View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 6.9
• ATTENTION: Exploitable remotely
• Vendor: Schneider Electric
• Equipment: System Monitor Application
• Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute untrusted code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports the following products are affected:

• System Monitor application in Harmony Industrial PC series: All versions
• System Monitor application in Pro-face Industrial PC series: All versions

3.2 Vulnerability Overview

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing

CVE-2020-11023 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Schneider Electric System Monitor application in Harmony Industrial PC series: Users can uninstall System Monitor application using the installer available for download here.
• Please follow the steps described in the guideline attached as a PDF in the downloaded uninstaller guide.
• Schneider Electric System Monitor application in Harmony Industrial PC series: If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
  • Stop the system monitor if not required by turning off the services as specified in the Harmony Industrial PC Series User Manual.
  • Set up network segmentation and implement a firewall to block all unauthorized access to configured HTTP/HTTPS ports.
• Schneider Electric System Monitor application in Pro-face Industrial PC series: Users can uninstall System Monitor application using the installer available for download here
• Please follow the steps described in the guideline attached as a PDF in the downloaded uninstaller guide.
• Schneider Electric System Monitor application in Pro-face Industrial PC series: If users choose not to apply the remediation provided above, they should immediately apply the following mitigations to reduce the risk of exploit:
  • Stop the system monitor if not required by turning off the services as specified in the Pro-face PS5000 legacy industrial PC Series User Manual.
  • Set up network segmentation and implement a firewall to block all unauthorized access to configured HTTP/HTTPS ports.

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-189-02 System Monitor Application in Harmony and Pro-face PS5000 Legacy Industrial PCs - SEVD-2025-189-02 PDF Version, System Monitor Application in Harmony and Pro-face PS5000 Legacy Industrial PCs - SEVD-2025-189-02 CSAF Version.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• July 22, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-189-02

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. See CISA’s Alert Microsoft Releases Guidance on Exploitation of SharePoint Vulnerability (CVE-2025-53770) for more information and to apply the recommended mitigations. 

• CVE-2025-53770: Microsoft SharePoint Server Remote Code Execution Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA is aware of active exploitation of a new remote code execution (RCE) vulnerability enabling unauthorized access to on-premise SharePoint servers. While the scope and impact continue to be assessed, the new Common Vulnerabilities and Exposures (CVE), CVE-2025-53770, is a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations. This exploitation activity, publicly reported as “ToolShell,” provides unauthenticated access to systems and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network. 

CISA recommends the following actions to reduce the risks associated with the RCE compromise: 

• Configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender AV on all SharePoint servers.
  • If AMSI cannot be enabled, disconnect affected products from service that are public-facing on the internet until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions.
  • Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
• For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Customer Guidance for SharePoint Vulnerability and advisory for CVE-2025-49706. Organizations are encouraged to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
• Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
• Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
• Update intrusion prevention system and web-application firewall rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
• Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
• Audit and minimize layout and admin privileges.

For more information on this vulnerability, please see Eye Security’s reporting and Palo Alto Unit42’s post. CVE-2025-53770 has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025. 

Note: This Alert may be updated to reflect new guidance issued by CISA or other parties.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.  

Disclaimer:  

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. 

Update (07/24/2025): CISA continues to update reporting on this ongoing activity, as threat actor tactics, techniques, and procedures (TTPs) continue to evolve. This update contains additional information on the deployment of ransomware, new webshells involved in exploitation, and enhanced detection guidance. 

Update (07/22/2025): This Alert was updated to reflect newly released information from Microsoft, and to correct the actively exploited Common Vulnerabilities and Exposures (CVEs), which have been confirmed as CVE-2025-49706, a network spoofing vulnerability, and CVE-2025-49704, a remote code execution (RCE) vulnerability.

CISA is aware of active exploitation of a spoofing and RCE vulnerability chain involving CVE-2025-49706 and CVE-2025-49704, enabling unauthorized access to on-premise SharePoint servers. While the scope and impact continue to be assessed, the chain, publicly reported as “ToolShell,” provides unauthenticated access to systems and authenticated access through network spoofing, respectively, and enables malicious actors to fully access SharePoint content, including file systems and internal configurations, and execute code over the network. Beyond the typical webshells, such as .aspx and .exe, .dll payloads have been observed during exploitation. Most recently, threat actors have also been observed encrypting files and distributing Warlock ransomware on compromised systems.

