Bulletins | CERT@VDE

New Rock Technologies Cloud Connected Devices

Title

New Rock Technologies Cloud Connected Devices

Published

Jan. 30, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-030-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: New Rock Technologies Equipment: Cloud Connected Devices Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Improper Neutralization of Wildcards or Matching Symbols 2. RISK EVALUATION Successful exploitation of these vulnerabilities ...

28.01.2025

Schneider Electric RemoteConnect and SCADAPack x70 Utilities

Title

Schneider Electric RemoteConnect and SCADAPack x70 Utilities

Published

Jan. 28, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-06

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: Electric RemoteConnect and SCADAPack x70 Utilities Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to loss of confidentiality, integrity, and potential remote code execution on workstation when ...

28.01.2025

Schneider Electric Power Logic

Title

Schneider Electric Power Logic

Published

Jan. 28, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Power Logic Vulnerabilities: Authorization Bypass Through User-Controlled Key, Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to modify ...

28.01.2025

B&R Automation Runtime

Title

B&R Automation Runtime

Published

Jan. 28, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: B&R Equipment: Automation Runtime Vulnerability: Use of a Broken or Risky Cryptographic Algorithm 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to masquerade as legitimate services on impacted devices. 3. TECHNICAL DETAILS ...

Schneider Electric EcoStruxure Power Build Rapsody

Title

Schneider Electric EcoStruxure Power Build Rapsody

Published

Jan. 23, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-05

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.6 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Power Build Rapsody Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of this vulnerability could allow local attackers to potentially execute arbitrary code when ...

HMS Networks Ewon Flexy 202

Title

HMS Networks Ewon Flexy 202

Published

Jan. 23, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-06

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Low attack complexity Vendor: HMS Networks Equipment: Ewon Flexy 202 Vulnerability: Cleartext Transmission of Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to disclose sensitive user credentials. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following ...

Schneider Electric EVlink Home Smart and Schneider Charge

Title

Schneider Electric EVlink Home Smart and Schneider Charge

Published

Jan. 23, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-03

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 8.5 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EVlink Home Smart and Schneider Charge Vulnerability: Cleartext Storage of Sensitive Information 2. RISK EVALUATION Successful exploitation of this vulnerability may expose test credentials in the firmware binary. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ...

Hitachi Energy RTU500 Series Product

Title

Hitachi Energy RTU500 Series Product

Published

Jan. 23, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-023-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: RTU500 series products Vulnerability: Improperly Implemented Security Check for Standard 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to to update the RTU500 with unsigned firmware. 3. TECHNICAL DETAILS ...

21.01.2025

Traffic Alert and Collision Avoidance System (TCAS) II

Title

Traffic Alert and Collision Avoidance System (TCAS) II

Published

Jan. 21, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.1 ATTENTION: Exploitable from adjacent network Standard: Traffic Alert and Collision Avoidance System (TCAS) II Equipment: Collision Avoidance Systems Vulnerabilities: Reliance on Untrusted Inputs in a Security Decision, External Control of System or Configuration Setting 2. RISK EVALUATION Successful exploitation of these vulnerabilities ...

21.01.2025

Siemens SIMATIC S7-1200 CPUs

Title

Siemens SIMATIC S7-1200 CPUs

Published

Jan. 21, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-02

Summary

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY ...

21.01.2025

ZF Roll Stability Support Plus (RSSPlus)

Title

ZF Roll Stability Support Plus (RSSPlus)

Published

Jan. 21, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-021-03

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.9 ATTENTION: Exploitable from an adjacent network/low attack complexity Vendor: ZF Equipment: RSSPlus Vulnerability: Authentication Bypass By Primary Weakness 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely (proximal/adjacent with RF equipment) call diagnostic functions which could ...

Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products

Title

Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN Products

Published

Jan. 16, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-06

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 4.9 ATTENTION: Low attack complexity Vendor: Hitachi Energy Equipment: FOX61x, FOXCST, FOXMAN-UN Vulnerability: Improper Validation of Certificate with Host Mismatch 2. RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to intercept or falsify data exchanges between the client and the server. ...

