Industrial giants Siemens, Schneider Electric, Aveva, Rockwell Automation, ABB, Phoenix Contact, Mitsubishi Electric, and Moxa have published new ICS security advisories since the previous Patch Tuesday.
Siemens has published nine new advisories since the previous Patch Tuesday.
Vulnerabilities with a ‘critical’ severity rating are mentioned only in one advisory covering older Wi-Fi vulnerabilities affecting Scalance W-700 devices.
Siemens has addressed high-severity vulnerabilities in Sinec NMS (authentication/authorization bypass), Ruggedcom Crossbow (privilege escalation, code execution, DoS), and Industrial Edge Management (authorization bypass). Medium-severity issues have been resolved in TPM and Analytics Toolkit.
The company also announced that it’s participating in the CVE Program’s new Supplier Authorized Data Publisher (SADP) project, which enables vendors such as Siemens to add information to vulnerability entries. Cisco, Microsoft, HeroDevs, Oracle, and Red Hat also took part in the SADP pilot.
Schneider Electric has published three new advisories. One of them describes the impact of the BlastRadius vulnerability disclosed in 2024 on the company’s Modicon Networking Managed Switch.
The other two advisories cover medium-severity vulnerabilities in the PowerChute Serial Shutdown UPS management software and Easergy MiCOM Px40 protection relays.
Aveva released an advisory to inform customers about a critical missing authorization and privilege escalation vulnerability in Pipeline Simulation.
Since the last Patch Tuesday, Rockwell Automation published an important notice urging customers to disconnect PLCs from the internet after becoming aware of potential threat actor activity. The alert is likely related to the attacks conducted by Iran-linked threat groups against critical infrastructure organizations via PLC hacking.
ABB has issued four advisories since the previous Patch Tuesday. Three of them cover third-party component vulnerabilities in Ability Camera Connect, Ability Symphony, and System 800xA products. The last advisory describes a DoS vulnerability in the System 800xA and Symphony Plus IEC 61850 communication stack.
Phoenix Contact has one new advisory that informs customers about multiple flaws in FL Switch products.
Mitsubishi Electric released two new advisories: one for a DoS vulnerability introduced by Realtek chips in home appliances; and one for multiple information disclosure, tampering, and DoS flaws in Genesis64, Iconics Suite, MobileHMI, Hyper Historian, AnalytiX, and MC Works64 products.
Moxa has a new advisory covering an MxGeneralIo security hole that can lead to DoS or privilege escalation.
Since the previous Patch Tuesday, CISA has published advisories for vulnerabilities in GPL Odorizers, Contemporary Controls, Mitsubishi Electric, Hitachi Energy, Yokogawa, PX4, Anritsu, PTC, OpenCode Systems, Wago, Pharos, Grassroots, Automated Logic, IGL-Technologies, CTEK, Codesys, and Inductive Automation products.
Germany’s CERT@VDE has released advisories for Codesys, MB Connect Line, Helmholz, Wago, Phoenix Contact, Baade M2M-Products, and Endress+Hauser products.
Related: ICS Patch Tuesday: Vulnerabilities Fixed by Siemens, Schneider, Moxa, Mitsubishi Electric
Related: ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Aveva, Phoenix Contact
