v4.0 8.6
  • CVE-2025-47872: CVSS v3.1 5.8; CVSS v4.0 6.9
  • CVE-2025-46414: CVSS v3.1 8.1; CVSS v4.0 9.2

8. Yealink IP Phones & RPS (ICSA-25-219-08)

Multiple flaws—excessive authentication attempts (CWE-307), lack of rate limiting (CWE-770), incorrect authorization (CWE-863), and improper certificate validation (CWE-295).

  • CVE-2025-52916: CVSS v3 2.2; CVSS v4 2.1
  • CVE-2025-52917: CVSS v3 4.3; CVSS v4 5.3
  • CVE-2025-52918: CVSS v3 5.0; CVSS v4 5.3
  • CVE-2025-52919: CVSS v3 4.3; CVSS v4 5.3
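
The following is an added example, not Yealink's code and not taken from the advisory. It implements the kind of login throttle that closes CWE-307 / CWE-770 findings: failed attempts are counted per key within a sliding window and a temporary lockout is applied once the limit is reached. The clock is injectable so the behaviour can be exercised without waiting; the limits, keys and the stubbed credential result are constructed for the demonstration.

```python
# Added example (not Yealink's code and not from the advisory): a login
# throttle that limits failed attempts per key (account or source address)
# within a sliding window and locks the key out temporarily once the limit
# is hit. The clock is injectable so the logic can be exercised instantly.
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class LoginThrottle:
    def __init__(self, max_attempts: int = 5, window_s: float = 300.0,
                 lockout_s: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_attempts = max_attempts
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, key: str, now: float) -> Deque[float]:
        """Drop failure timestamps that have aged out of the sliding window."""
        q = self._failures[key]
        while q and q[0] <= now - self.window_s:
            q.popleft()
        return q

    def allowed(self, key: str) -> bool:
        """False while the key is locked out; otherwise True."""
        now = self._clock()
        if self._locked_until.get(key, 0.0) > now:
            return False
        self._prune(key, now)
        return True

    def record_failure(self, key: str) -> bool:
        """Register a failed attempt; returns True if this one triggered a lockout."""
        now = self._clock()
        q = self._prune(key, now)
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[key] = now + self.lockout_s
            q.clear()
            return True
        return False

    def record_success(self, key: str) -> None:
        """A successful login clears the counters for that key."""
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)

    def attempt(self, key: str, credentials_valid: bool) -> str:
        """One login attempt: returns 'locked', 'denied' or 'ok'.

        `credentials_valid` stands in for the real password check. The throttle
        is consulted first, so a locked-out caller gets the same answer whether
        or not the submitted password was right.
        """
        if not self.allowed(key):
            return "locked"
        if credentials_valid:
            self.record_success(key)
            return "ok"
        self.record_failure(key)
        return "denied"


if __name__ == "__main__":
    fake_now = [1000.0]  # constructed clock so the demo runs instantly
    throttle = LoginThrottle(max_attempts=3, window_s=60.0, lockout_s=120.0,
                             clock=lambda: fake_now[0])
    key = "admin@10.0.0.5"  # constructed key: account plus source address
    for valid in (False, False, False, True):
        print(f"t={fake_now[0]:.0f}s attempt -> {throttle.attempt(key, valid)}")
    fake_now[0] += 121.0
    print(f"t={fake_now[0]:.0f}s attempt -> {throttle.attempt(key, True)}")
```

Keying on account plus source address, as in the demo, means a burst of bad passwords from one source cannot lock a legitimate user out from elsewhere, which is the resource-consumption side (CWE-770) of the same control; a production version would also persist the counters so a device reboot does not reset them.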

9. Instantel Micromate (ICSA-25-148-04)

Missing authentication for a critical function (CWE-306) on the configuration port when connected via modem.

  • CVE-2025-1907: CVSS v3.1 9.8; CVSS v4.0 9.3

10. Mitsubishi Electric ICONICS & Mitsubishi Electric Products (ICSA-25-140-04)

Execution with unnecessary privileges (CWE-250) via symbolic link in AlarmWorX64 Pager agent.

  • CVE-2025-0921: CVSS v3.1 6.5; CVSS v4.0 8.3
  • CVE-2025-7376: CVSS v3.1 5.9; CVSS v4.0 4.1

CISA’s release of ten industrial control systems advisories underscores the persistent and evolving nature of cybersecurity threats facing critical infrastructure.

Organizations operating industrial control systems must remain vigilant in implementing comprehensive cybersecurity programs that address both known vulnerabilities and emerging threat vectors.

The continued collaboration between government agencies, vendors, and operators remains essential for maintaining the security and resilience of critical infrastructure systems that underpin modern society.