While not actively exploited, Microsoft has identified the following new CVEs that pose a potential risk: 

• CVE-2025-53771 is a patch bypass for CVE-2025-49706.
• CVE-2025-53770 is a patch bypass for CVE-2025-49704. 

CISA recommends the following actions to reduce the risks associated with the RCE compromise: 

• Apply the necessary security updates released by Microsoft.
• Configure Antimalware Scan Interface (AMSI) in SharePoint as indicated by Microsoft and deploy Microsoft Defender AV on all SharePoint servers.
  • If AMSI cannot be enabled, disconnect affected products from service that are public-facing on the internet until official mitigations are available. Once mitigations are provided, apply them according to CISA and vendor instructions.
  • Follow the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.
• For information on detection, prevention, and advanced threat hunting measures, see Microsoft’s Disrupting active exploitation of on-premises SharePoint vulnerabilities and advisory for CVE-2025-49706. CISA encourages organizations to review all articles and security updates published by Microsoft on July 8, 2025, relevant to the SharePoint platform deployed in their environment.
• Beyond patching, it is critical for organizations to further investigate systems for signs of exploitation. Malware deployed via .dll payloads in particular are difficult to detect, and can be used to obtain machine keys.
• Rotate ASP.NET machine keys, then after applying Microsoft’s security update, rotate ASP.NET machine keys again, and restart the IIS web server.
• Disconnect public-facing versions of SharePoint Server that have reached their end-of-life (EOL) or end-of-service (EOS) from the internet. For example, SharePoint Server 2013 and earlier versions are end-of-life and should be discontinued if still in use.  
• Monitor suspicious requests to the sign-out page: /_layouts/SignOut.aspx is the exact HTTP header used by threat actors to exploit ToolPane.aspx for initial access
• Monitor for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit
• Conduct scanning for IPs 107.191.58[.]76, 104.238.159[.]149, and 96.9.125[.]147, particularly between July 18-19, 2025.
• Update intrusion prevention system and web-application firewall (WAF) rules to block exploit patterns and anomalous behavior. For more information, see CISA’s Guidance on SIEM and SOAR Implementation.
• Implement comprehensive logging to identify exploitation activity. For more information, see CISA’s Best Practices for Event Logging and Threat Detection.
• Employ robust cyber hygiene and hardening measures to prepare for, prevent, and mitigate ransomware incidents. For more information, see CISA and partners’ #StopRansomware Guide.
• Audit and minimize layout and admin privileges.

For more information on this vulnerability, please see Eye Security’s reporting and Palo Alto Networks Unit42’s post. CVE-2025-53770 was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog on July 20, 2025. CVE-2025-49706 and CVE-2025-49704 were added to the KEV on July 22, 2025.

Note: This Alert may be updated to reflect new guidance issued by CISA or other parties.

CISA would like to acknowledge the contributions of the security researcher community in rapidly sharing insights that enabled CISA to notify critical infrastructure organizations impacted by this activity.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at SOC@mail.cisa.dhs.gov or 1-844-Say-CISA (1-844-729-2472).  

 

Disclaimer:  

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. 

CISA released three Industrial Control Systems (ICS) advisories on July 17, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-198-01 Leviton AcquiSuite and Energy Monitoring Hub
   
• ICSMA-25-198-01 Panoramic Corporation Digital Imaging Software
   
• ICSA-24-191-05 Johnson Controls Inc. Software House C●CURE 9000 (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Leviton
• Equipment: AcquiSuite, Energy Monitoring Hub
• Vulnerability: Cross-site Scripting

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to craft a malicious payload in URL parameters that would execute in a client browser when accessed by a user, steal session tokens, and control the service.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Leviton AcquiSuite and Leviton Energy Monitoring Hub are affected:

• AcquiSuite: Version A8810
• Energy Monitoring Hub: Version A8812

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

The affected products are susceptible to a cross-site scripting (XSS) vulnerability, allowing an attacker to craft a malicious payload in URL parameters, which would execute in a client browser when accessed by a user, steal session tokens, and control the service.

