The Cybersecurity and Infrastructure Security Agency (CISA) has recently issued multiple Industrial Control Systems (ICS) advisories highlighting significant security vulnerabilities across various critical infrastructure sectors.
These advisories reveal several high-severity and critical vulnerabilities that demand immediate attention from organizations operating industrial control systems.
This report analyzes the most critical vulnerabilities identified in recent ICS advisories, with a particular focus on the thirteen advisories summarized below.
Overview of the ICS Advisories
Siemens Teamcenter Visualization and Tecnomatix Plant Simulation Vulnerabilities
An out-of-bounds write vulnerability (CVE-2025-23396) in Siemens Teamcenter Visualization and Tecnomatix Plant Simulation occurs when the applications parse specially crafted WRL files.
This vulnerability could allow attackers to execute arbitrary code in the context of the current process. CVE-2025-23397 is an improper restriction of operations within the bounds of a memory buffer in the same applications.
Similar to CVE-2025-23397, CVE-2025-23398 also relates to improper memory buffer operations. It allows memory corruption through malicious WRL file parsing that could lead to unauthorized code execution.
Another memory buffer restriction vulnerability, CVE-2025-23400, affects the same applications and enables memory corruption during specially crafted WRL file parsing.
CVE-2025-27438 is an out-of-bounds read vulnerability in which the applications read past the end of an allocated structure while parsing specially crafted WRL files.
Siemens SINEMA Remote Connect Server Vulnerabilities
CVE-2024-5594 is an improper output neutralization for logs vulnerability in Siemens SINEMA Remote Connect Server. It allows a malicious OpenVPN peer to send garbage to the OpenVPN log or cause high CPU load.
CVE-2024-28882 is a resource management flaw in OpenVPN versions 2.6.0 through 2.6.10 when used in a server role. This could potentially be exploited for unauthorized access.
Siemens SIMATIC S7-1500 TM MFP BIOS Vulnerabilities
CVE-2024-41046 is a double-free vulnerability in the Linux kernel used in the SIMATIC S7-1500 TM MFP BIOS. This could potentially lead to memory corruption or code execution.
CVE-2024-41049 is a use-after-free vulnerability in the Linux kernel's file locking mechanism. This race condition could lead to memory corruption or unauthorized code execution.
CVE-2024-41055 is a NULL pointer dereference vulnerability in the Linux kernel's memory management subsystem. This could result in denial-of-service conditions.
Siemens SiPass integrated AC5102/ACC-G2 and ACC-AP
The advisory includes missing authentication for critical functions and improper input validation vulnerabilities, tracked as CVE-2024-52285, CVE-2025-27493, and CVE-2025-27494.
These could allow an attacker to execute commands on the device with root privileges and access sensitive data.
Siemens SINAMICS S200
An improper authentication vulnerability is tracked as CVE-2024-56336. A CVSS v3 base score of 9.8 has been calculated.
Successful exploitation of this vulnerability could allow an attacker to download untrusted firmware that could damage or compromise the device.
Siemens SCALANCE LPE9403
The advisory includes Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) vulnerabilities, tracked as CVE-2025-27392, CVE-2025-27393, CVE-2025-27398, and CVE-2025-27394.
It also includes Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) vulnerabilities, tracked as CVE-2025-27395 and CVE-2025-27397, and an Improper Check for Dropped Privileges vulnerability, tracked as CVE-2025-27396.
Siemens SCALANCE M-800 and SC-600 Families
A partial string comparison vulnerability is tracked as CVE-2025-23384. Successful exploitation of this vulnerability could allow an attacker to obtain partial invalid usernames accepted by the server.
A remote attacker would need access to a valid certificate in order to perform a successful attack.
Siemens Tecnomatix Plant Simulation
The advisory covers Files or Directories Accessible to External Parties vulnerabilities, assigned CVE-2025-25266 and CVE-2025-25267.
Exploiting these vulnerabilities could allow an unauthorized attacker to read or delete arbitrary files or the entire device file system.
Siemens OPC UA
The vulnerabilities include observable timing discrepancy tracked as CVE-2024-42512 and authentication bypass by primary weakness tracked as CVE-2024-42513.
The vulnerabilities could allow an attacker to bypass application authentication and gain access to the data managed by the server.
Siemens SINEMA Remote Connect Client Vulnerabilities
CVE-2024-1305 is an integer overflow vulnerability in the tap-windows6 driver (version 9.26 and earlier) used in the SINEMA Remote Connect Client.
CVE-2024-27903 is an unrestricted file upload vulnerability in OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier.
Siemens SIMATIC IPC Family, ITP1000, and Field PGs
The advisory covers protection mechanism failure flaws, tracked as CVE-2024-56181 and CVE-2024-56182.
Successful exploitation of these vulnerabilities could allow an authenticated attacker to alter the secure boot configuration or to disable the BIOS password.
Sungrow iSolarCloud Android App and WiNet Firmware
The CISA advisory for Sungrow’s products addresses multiple vulnerabilities in their iSolarCloud Android App and WiNet Firmware.
These vulnerabilities range from improper certificate validation to authorization bypasses and buffer overflows.
The issues could allow remote attackers to intercept sensitive communications, gain unauthorized access, and potentially execute arbitrary code.
Philips Intellispace Cardiovascular (ISCV)
The advisory includes vulnerabilities such as CVE-2025-2230 and CVE-2025-2229 that could allow privilege escalation and arbitrary code execution. This potentially exposes sensitive patient cardiac information, including medical images and diagnostic details.
Mitigations
CISA’s advisories include detailed technical information and recommended mitigations for each vulnerability.
Typical recommendations include applying firmware updates, implementing network segmentation, and restricting access to affected systems. CISA often suggests temporary workarounds for critical vulnerabilities when immediate patching isn’t feasible.
Security professionals across industrial sectors are strongly encouraged to promptly review and implement recommended mitigations.
The significant number of vulnerabilities across major industrial systems highlights the ongoing challenge of securing increasingly connected operational technology environments against evolving cyber threats.