Security Reports (old posts, page 22)

Siemens SINEC NMS

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: SINEC NMS
  • Vulnerabilities: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'), Missing Authentication for Critical Function, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to elevate privileges and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

  • Siemens SINEC NMS: All versions prior to V4.0

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN SQL COMMAND ('SQL INJECTION') CWE-89

The affected devices are vulnerable to SQL injection. This could allow an unauthenticated remote attacker to execute arbitrary SQL queries on the server database.

CVE-2025-40735 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40735. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
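The defect class named in 3.2.1 and the fix that removes it, side by side, as an added example (this is not code from the advisory or from SINEC NMS, whose schema and queries are not public here): the vulnerable lookup splices the caller's input into the statement text, while the hardened lookup binds it as a parameter so the database engine never parses it as SQL. The table, rows and probe string are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for the server database.
    The table and rows are sample data, not the SINEC NMS schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "operator"), ("bob", "viewer"), ("superadmin", "admin")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """CWE-89 pattern: the caller's string is pasted into the SQL text, so a
    quote character inside it changes the structure of the statement."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, name: str) -> list[tuple[str, str]]:
    """Fix: the value travels as a bound parameter. The statement text is fixed
    at development time and the driver never interprets the value as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name: str) -> tuple[int, int]:
    """Row counts returned by the vulnerable and hardened lookups for one input."""
    conn = make_db()
    try:
        return (
            len(find_user_vulnerable(conn, name)),
            len(find_user_hardened(conn, name)),
        )
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed probe input: a quote character followed by an always-true
    # condition. The vulnerable lookup returns every row, the hardened one none,
    # because the hardened query compares the literal string against the column.
    print(compare("alice"))           # (1, 1)
    print(compare("x' OR '1'='1"))    # (3, 0)
```

The same principle applies to any database driver: use its placeholder syntax (`?`, `%s`, `:name`) and pass values separately, and treat any code path that builds SQL text with string formatting or concatenation as a finding during review.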

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected application exposes an endpoint that allows an unauthorized modification of administrative credentials. This could allow an unauthenticated attacker to reset the superadmin password and gain full control of the application (ZDI-CAN-26569).

CVE-2025-40736 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40736. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The affected application does not properly validate file paths when extracting uploaded ZIP files. This could allow an attacker to write arbitrary files to restricted locations and potentially execute code with elevated privileges (ZDI-CAN-26571).

CVE-2025-40737 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40737. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The affected application does not properly validate file paths when extracting uploaded ZIP files. This could allow an attacker to write arbitrary files to restricted locations and potentially execute code with elevated privileges (ZDI-CAN-26572).

CVE-2025-40738 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40738. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
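Both path traversal entries (3.2.3 and 3.2.4) describe the same root cause: an archive entry name is joined to the extraction directory without checking where the joined path ends up. The following is an added example, not SINEC NMS code; the archive contents and directory names are constructed. It shows the check an extractor needs: resolve every entry name against the destination and refuse any entry that lands outside it, reporting the rejection rather than silently skipping it.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_sample_zip() -> bytes:
    """Constructed archive for the demonstration: one ordinary entry and one
    whose name climbs out of the extraction directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("config/site.txt", "ordinary content\n")
        zf.writestr("../outside.txt", "must never be written\n")
    return buf.getvalue()


def safe_extract(archive: bytes, dest: Path) -> tuple[list[str], list[str]]:
    """Extract only entries that resolve to a location inside dest.

    Returns (written, rejected) entry names so the caller can log rejections
    as a signal of a tampered upload instead of dropping them quietly.
    """
    dest = dest.resolve()
    written: list[str] = []
    rejected: list[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute names are rejected before any path joining happens.
            if name.startswith(("/", "\\")) or Path(name).is_absolute():
                rejected.append(name)
                continue
            target = (dest / name).resolve()
            # The essential check: after '..' components are resolved, the
            # target must still be dest itself or lie somewhere beneath it.
            if target != dest and dest not in target.parents:
                rejected.append(name)
                continue
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(name)
    return written, rejected


def demo() -> tuple[list[str], list[str]]:
    """Run the extractor on the constructed archive in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), Path(tmp) / "upload")


if __name__ == "__main__":
    print(demo())  # (['config/site.txt'], ['../outside.txt'])
```

Python's own `ZipFile.extractall` happens to strip such components, but many extraction routines in other languages and libraries do not, and the advisory says exactly this validation was missing. The comparison is done on resolved paths on purpose: a check on the raw string (looking for `..`) misses encoded and platform-specific variants, whereas the resolved target either lies under the destination or it does not.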

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Trend Micro Zero Day Initiative coordinated CVE-2025-40736, CVE-2025-40737, and CVE-2025-40738 with Siemens.

Siemens ProductCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-078892 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • July 10, 2025: Initial Republication of Siemens ProductCERT SSA-078892

Siemens SIPROTEC 5

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v4 6.0
  • ATTENTION: Exploitable remotely
  • Vendor: Siemens
  • Equipment: SIPROTEC 5
  • Vulnerability: Use of GET Request Method With Sensitive Query Strings

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • SIPROTEC 5 6MD84 (CP300): All versions
  • SIPROTEC 5 7SA86 (CP300): All versions
  • SIPROTEC 5 7SA87 (CP300): All versions
  • SIPROTEC 5 7SD82 (CP100): All versions
  • SIPROTEC 5 7SD82 (CP150): All versions
  • SIPROTEC 5 7SD86 (CP300): All versions
  • SIPROTEC 5 7SD87 (CP300): All versions
  • SIPROTEC 5 7SJ81 (CP100): All versions
  • SIPROTEC 5 7SJ81 (CP150): All versions
  • SIPROTEC 5 7SJ82 (CP100): All versions
  • SIPROTEC 5 7SJ82 (CP150): All versions
  • SIPROTEC 5 6MD85 (CP300): All versions
  • SIPROTEC 5 7SJ85 (CP300): All versions
  • SIPROTEC 5 7SJ86 (CP300): All versions
  • SIPROTEC 5 7SK82 (CP100): All versions
  • SIPROTEC 5 7SK82 (CP150): All versions
  • SIPROTEC 5 7SK85 (CP300): All versions
  • SIPROTEC 5 7SL82 (CP100): All versions
  • SIPROTEC 5 7SL82 (CP150): All versions
  • SIPROTEC 5 7SL86 (CP300): All versions
  • SIPROTEC 5 7SL87 (CP300): All versions
  • SIPROTEC 5 7SS85 (CP300): All versions
  • SIPROTEC 5 6MD86 (CP300): All versions
  • SIPROTEC 5 7ST85 (CP300): All versions
  • SIPROTEC 5 7ST86 (CP300): All versions
  • SIPROTEC 5 7SX82 (CP150): All versions
  • SIPROTEC 5 7SX85 (CP300): All versions
  • SIPROTEC 5 7SY82 (CP150): All versions
  • SIPROTEC 5 7UM85 (CP300): All versions
  • SIPROTEC 5 7UT82 (CP100): All versions
  • SIPROTEC 5 7UT82 (CP150): All versions
  • SIPROTEC 5 7UT85 (CP300): All versions
  • SIPROTEC 5 7UT86 (CP300): All versions
  • SIPROTEC 5 6MD89 (CP300): All versions
  • SIPROTEC 5 7UT87 (CP300): All versions
  • SIPROTEC 5 7VE85 (CP300): All versions
  • SIPROTEC 5 7VK87 (CP300): All versions
  • SIPROTEC 5 7VU85 (CP300): All versions
  • SIPROTEC 5 Compact 7SX800 (CP050): All versions
  • SIPROTEC 5 6MD89 (CP300) V9.6: All versions
  • SIPROTEC 5 6MU85 (CP300): All versions
  • SIPROTEC 5 7KE85 (CP300): All versions
  • SIPROTEC 5 7SA82 (CP100): All versions
  • SIPROTEC 5 7SA82 (CP150): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF GET REQUEST METHOD WITH SENSITIVE QUERY STRINGS CWE-598

The affected devices include session identifiers in URL requests for certain functionalities. This could allow an attacker to retrieve sensitive session data from browser history, logs, or other storage mechanisms, potentially leading to unauthorized access.

CVE-2025-40742 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-40742. A base score of 6.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
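Because a GET query string is recorded by web servers, proxies and browsers alike, one defensive response to CWE-598 is to find out where session identifiers are already being written and to redact them before logs are stored or shipped. The following is an added example, not SIPROTEC 5 code or a Siemens tool: the access-log lines and the list of parameter names it treats as session material are constructed assumptions, since the advisory does not name the affected parameter.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed set of query parameter names that carry session or credential
# material; adjust to the application under review.
SENSITIVE_PARAMS = {"sessionid", "jsessionid", "sid", "session", "token", "auth"}

# Constructed sample access-log lines in common log format.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jul/2025:08:01:12 +0000] "GET /status HTTP/1.1" 200 512
10.0.0.7 - - [10/Jul/2025:08:01:30 +0000] "GET /records?sessionId=9f3c2a7b&page=2 HTTP/1.1" 200 2048
10.0.0.9 - - [10/Jul/2025:08:02:05 +0000] "GET /export?format=csv HTTP/1.1" 200 4096
10.0.0.7 - - [10/Jul/2025:08:02:44 +0000] "POST /login HTTP/1.1" 302 0
"""

# Request line inside the quotes: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')


def sensitive_query_params(target: str) -> list[str]:
    """Names of query parameters in the request target that look like session material."""
    query = urlsplit(target).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE_PARAMS]


def redact_target(target: str) -> str:
    """Same request target with sensitive parameter values replaced."""
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def redact_line(line: str) -> str:
    """Log line with the request target redacted, safe to forward to a SIEM."""
    return REQUEST_RE.sub(
        lambda m: f'"{m.group("method")} {redact_target(m.group("target"))} {m.group("proto")}"',
        line,
    )


def scan_log(text: str) -> list[dict]:
    """Findings for every request whose query string carries session material."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = sensitive_query_params(m.group("target"))
        if params:
            findings.append({
                "line": lineno,
                "method": m.group("method"),
                "params": params,
                "redacted": redact_target(m.group("target")),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Run over real logs, the scanner answers the question the risk evaluation raises (where is session data already stored?), and `redact_line` is the transformation to apply at the log-forwarding stage while the underlying application still sends identifiers in the URL.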

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Siemens

3.4 RESEARCHER

Nozomi Networks reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens is preparing fixed versions and recommends countermeasures for products where fixes are unavailable or not yet available.

Operators of critical power systems (e.g., TSOs or DSOs) worldwide are typically required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. Therefore, operators should check whether appropriate resilient protection measures are in place. The risk of cyber incidents affecting the grid's reliability can thus be minimized by the grid design.

Siemens strongly recommends applying the provided security updates using the corresponding tools and documented procedures that accompany the product. If the product supports this capability, an automated method can be used to apply the security updates across multiple product instances. Siemens strongly recommends validating any security update before it is applied and ensuring that trained staff supervise the update process in the target environment.

As a general security measure, Siemens strongly recommends protecting network access with appropriate security mechanisms (e.g., firewalls, segmentation, VPN). It is advised that the environment be configured according to Siemens' operational guidelines to operate the devices in a protected IT environment.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-904646 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • July 10, 2025: Initial Republication of Siemens SSA-904646

Siemens Solid Edge

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v4 7.3
  • ATTENTION: High attack complexity
  • Vendor: Siemens
  • Equipment: Solid Edge SE2025
  • Vulnerabilities: Out-of-bounds Read, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to crash the application or execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports the following products are affected:

  • Solid Edge SE2025: All versions prior to V225.0 Update 5

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-40739 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40739. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted PAR files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-40740 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40740. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

The affected applications contain a stack-based buffer overflow vulnerability while parsing specially crafted CFG files. This could allow an attacker to execute code in the context of the current process.

CVE-2025-40741 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-40741. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Michael Heinzl coordinated these vulnerabilities with Siemens.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Solid Edge SE2025: Update to V225.0 Update 5 or a later version.
  • (CVE-2025-40739, CVE-2025-40740) Solid Edge SE2025: Do not open untrusted PAR files in the affected applications.
  • (CVE-2025-40741) Solid Edge SE2025: Do not open untrusted CFG files in affected applications.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-091753 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • July 10, 2025: Initial Republication of Siemens ProductCERT SSA-091753

Siemens TIA Administrator

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v4 8.5
  • ATTENTION: Low attack complexity
  • Vendor: Siemens
  • Equipment: TIA Administrator
  • Vulnerabilities: Improper Verification of Cryptographic Signature, Improper Access Control

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privilege or execute arbitrary code during installations.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • TIA Administrator: All versions prior to V3.0.6

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

The affected application improperly validates code signing certificates. This could allow an attacker to bypass the check and execute arbitrary code during installations.

CVE-2025-23364 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-23364. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER ACCESS CONTROL CWE-284

The affected application allows low-privileged users to trigger installations by overwriting cache files and modifying the downloads path. This would allow an attacker to escalate privilege and execute arbitrary code.

CVE-2025-23365 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-23365. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-573669 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

  • July 10, 2025: Initial Republication of Siemens SSA-573669

Siemens TIA Project-Server and TIA Portal

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

  • CVSS v4 5.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Siemens
  • Equipment: Project-Server and TIA Portal
  • Vulnerability: Unrestricted Upload of File with Dangerous Type

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

  • TIA Project-Server: Versions prior to V2.1.1
  • TIA Project-Server V17: All versions
  • Totally Integrated Automation Portal (TIA Portal) V17: All versions
  • Totally Integrated Automation Portal (TIA Portal) V18: All versions
  • Totally Integrated Automation Portal (TIA Portal) V19: All versions
  • Totally Integrated Automation Portal (TIA Portal) V20: Versions prior to V20 Update 3

3.2 VULNERABILITY OVERVIEW

3.2.1 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

The affected application improperly handles uploaded projects in the document root. This could allow an attacker with contributor privileges to cause denial of service by uploading a malicious project.

CVE-2025-27127 has been assigned to this vulnerability. A CVSS v3 base score of 4.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2025-27127. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends countermeasures for products where fixes are unavailable or not yet available:

  • TIA Project-Server V17, TIA Portal V17, TIA Portal V18: Currently no fix is planned
  • TIA Portal V19: Currently no fix is available
  • TIA Project-Server: Update to V2.1.1 or later version
  • Totally Integrated Automation Portal (TIA Portal) V20: Update to V20 Update 3 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-460466 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • July 10, 2025: Initial Republication of Siemens SSA-460466

Emerson ValveLink Products

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Emerson
  • Equipment: ValveLink Products
  • Vulnerabilities: Cleartext Storage of Sensitive Information in Memory, Protection Mechanism Failure, Uncontrolled Search Path Element, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker with access to the system to read sensitive information stored in cleartext, tamper with parameters, and run unauthorized code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following ValveLink products are affected:

  • ValveLink SOLO: All versions prior to ValveLink 14.0
  • ValveLink DTM: All versions prior to ValveLink 14.0
  • ValveLink PRM: All versions prior to ValveLink 14.0
  • ValveLink SNAP-ON: All versions prior to ValveLink 14.0

3.2 VULNERABILITY OVERVIEW

3.2.1 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316

The product stores sensitive information in cleartext in memory. The sensitive memory might be saved to disk, stored in a core dump, or remain uncleared if the product crashes, or if the programmer does not properly clear the memory before freeing it.

CVE-2025-52579 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2025-52579. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.2 CLEARTEXT STORAGE OF SENSITIVE INFORMATION IN MEMORY CWE-316

The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

CVE-2025-50109 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-50109. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.3 PROTECTION MECHANISM FAILURE CWE-693

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

CVE-2025-46358 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-46358. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.4 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

CVE-2025-48496 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-48496. A base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CVE-2025-53471 has been assigned to this vulnerability. A CVSS v3 base score of 5.1 has been calculated; the CVSS vector string is (AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-53471. A base score of 5.9 has been calculated; the CVSS vector string is (AV:L/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Emerson reported these vulnerabilities to CISA.

4. MITIGATIONS

Emerson recommends users update their ValveLink software to ValveLink 14.0 or later. The upgrade can be downloaded from the Emerson website.

For more information see the associated Emerson security notification.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • July 8, 2025: Initial Publication

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

  • CVE-2014-3931 Multi-Router Looking Glass (MRLG) Buffer Overflow Vulnerability
  • CVE-2016-10033 PHPMailer Command Injection Vulnerability
  • CVE-2019-5418 Rails Ruby on Rails Path Traversal Vulnerability
  • CVE-2019-9621 Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery (SSRF) Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Releases Four Industrial Control Systems Advisories

CISA released four Industrial Control Systems (ICS) advisories on July 3, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Hitachi Energy MicroSCADA X SYS600

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.1
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: MicroSCADA X SYS600
  • Vulnerabilities: Incorrect Default Permissions, External Control of File Name or Path, Improper Validation of Integrity Check Value, Exposure of Sensitive Information Through Data Queries, Improper Certificate Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to tamper with the system file, overwrite files, create a denial-of-service condition, or leak file content.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

  • Hitachi Energy MicroSCADA Pro/X SYS600: version 10.0 up to 10.6 (CVE-2025-39201, CVE-2025-39202, CVE-2025-39204, CVE-2025-39205)
  • Hitachi Energy MicroSCADA Pro/X SYS600: version 10.5 up to 10.6 (CVE-2025-39203)
  • Hitachi Energy MicroSCADA Pro/X SYS600: version 10.3 up to 10.6 (CVE-2025-39205)

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276

A vulnerability exists in the mailslot functionality of the MicroSCADA X SYS600 product. If exploited, this could allow a local attacker to tamper with the mailslot configuration file, resulting in a denial of service of the mailslot and a related service.

CVE-2025-39201 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2025-39201. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:L).

3.2.2 EXTERNAL CONTROL OF FILE NAME OR PATH CWE-73

A vulnerability exists in the Monitor Pro and Supervision log components of the MicroSCADA X SYS600 product. A local, authenticated, low-privilege user can read and overwrite files, causing information leakage and data corruption.

CVE-2025-39202 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-39202. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:H/SA:H).

3.2.3 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354

Crafted message content from an IED or a remote system can cause a denial of service, resulting in a disconnection loop.

CVE-2025-39203 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-39203. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H).

3.2.4 EXPOSURE OF SENSITIVE INFORMATION THROUGH DATA QUERIES CWE-202

A filtering query in MicroSCADA X SYS600 can be malformed so that the returned data leaks the content of arbitrary files.

CVE-2025-39204 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-39204. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H).

3.2.5 IMPROPER CERTIFICATE VALIDATION CWE-295

A vulnerability exists in the MicroSCADA X SYS600 certificate validation system. The TLS implementation allowed a remote man-in-the-middle attack because it granted too many permissions.

CVE-2025-39205 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-39205. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

  • (CVE-2025-39201, CVE-2025-39202, CVE-2025-39204) Hitachi Energy MicroSCADA X SYS600 versions from 10.0 to 10.6: Update to version 10.7
  • (CVE-2025-39203) Hitachi Energy MicroSCADA X SYS600 versions from 10.5 to 10.6: Update to version 10.7
  • (CVE-2025-39205) Hitachi Energy MicroSCADA X SYS600 versions from 10.3 to 10.6: Update to version 10.7

The following product versions have been fixed:

  • MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39201
  • MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39202
  • MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39203
  • MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39204
  • MicroSCADA X SYS600 10.7 is a fixed version for CVE-2025-39205

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000218 Cybersecurity Advisory - Multiple vulnerabilities in Hitachi Energy MicroSCADA Pro/X SYS600 product.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • July 03, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000218.