Siemens SIPROTEC 5 Products

Title

Siemens SIPROTEC 5 Products

Published

Jan. 16, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-04

Summary

Hitachi Energy FOX61x Products

Title

Hitachi Energy FOX61x Products

Published

Jan. 16, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-07

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 4.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Hitachi Energy Equipment: FOX61x Products Vulnerability: Relative Path Traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to traverse the file system to access files or directories that would otherwise be inaccessible. ...

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-01

Siemens Mendix LDAP

Title

Siemens Mendix LDAP

Published

Jan. 16, 2025, 1 p.m.

URL

Summary

Fuji Electric Alpha5 SMART

Title

Fuji Electric Alpha5 SMART

Published

Jan. 16, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-016-05

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Fuji Electric Equipment: Alpha5 SMART Vulnerability: Stack-based Buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Fuji Electric ...

14.01.2025

Schneider Electric Vijeo Designer

Title

Schneider Electric Vijeo Designer

Published

Jan. 14, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-014-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low Attack Complexity Vendor: Schneider Electric Equipment: Vijeo Designer Vulnerability: Improper Privilege Management 2. RISK EVALUATION Successful exploitation of these vulnerabilities could cause a non-admin authenticated user to perform privilege escalation by tampering with the binaries. 3. TECHNICAL DETAILS 3.1 AFFECTED ...

14.01.2025

Belledonne Communications Linphone-Desktop

Title

Belledonne Communications Linphone-Desktop

Published

Jan. 14, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-014-04

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Belledonne Communications Equipment: Linphone-Desktop Vulnerability: NULL Pointer Dereference 2. RISK EVALUATION Successful exploitation of this vulnerability could could result in a remote attacker causing a denial-of-service condition on the affected devices. 3. TECHNICAL DETAILS 3.1 AFFECTED ...

Delta Electronics DRASimuCAD

Title

Delta Electronics DRASimuCAD

Published

Jan. 10, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-010-03-0

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Low attack complexity Vendor: Delta Electronics Equipment: DRASimuCAD Vulnerabilities: Out-of-bounds Write, Type Confusion 2. RISK EVALUATION Successful exploitation of these vulnerabilities could crash the device or potentially allow remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ...

Schneider Electric Harmony HMI and Pro-face HMI Products

Title

Schneider Electric Harmony HMI and Pro-face HMI Products

Published

Jan. 10, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-010-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.7 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: Harmony HMI and Pro-face HMI Products Vulnerability: Use of Unmaintained Third-Party Components 2. RISK EVALUATION Successful exploitation of this vulnerability could cause complete control of the device when an authenticated user installs malicious ...

Schneider Electric PowerChute Serial Shutdown

Title

Schneider Electric PowerChute Serial Shutdown

Published

Jan. 10, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-010-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: PowerChute Serial Shutdown Vulnerability: Improper Authentication 2. RISK EVALUATION Successful exploitation of this vulnerability could cause a denial of access to the web interface when someone on the local network repeatedly requests the ...

Delta Electronics DRASimuCAD (Update A)

Title

Delta Electronics DRASimuCAD (Update A)

Published

Jan. 10, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-010-03

Summary

07.01.2025

Nedap Librix Ecoreader

Title

Nedap Librix Ecoreader

Published

Jan. 7, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Nedap Librix Equipment: Ecoreader Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability could result in remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Ecoreader are ...

07.01.2025

ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products

Title

ABB ASPECT-Enterprise, NEXUS, and MATRIX Series Products

Published

Jan. 7, 2025, 1 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-25-007-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: ABB Equipment: ASPECT-Enterprise, NEXUS, and MATRIX series Vulnerabilities: Files or Directories Accessible to External Parties, Improper Validation of Specified Type of Input, Cleartext Transmission of Sensitive Information, Cross-site Scripting, Server-Side Request Forgery (SSRF), Improper Neutralization of ...

December 2024

19.12.2024