CISA released three significant Industrial Control Systems (ICS) advisories on August 26, 2025, alerting organizations to critical vulnerabilities affecting widely-deployed automation systems.
These advisories highlight severe security flaws across INVT Electric’s engineering tools, Schneider Electric’s Modicon controllers, and Danfoss refrigeration systems, with CVSS v4 scores reaching 8.7, indicating high-severity exploitable conditions.
Key Takeaways
1. CISA issued three ICS advisories for critical flaws in INVT VT-Designer/HMITool, Schneider Modicon, and Danfoss systems.
2. Vulnerabilities enable remote code execution or DoS.
3. Apply vendor patches immediately.
CISA advisory ICSA-25-238-01 exposes nine critical vulnerabilities in INVT Electric’s VT-Designer version 2.1.13 and HMITool version 7.1.011 software platforms.
The vulnerabilities, assigned CVE identifiers CVE-2025-7223 through CVE-2025-7231, primarily involve CWE-787 out-of-bounds write conditions and one CWE-843 type confusion vulnerability.
The affected applications suffer from inadequate input validation when parsing VPM files (in HMITool) and PM3 files (in VT-Designer).
Attackers exploiting these flaws can achieve arbitrary code execution within the current process context, requiring only user interaction such as opening malicious files or visiting compromised web pages.
Each vulnerability carries a CVSS v3.1 score of 7.8 and a CVSS v4 score of 8.5, with attack vectors characterized as AV:L/AC:L/PR:N/UI:R.
The vulnerability researcher Kimiya, working with Trend Micro’s Zero Day Initiative, reported these security flaws to CISA.
Notably, INVT Electric has not responded to CISA’s coordination attempts, leaving users without vendor-provided patches.
The affected systems span multiple critical infrastructure sectors, including Commercial Facilities, Critical Manufacturing, Energy, Information Technology, and Transportation Systems worldwide.
Schneider Electric Modicon Controllers Flaws
Advisory ICSA-25-238-03 addresses CVE-2025-6625, an improper input validation vulnerability (CWE-20) affecting Schneider Electric’s Modicon M340 controllers and associated communication modules.
The flaw enables remote attackers to trigger denial-of-service conditions through specially crafted FTP commands, earning a CVSS v4 score of 8.7 due to its network-accessible attack vector AV:N/AC:L/AT:N/PR:N/UI:N.
Affected products include all versions of the Modicon M340 controller, BMXNOR0200H Ethernet/Serial RTU modules, BMXNGD0100 M580 Global Data modules, and BMXNOC0401 communication modules.
However, Schneider Electric has released firmware updates for the BMXNOE0100 (version 3.60) and BMXNOE0110 (version 6.80) modules, requiring system reboots for implementation.
CyManII researchers discovered the vulnerability and its impacts on the Critical Manufacturing and Energy sectors globally.
Danfoss Refrigeration Systems Flaws
The updated advisory ICSA-25-140-03 reveals three distinct vulnerabilities in Danfoss AK-SM 8xxA Series refrigeration controllers.
CVE-2025-41450 represents an improper authentication vulnerability (CWE-287) caused by datetime-based password generation, enabling authentication bypass in versions prior to R4.2.
Additionally, CVE-2025-41451 involves command injection (CWE-77) through alarm-to-mail configuration fields, allowing post-authenticated remote code execution.
CVE-2025-41452 addresses external control of system settings (CWE-15), potentially causing denial-of-service through improper exception handling.
These vulnerabilities affect versions prior to 4.3.1, with Claroty Team82 researcher Tomer Goldschmidt credited for the discoveries.
Danfoss has released remediation updates, including release R4.2 and release R4.3.1, available through their official software upgrade process.
The vulnerabilities primarily impact Commercial Facilities infrastructure, though their high attack complexity requirements reduce immediate exploitation risks.
CISA emphasizes implementing defense-in-depth strategies across all affected systems, including network segmentation, firewall deployment, and VPN-secured remote access protocols.
Organizations should prioritize immediate patching where available and implement comprehensive monitoring for suspicious activities targeting these industrial automation platforms.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
Source link