CVE-2025-6185 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-6185. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

notnotnotveg (notnotnotveg@gmail.com) reported this vulnerability to CISA.

4. MITIGATIONS

Leviton has not responded to requests to work with CISA in mitigating this vulnerability. Users of these affected products are welcome to contact Leviton's customer support for additional information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities of their own and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• July 17, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Panoramic Corporation
• Equipment: Digital Imaging Software
• Vulnerability: Uncontrolled Search Path Element

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a standard user to obtain NT Authority/SYSTEM privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Panoramic Corporation products are affected:

• Digital Imaging Software: Version 9.1.2.7600

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

The affected product is vulnerable to DLL hijacking, which may allow an attacker to obtain NT Authority/SYSTEM as a standard user.

CVE-2024-22774 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-22774. A base score of 8.5 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
• COUNTRIES/AREAS DEPLOYED: North America
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Damian Semon Jr. of Blue Team Alpha LLC reported this vulnerability to CISA.

4. MITIGATIONS

The affected software is vulnerable due to an SDK component owned by Oy Ajat Ltd, which is no longer supported. Panoramic Corporation is not the owner of this vulnerable component. Panoramic Corporation did not recommend any specific mitigation for this vulnerability. Users should contact Panoramic Corporation's support address for further information.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• July 17, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: RMC-100
• Vulnerabilities: Use of Hard-coded Cryptographic Key, Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthenticated access to the MQTT configuration data, cause a denial-of-service condition on the MQTT configuration web server (REST interface), or decrypt encrypted MQTT broker credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports the following versions of RMC-100 with the REST interface are affected. The vulnerabilities are only present when the REST interface is enabled. This interface is disabled by default:

• RMC-100: 2105457-043 through 2105457-045
• RMC-100 LITE: 2106229-015 through 2106229-016

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

When the REST interface is enabled by the user, and an attacker gains access to the source code and the control network, the attacker can bypass REST interface authentication and gain access to MQTT configuration data.

CVE-2025-6074 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-6074. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.2 STACK-BASED BUFFER OVERFLOW CWE-121

When the REST interface is enabled by the user, if an attacker gains access to the control network, user/password broker authentication is enabled, and CVE-2025-6074 is exploited, the attacker can overflow the buffer for the username or password.

CVE-2025-6073 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-6073. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 STACK-BASED BUFFER OVERFLOW CWE-121

When the REST interface is enabled by the user, if an attacker gains access to the control network and exploits CVE-2025-6074, the attacker can use the JSON configuration to overflow the expiration date field.

CVE-2025-6072 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-6072. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321

An attacker can gain access to salted information to decrypt MQTT information.

CVE-2025-6071 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-6071. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide, except regions mandated to follow EU CRA
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Vera Mens of Claroty Team82 reported these vulnerabilities to ABB.

4. MITIGATIONS

ABB recommends disabling the REST interface when it is not being used to configure the MQTT functionality. By default, when the REST interface is disabled so there is no risk. The RMC-100 is not intended for access over public networks such as the Internet. An attacker would need access to the user's private control network to exploit these vulnerabilities. Proper network segmentation is recommended.

For more information, see ABB's cybersecurity advisory.

For any installation of software-related products, ABB strongly recommends the following (non-exhaustive) list of cybersecurity practices:

• Isolate special-purpose networks (e.g., for automation systems) and remote devices behind firewalls and separate them from any general-purpose networks (e.g., office or home networks).
• Install physical controls to ensure that no unauthorized personnel can access devices, components, peripheral equipment, and networks.
• Never connect programming software or computers containing programming software to any network other than the network for the devices that it is intended for.
• Scan all data imported into your environment before use to detect potential malware infections.
• Minimize network exposure for all applications and endpoints to ensure that they are not accessible from the Internet unless they are designed for such exposure and the intended use requires such.
• Ensure all nodes are always up-to-date in terms of installed software, operating system, and firmware patches as well as antivirus and firewall.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• July 15, 2025: Initial Publication