Posts by CISA (old posts, page 7)

RSS feed

Hitachi Energy MACH GWS Products

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.4
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: MACH GWS products
  • Vulnerabilities: Improper Neutralization of Special Elements in Data Query Logic, Improper Limitation of a Pathname to a Restricted Directory, Authentication Bypass by Capture-replay, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to inject code, read or modify files, hijack user sessions, or access exposed ports without authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Hitachi Energy products are affected:

  • MACH GWS: Version 2.1.0.0 (CVE-2024-4872, CVE-2024-3980)
  • MACH GWS: Versions 2.2.0.0 to 2.4.0.0 (CVE-2024-4872, CVE-2024-3980)
  • MACH GWS: Versions 3.0.0.0 to 3.3.0.0 (CVE-2024-4872, CVE-2024-3980, CVE-2024-3982)
  • MACH GWS: Versions 3.1.0.0 to 3.3.0.0 (CVE-2024-7940)

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943

A vulnerability exists in the query validation of the MACH GWS product. If exploited this could allow an authenticated attacker to inject code towards persistent data. Note that to successfully exploit this vulnerability an attacker must have a valid credential.

CVE-2024-4872 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-4872. A base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

The MACH GWS product allows an authenticated user input to control or influence paths or file names that are used in filesystem operations. If exploited the vulnerability allows the attacker to access or modify system files or other files that are critical to the application.

CVE-2024-3980 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3980. A base score of 9.4 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.3 AUTHENTICATION BYPASS BY CAPTURE-REPLAY CWE-294

An attacker with local access to machine where MACH GWS is installed, could enable the session logging supporting the product and try to exploit a session hijacking of an already established session.

Note: By default, the session logging level is not enabled and only users with administrator rights can enable it.

CVE-2024-3982 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-3982. A base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:P/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.2.4 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The MACH GWS product exposes a service that is intended for local only to all network interfaces without any authentication.

CVE-2024-7940 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-7940. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).

3.3 PRODUCT IMPACT

Additional product-specific impact for MACH GWS 2 affected product vulnerable to the CVE:

3.4 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.5 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends that users update to the new versions listed below:

  • MACH GWS Versions 3.0.0.0 to 3.3.0.0: Upgrade to version 3.4.0.0.
  • MACH GWS Version 2.1.0.0: Apply the patch HF1 to HF6 sequentially.
  • MACH GWS Versions 2.2.0.0 to 2.4.0.0: Apply the patch HF3 to HF6 sequentially.

For more information, visit the Hitachi Energy security advisory.

Hitachi Energy recommended security practices and firewall configurations can help protect a process control network from attacks originating outside the network. Such practices include ensuring that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports, evaluated on a case-by-case basis. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should be followed.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000211

Hitachi Energy Relion 670/650/SAM600-IO Series

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.1
  • ATTENTION: Low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: Relion 670/650/SAM600-IO Series
  • Vulnerability: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

2. RISK EVALUATION

Successful exploitation of this vulnerability can allow an attacker to reboot the device and cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

  • Relion 670/650/SAM600-IO series: Versions 2.2.2.0 up to but not including 2.2.2.6
  • Relion 670/650/SAM600-IO series: Versions 2.2.3.0 up to but not including 2.2.3.7
  • Relion 670/650/SAM600-IO series: Versions 2.2.4.0 up to but not including 2.2.4.4
  • Relion 670/650/SAM600-IO series: Versions 2.2.5.6 up to but not including 2.2.5.6
  • Relion 670/650/SAM600-IO series: 2.2.0.x
  • Relion 670/650/SAM600-IO series: 2.2.1.x

3.2 VULNERABILITY OVERVIEW

3.2.1 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT ('CLASSIC BUFFER OVERFLOW') CWE-120

A vulnerability exists in the input validation of the GOOSE messages where out of range values received and processed by the IED cause a reboot of the device. In order for an attacker to exploit the vulnerability, GOOSE receiving blocks need to be configured.

CVE-2023-4518 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-4518. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy identified the following specific workarounds and mitigations users can apply to reduce risk:

  • Relion 670 series Version 2.2.2.x up to but not including 2.2.2.6: Update to Version 2.2.2.6
  • Relion 670 series Version 2.2.3.x up to but not including 2.2.3.7: Update to Version 2.2.3.7
  • Relion 670/650 series Version 2.2.4.x up to but not including 2.2.4.4: Update to Version 2.2.4.4
  • Relion 670/650/SAM600-IO series Version 2.2.5.6 up to but not including 2.2.5.6: Update to Version 2.2.5.6
  • Relion 670 series Version 2.2.0 all revisions and Relion 670/650/SAM600-IO series Version 2.2.1 all revisions: Apply general mitigations.

