Bulletins | CERT@VDE

Siemens SIPROTEC 5 Products

Title

Siemens SIPROTEC 5 Products

Published

Jan. 16, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-04

Summary

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY ...

Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products

Title

Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products

Published

Jan. 16, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-06

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 4.9 ATTENTION: Low attack complexity Vendor: Hitachi Energy Equipment: FOX61x, FOXCST, FOXMAN-UN Vulnerability: Improper Validation of Certificate with Host Mismatch 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to intercept or falsify data exchanges between the client and the server. ...

Fuji Electric Alpha5 SMART

Title

Fuji Electric Alpha5 SMART

Published

Jan. 16, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-05

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Fuji Electric Equipment: Alpha5 SMART Vulnerability: Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Fuji Electric ...

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-01

Siemens Mendix LDAP

Title

Siemens Mendix LDAP

Published

Jan. 16, 2025, 1 p.m.

URL

Summary

Hitachi Energy FOX61x Products

Title

Hitachi Energy FOX61x Products

Published

Jan. 16, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-07

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 4.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: FOX61x Products Vulnerability: Relative Path Traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to traverse the file system to access files or directories that would otherwise be inaccessible. ...

14.01.2025

Schneider Electric Vijeo Designer

Title

Schneider Electric Vijeo Designer

Published

Jan. 14, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-014-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: Vijeo Designer Vulnerability: Improper Privilege Management 2. RISK EVALUATION Successful exploitation of these vulnerabilities could cause a non-admin authenticated user to perform privilege escalation by tampering with the binaries. 3. TECHNICAL DETAILS 3.1 AFFECTED ...

14.01.2025

Belledonne Communications Linphone-Desktop

Title

Belledonne Communications Linphone-Desktop

Published

Jan. 14, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-014-04

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Belledonne Communications Equipment: Linphone-Desktop Vulnerability: NULL Pointer Dereference 2. RISK EVALUATION Successful exploitation of this vulnerability could could result in a remote attacker causing a denial-of-service condition on the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED ...

Delta Electronics DRASimuCAD (Update A)

Title

Delta Electronics DRASimuCAD (Update A)

Published

Jan. 10, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-010-03

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Low attack complexity Vendor: Delta Electronics Equipment: DRASimuCAD Vulnerabilities: Out-of-bounds Write, Type Confusion 2. RISK EVALUATION Successful exploitation of these vulnerabilities could crash the device or potentially allow remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ...

Delta Electronics DRASimuCAD

Title

Delta Electronics DRASimuCAD

Published

Jan. 10, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-010-03-0

Summary

Schneider Electric PowerChute Serial Shutdown

Title

Schneider Electric PowerChute Serial Shutdown

Published

Jan. 10, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-010-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: PowerChute Serial Shutdown Vulnerability: Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could cause a denial of access to the web interface when someone on the local network repeatedly requests the ...

Schneider Electric Harmony HMI and Pro-face HMI Products

Title

Schneider Electric Harmony HMI and Pro-face HMI Products

Published

Jan. 10, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-010-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Harmony HMI and Pro-face HMI Products Vulnerability: Use of Unmaintained Third-Party Components 2. RISK EVALUATION Successful exploitation of this vulnerability could cause complete control of the device when an authenticated user installs malicious ...

07.01.2025

Nedap Librix Ecoreader

Title

Nedap Librix Ecoreader

Published

Jan. 7, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Nedap Librix Equipment: Ecoreader Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could result in remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Ecoreader are ...

07.01.2025

ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products

Title

ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products

Published

Jan. 7, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: ABB Equipment: ASPECT-Enterprise, NEXUS, and MATRIX series Vulnerabilities: Files or Directories Accessible to External Parties, Improper Validation of Specified Type of Input, Cleartext Transmission of Sensitive Information, Cross-site Scripting, Server-Side Request Forgery (SSRF), Improper Neutralization of ...

December 2024

Tibbo AggreGate Network Manager

Title

Tibbo AggreGate Network Manager

Published

Dec. 19, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-05

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Tibbo Equipment: AggreGate Network Manager Vulnerability: Unrestricted Upload of File with Dangerous Type 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to achieve code execution on the affected device. 3. TECHNICAL DETAILS ...

Siemens User Management Component

Title

Siemens User Management Component

Published

Dec. 19, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-04

Summary

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS ...

Delta Electronics DTM Soft

Title

Delta Electronics DTM Soft

Published

Dec. 19, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-03

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Delta Electronics Equipment: DTM Soft Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Delta Electronics products ...

Hitachi Energy RTU500 series CMU

Title

Hitachi Energy RTU500 series CMU

Published

Dec. 19, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely Vendor: Hitachi Energy Equipment: RTU500 series CMU Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 ...

Schneider Electric Accutech Manager

Title

Schneider Electric Accutech Manager

Published

Dec. 19, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-06

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Accutech Manager Vulnerability: Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation could allow an attacker to cause a crash of the Accutech Manager when receiving a specially crafted request over port 2536/TCP. 3. ...

Hitachi Energy SDM600

Title

Hitachi Energy SDM600

Published

Dec. 19, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-354-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable from adjacent network Vendor: Hitachi Energy Equipment: SDM600 Vulnerabilities: Origin Validation Error, Incorrect Authorization 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and access sensitive information. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Hitachi ...

Schneider Electric Modicon

Title

Schneider Electric Modicon

Published

Dec. 17, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-04

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Modicon M241 / M251 / M258 / LMC058 Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to a denial-of-service and a loss of confidentiality and integrity in ...

ThreatQuotient ThreatQ Platform

Title

ThreatQuotient ThreatQ Platform

Published

Dec. 17, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: ThreatQuotient Inc. Equipment: ThreatQ Platform Vulnerability: Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ThreatQuotient ...

Hitachi Energy TropOS Devices Series 1400/2400/6400

Title

Hitachi Energy TropOS Devices Series 1400/2400/6400

Published

Dec. 17, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: TropOS Devices Series 1400/2400/6400 Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following ...

Rockwell Automation PowerMonitor 1000 Remote

Title

Rockwell Automation PowerMonitor 1000 Remote

Published

Dec. 17, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-352-03

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: PowerMonitor 1000 Remote Vulnerabilities: Unprotected Alternate Channel, Heap-based Buffer Overflow, Classic Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to perform edit operations, create admin users, perform ...

12.12.2024

Siemens Solid Edge SE2024

Title

Siemens Solid Edge SE2024

Published

Dec. 12, 2024, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-347-07

Summary

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY CVSS ...

12.12.2024