CISA released two Industrial Control Systems (ICS) advisories on July 31, 2025, covering critical vulnerabilities in widely deployed industrial equipment that could let attackers manipulate critical infrastructure systems.
The flaws affect seismic monitoring devices and virtualized industrial systems used across the critical manufacturing sector worldwide.
Key Takeaways
1. CISA issued advisories for Güralp FMUS seismic devices and Rockwell Automation Lifecycle Services built on VMware.
2. The flaws enable unauthenticated remote access and code execution on industrial infrastructure.
3. Isolate affected systems from the internet and apply patches immediately.
Güralp Seismic Monitoring Systems Vulnerability
The first advisory addresses a severe authentication bypass vulnerability in Güralp FMUS Series Seismic Monitoring Devices, affecting all versions currently deployed worldwide.
The vulnerability, tracked as CVE-2025-8286 and classified under CWE-306 (Missing Authentication for Critical Function), carries a maximum CVSS v4 score of 9.3 and CVSS v3 score of 9.8.
Security researcher Souvik Kandar of MicroSec discovered that these devices expose an unauthenticated Telnet-based command line interface accessible remotely with low attack complexity.
Successful exploitation could allow attackers to modify hardware configurations, manipulate seismic data, or perform factory resets on monitoring equipment critical to earthquake detection and industrial safety systems.
The vulnerability’s CVSS v4 vector string, AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, describes an attack that is reachable over the network, needs no privileges or user interaction, and gives high confidentiality, integrity and availability impact on the device itself.
Güralp Systems has not responded to CISA’s coordination attempts, so no vendor fix is available; users are left to implement network-level mitigations, including firewall isolation of the Telnet service and VPN-secured remote access.
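Because the Güralp issue is an exposed Telnet CLI rather than a software bug, the practical check is to find out whether any device on the OT network answers on TCP/23 with a command prompt instead of a login prompt. The probe below is an added example written for this article, not Güralp’s or CISA’s code: it strips Telnet option negotiation (IAC sequences), classifies what the device sends first, and ships with a tiny fake device so the logic can be exercised offline. The banner strings and the `seismic-device>` prompt are constructed for the demo and are not the real FMUS banner.

```python
import re
import socket
import threading

# Telnet protocol bytes (RFC 854 / RFC 855).
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251
# Heuristic for "the device is asking me to authenticate".
AUTH_PROMPT = re.compile(rb"(login|username|password)\s*:", re.IGNORECASE)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC DO/DONT/WILL/WONT option negotiation so only printable banner text remains."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd in (DO, DONT, WILL, WONT):
                i += 3          # IAC <cmd> <option>
            elif cmd == IAC:
                out.append(IAC)  # escaped 0xFF data byte
                i += 2
            else:
                i += 2          # other 2-byte IAC commands (NOP, GA, ...)
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


def classify_banner(banner: bytes) -> str:
    """'auth-prompt' if a login/password prompt is shown, 'open-cli' if a prompt appears
    with no authentication, 'silent' if the service sent nothing."""
    text = strip_telnet_negotiation(banner)
    if AUTH_PROMPT.search(text):
        return "auth-prompt"
    if text.strip():
        return "open-cli"
    return "silent"


def probe_telnet(host: str, port: int = 23, timeout: float = 3.0) -> str:
    """Connect, read whatever the service volunteers before any input, and classify it.
    Returns 'closed' if the port does not accept connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            chunks = []
            s.settimeout(timeout)
            try:
                while True:
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    chunks.append(chunk)
                    s.settimeout(0.3)  # keep draining until the device goes quiet
            except socket.timeout:
                pass
            return classify_banner(b"".join(chunks))
    except OSError:
        return "closed"


def start_fake_device(banner: bytes) -> int:
    """Constructed stand-in for a device: serves one connection on 127.0.0.1, sends the
    banner and hangs up. Returns the ephemeral port it listens on."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed banners: one device drops straight into a CLI, the other asks for a login.
    open_port = start_fake_device(b"\xff\xfb\x01Seismic monitor CLI\r\nseismic-device> ")
    auth_port = start_fake_device(b"\xff\xfd\x18login: ")
    print("open device  :", probe_telnet("127.0.0.1", open_port))
    print("auth device  :", probe_telnet("127.0.0.1", auth_port))
```

Run it against each monitoring device from a host inside the OT segment; any `open-cli` result is a device that should be firewalled off and reachable only through the VPN path CISA recommends. The classifier is deliberately conservative: a device that says nothing until you press Enter shows up as `silent` and deserves a manual look rather than a pass.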
Rockwell Automation Lifecycle Services Using VMware
The second advisory targets Rockwell Automation’s Lifecycle Services utilizing VMware infrastructure, including Industrial Data Centers (IDC), VersaVirtual Appliances (VVA), Threat Detection Managed Services (TDMS), and Endpoint Protection Services.
Four distinct vulnerabilities affect these systems, with CVSS v4 scores reaching 9.4.
Three critical out-of-bounds write vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238) stem from integer overflow and underflow conditions in VMware’s VMXNET3 virtual network adapter, Virtual Machine Communication Interface (VMCI), and Paravirtualized SCSI (PVSCSI) controller, respectively.
Each carries an identical CVSS v3.1 score of 9.3 with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: the attacker needs local access (AV:L), which for these virtual devices means code already running inside a guest that talks to them, but the changed scope (S:C) means a successful exploit breaks out of that boundary and can fully compromise the host.
Additionally, CVE-2025-41239 represents a CWE-908 (Use of Uninitialized Resource) vulnerability in vSockets that could leak sensitive memory contents, rated 8.2 on CVSS v4.
These vulnerabilities collectively enable code execution on hypervisor hosts, potentially compromising entire industrial virtualization infrastructures.
Mitigations
CISA emphasizes implementing defense-in-depth strategies immediately, as these vulnerabilities affect critical manufacturing sectors globally.
Organizations must prioritize network segmentation, ensuring ICS devices remain isolated from internet access and business networks.
For Rockwell systems, users with active managed service contracts will receive direct remediation support, while others should consult Broadcom’s security advisories for VMware patches.
No active exploitation has been reported for either set of vulnerabilities, which gives organizations a window to put protective measures in place before threat actors discover and weaponize these high-impact attack vectors.
