Bulletins | CERT@VDE

Siemens ST7 ScadaConnect

Title

Siemens ST7 ScadaConnect

Published

June 13, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-04

Summary

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global). View CSAF 1. EXECUTIVE SUMMARY ...

Siemens SIMATIC and SIPLUS

Title

Siemens SIMATIC and SIPLUS

Published

June 13, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-10

Summary

Siemens SINEC Traffic Analyzer

Title

Siemens SINEC Traffic Analyzer

Published

June 13, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-13

Summary

Siemens SITOP UPS1600

Title

Siemens SITOP UPS1600

Published

June 13, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-165-05

Summary

Rockwell Automation ControlLogix, GuardLogix, and CompactLogix

Title

Rockwell Automation ControlLogix, GuardLogix, and CompactLogix

Published

June 11, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.3 ATTENTION: Low attack complexity Vendor: Rockwell Automation Equipment: ControlLogix, GuardLogix, CompactLogix Vulnerability: Always-Incorrect Control Flow Implementation 2. RISK EVALUATION Successful exploitation of this vulnerability could compromise the availability of the device. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS Rockwell Automation reports that the ...

https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-02

AVEVA PI Web API

Title

AVEVA PI Web API

Published

June 11, 2024, 2 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.4 ATTENTION: Exploitable remotely/low attack complexity Vendor: AVEVA Equipment: PI Web API Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform remote code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions ...

Intrado 911 Emergency Gateway

Title

Intrado 911 Emergency Gateway

Published

June 11, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-04

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Intrado Equipment: 911 Emergency Gateway (EGW) Vulnerability: SQL Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to execute malicious code, exfiltrate data, or manipulate the database. 3. TECHNICAL DETAILS 3.1 AFFECTED ...

AVEVA PI Asset Framework Client

Title

AVEVA PI Asset Framework Client

Published

June 11, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-163-03

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 7.0 ATTENTION: Low attack complexity Vendor: AVEVA Equipment: PI Asset Framework Client Vulnerability: Deserialization of Untrusted Data 2. RISK EVALUATION Successful exploitation of this vulnerability could allow malicious code execution. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of AVEVA PI Asset ...

06.06.2024

Johnson Controls Software House iStar Pro Door Controller

Title

Johnson Controls Software House iStar Pro Door Controller

Published

June 6, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-04

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Johnson Controls Inc. Equipment: Software House iStar Pro Door Controller, ICU Vulnerability: Missing Authentication for Critical Function 2. RISK EVALUATION Successful exploitation of this vulnerability may allow an attacker to perform a machine-in-the-middle attack to inject ...

06.06.2024

https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-02

Emerson Ovation

Title

Emerson Ovation

Published

June 6, 2024, 2 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Emerson Equipment: Ovation Vulnerabilities: Missing Authentication for Critical Function, Insufficient Verification of Data Authenticity CISA is aware of a public report, known as "OT:ICEFALL", detailing vulnerabilities found in multiple operational technology (OT) vendors. CISA is issuing ...

06.06.2024

Emerson PACSystem and Fanuc

Title

Emerson PACSystem and Fanuc

Published

June 6, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-158-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 5.6 ATTENTION: Low attack complexity Vendor: Emerson Equipment: PACSystem, Fanuc Vulnerabilities: Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity Insufficiently Protected Credentials, Download of Code Without Integrity Check CISA is aware of a public report, known as "OT:ICEFALL", detailing vulnerabilities found ...

04.06.2024

Uniview NVR301-04S2-P4

Title

Uniview NVR301-04S2-P4

Published

June 4, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-156-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 4.8 ATTENTION: Exploitable remotely/low attack complexity/public exploits available Vendor: Uniview Equipment: NVR301-04S2-P4 Vulnerability: Cross-site Scripting 2. RISK EVALUATION An attacker could send a user a URL that if clicked on could execute malicious JavaScript in their browser. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS ...

May 2024

https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-03

Inosoft VisiWin

Title

Inosoft VisiWin

Published

May 30, 2024, 2 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity/public exploits are available Vendor: Inosoft Equipment: VisiWin Vulnerability: Incorrect Default Permissions 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to gain SYSTEM privileges. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Inosoft products are ...

https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-01

LenelS2 NetBox

Title

LenelS2 NetBox

Published

May 30, 2024, 2 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: LenelS2 Equipment: NetBox Vulnerabilities: Use of Hard-coded Password, OS Command Injection, Argument Injection 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute malicious commands with elevated permissions 3. ...

https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-04

Westermo EDW-100

Title

Westermo EDW-100

Published

May 30, 2024, 2 p.m.

URL

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Westermo Equipment: EDW-100 Vulnerabilities: Use of Hard-coded Password, Insufficiently Protected Credentials 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to access the device using hardcoded credentials and download cleartext username and passwords. ...

Fuji Electric Monitouch V-SFT

Title

Fuji Electric Monitouch V-SFT

Published

May 30, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Fuji Electric Equipment: Monitouch V-SFT Vulnerabilities: Out-of-Bounds Write, Stack-Based Buffer Overflow 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of ...

Fuji Electric Monitouch V-SFT (Update A)

Title

Fuji Electric Monitouch V-SFT (Update A)

Published

May 30, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-02

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Fuji Electric Equipment: Monitouch V-SFT Vulnerabilities: Out-of-Bounds Write, Stack-Based Buffer Overflow, Type Confusion 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code. 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following ...

28.05.2024

Campbell Scientific CSI Web Server

Title

Campbell Scientific CSI Web Server

Published

May 28, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-149-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Campbell Scientific Equipment: CSI Web Server Vulnerabilities: Path Traversal, Weak Encoding for Password 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to download files and decode stored passwords. 3. TECHNICAL DETAILS 3.1 ...

23.05.2024

AutomationDirect Productivity PLCs

Title

AutomationDirect Productivity PLCs

Published

May 23, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-144-01

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 9.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: AutomationDirect Equipment: Productivity PLCs Vulnerabilities: Buffer Access with Incorrect Length Value, Out-of-bounds Write, Stack-based Buffer Overflow, Improper Access Control, Active Debug Code, Insufficient Verification of Data Authenticity 2. RISK EVALUATION Successful exploitation of these vulnerabilities could ...

Siemens SIMATIC CN 4100 Before V3.0

Title

Siemens SIMATIC CN 4100 Before V3.0

Published

May 16, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-06

Summary

Siemens Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems

Title

Siemens Desigo Fire Safety UL and Cerberus PRO UL Fire Protection Systems

Published

May 16, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-12

Summary

Siemens Simcenter Nastran

Title

Siemens Simcenter Nastran

Published

May 16, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-05

Summary

Siemens PS/IGES Parasolid Translator Component

Title

Siemens PS/IGES Parasolid Translator Component

Published

May 16, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-08

Summary

Rockwell Automation FactoryTalk View SE

Title

Rockwell Automation FactoryTalk View SE

Published

May 16, 2024, 2 p.m.

URL

https://www.cisa.gov/news-events/ics-advisories/icsa-24-137-14

Summary

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Rockwell Automation Equipment: FactoryTalk View SE Vulnerability: Improper Input Validation 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to inject a malicious SQL statement in the SQL database, resulting in expose sensitive ...