The US Cybersecurity and Infrastructure Security Alliance has issued advisories for 11 critical and high-risk vulnerabilities in industrial control systems (ICS) products from several manufacturers.The issues include OS command injection, unsafe deserialization of data, use of broken cryptographic algorithms, authentication bypass, improper access controls, use of default credentials, sensitive information leaks, and more. The flaws affect products from B&R Industrial Automation, Schneider Electric, Rockwell Automation, and BD (Becton, Dickinson and Co.). CISA warned that Schneider Electric RemoteConnect and SCADAPack x70 Utilities is vulnerable to a deserialization flaw rated 8.5 (High) on the CVSS scale. Successful exploitation can lead to remote code execution on workstations when non-admin users open maliciously crafted project files.RemoteConnect and SCADAPack x70 Utilities is used to monitor, configure, and program SCADAPack smart remote terminal units (RTUs). SCADAPack x70 is one of the newest generations of Schneider RTUs used in the energy and critical manufacturing sectors.Schneider plans to address this vulnerability, tracked as CVE-2024-12703, in future releases of the software, but for now the company has released mitigation recommendations that include opening project files only from trusted sources, computing cryptographic hashes for projects and regularly checking them, encrypting project files when stored, and restricting access to project files.Another Schneider product, PowerLogic HDPM6000 High-Density Metering, a power meter for large and critical power applications, has two vulnerabilities: An authorization bypass through user-controlled key (CVSS 8.7) and a buffer overflow (CVSS 6.9).The authorization bypass (CVE-2024-10497) can be exploited by sending specifically crafted HTTPS requests to the device leading to privilege escalation. The buffer overflow (CVE-2024-10498) could lead to invalid data or a denial-of-service condition for the web interface functionality. The flaws have been patched in HDPM6000 version 0.62.11 and newer.
Rockwell Automation: Command injection flaw, misconfigurations, and more
Rockwell Automation patched two flaws in FactoryTalk View Machine Edition and another two in FactoryTalk View Site Edition. FactoryTalk provides an human-to-machine interface (HMI) for monitoring automation applications running on controllers.FactoryTalk View Machine Edition is vulnerable to an OS command injection issue (CVE-2025-24480) that could allow attackers to run commands with high privileges on the underlying system. The flaw is rated critical with a CVSS score of 9.3. The product also has a default setting that allows access to the Windows command prompt as a higher privileged user (CVE-2025-24479; CVSS 8.4).The flaws in the Site Edition, CVE-2025-24481 and CVE-2025-24482, are misconfigurations that could allow attackers to access system configuration without authentication or to execute DLLs with high-level permissions. The flaws are rated CVSS 7.0, which indicates high severity.FactoryTalk DataMosaix Private Cloud, an industrial DataOps solution that’s available either as a service or to be deployed in a private cloud, received patches for two other vulnerabilities: a path traversal issue that can lead to sensitive data exposure (CVE-2024-11932) and a critical use-after-free memory vulnerability inherited from the SQLite open-source component (CVE-2020-11656).
B&R Industrial Automation: Services impersonation
B&R Automation Runtime and mapp View software products generate self-signed certificates for its SSL/TLS component by using a signing algorithm that’s considered insecure. This issue, tracked as CVE-2024-8603, can allow attackers to impersonate services, although B&R notes that the self-signed certificates are meant to be used only for testing, not in real-world deployments.
BD: Default credential issues
Multiple BD Diagnostic Solutions for medical professionals use default credentials that could allow attackers to access, modify, or delete data, including protected health information (PHI) and personally identifiable information (PII). The flaw, tracked as CVE-2024-10476, can also be used to shut down the affected systems.Impacted products include BD BACTEC Blood Culture System, BD COR System, BD EpiCenter Microbiology Data Management System, BD MAX System, BD Phoenix M50 Automated Microbiology System, and Synapsys Informatics Solution.”BD has already communicated to users with affected products and is working with them to update default credentials on affected products,” CISA said. “For this vulnerability to be exploited, a threat actor will need direct access, whether logical or physical, into the clinical setting.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3811814/cisa-warns-of-critical-high-risk-flaws-in-ics-products-from-four-vendors.html