For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000170 Cybersecurity Advisory - Improper Input Validation Vulnerability in Hitachi Energy's Relion® 670/650/SAM600-IO series Product.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000170

Hitachi Energy Service Suite

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: Service Suite
  • Vulnerabilities: Use of Less Trusted Source, Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling'), Integer Overflow or Wraparound, Out-of-bounds Write, Allocation of Resources Without Limits or Throttling, Exposure of Sensitive Information to an Unauthorized Actor, Memory Allocation with Excessive Size Value, Out-of-bounds Read, Uncontrolled Resource Consumption, Improper Resource Shutdown or Release, Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise the confidentiality, integrity, or availability of affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

  • Service Suite: Versions 9.8.1.3 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Use of Less Trusted Source CWE-348

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may not send the X-Forwarded-* headers to the origin server due to the client-side Connection header hop-by-hop mechanism. This vulnerability can be exploited to bypass IP-based authentication on the origin server or application.

CVE-2022-31813 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-31813. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-444

Some mod_proxy configurations on Service Suite product's Apache HTTP Server versions 2.4.0 through 2.4.55 allow a HTTP request smuggling attack. Configurations are affected when mod_proxy is enabled along with some form of RewriteRule or ProxyPassMatch in which a non-specific pattern matches some portion of the user-supplied request-target (URL) data and is then re-inserted into the proxied request-target using variable substitution.

CVE-2023-25690 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2023-25690. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Integer Overflow or Wraparound CWE-190

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may crash or disclose information due to a read beyond bounds in ap_strcmp_match() when provided with an extremely large input buffer. While no code distributed with the server can be coerced into making such a call, third-party modules or Lua scripts that use ap_strcmp_match() may hypothetically be affected.

CVE-2022-28615 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-28615. A base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-444

An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.54 and prior, which are part of the Service Suite product.

CVE-2022-36760 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-36760. A base score of 9.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-444

An HTTP response smuggling vulnerability exists in Apache HTTP Server via mod_proxy_uwsgi. This issue affects Apache HTTP Server versions 2.4.30 through 2.4.55, which are part of the Service Suite product. Special characters in the origin response header can truncate or split the response forwarded to the client.

CVE-2023-27522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2023-27522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.6 Out-of-bounds Write CWE-787

A carefully crafted If: request header can cause a memory read or write of a single zero byte in a pool (heap) memory location beyond the header value sent. This could cause the process to crash. This issue affects Apache HTTP Server versions 2.4.54 and earlier, which are part of the Service Suite product.

CVE-2006-20001 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2006-20001. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.7 Allocation of Resources Without Limits or Throttling CWE-770

In Apache HTTP Server 2.4.53 and earlier, which are part of the Service Suite product, a malicious request to a Lua script that calls r:parsebody(0) may cause a denial of service due to the lack of a default limit on possible input size.

CVE-2022-29404 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-29404. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.8 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

Apache HTTP Server 2.4.53 and earlier, which is part of the Service Suite product, may return lengths to applications calling r:wsread() that point past the end of the storage allocated for the buffer.

CVE-2022-30556 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-30556. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Memory Allocation with Excessive Size Value CWE-789

If Apache HTTP Server 2.4.53, which is part of the Service Suite product, is configured to perform transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.

CVE-2022-30522 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2022-30522. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.10 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') CWE-444

An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.

CVE-2022-26377 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2022-26377. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.11 Out-of-bounds Read CWE-125

An inconsistent interpretation of HTTP requests ('HTTP request smuggling') vulnerability in mod_proxy_ajp of Apache HTTP Server allows an attacker to smuggle requests to the AJP server it forwards requests to. This issue affects Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product.

CVE-2023-31122 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-31122. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.12 Uncontrolled Resource Consumption CWE-400

An attacker opening an HTTP/2 connection with an initial window size of 0 can block the handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well-known "slow loris" attack pattern. This issue affects Apache HTTP Server versions 2.4.55 through 2.4.57, which are part of the Service Suite product.

CVE-2023-43622 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-43622. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.13 Improper Resource Shutdown or Release CWE-404

When an HTTP/2 stream is reset (RST frame) by a client, there is a time window where the request's memory resources are not immediately reclaimed. Instead, deallocation is deferred until the connection closes. A client can send new requests and resets, keeping the connection busy and open, causing the memory footprint to keep growing. Upon connection close, all resources are reclaimed, but the process might run out of memory before that. This issue affects Apache HTTP Server versions 2.4.17 through 2.4.57, which are part of the Service Suite product.

CVE-2023-45802 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-45802. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.14 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') CWE-113

In Apache HTTP Server versions prior to 2.4.55, which are part of the Service Suite product, a malicious backend can cause the response headers to be truncated early, resulting in some headers being incorporated into the response body. If the later headers have any security purpose, they will not be interpreted by the client.

CVE-2022-37436 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2022-37436. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.15 Exposure of Sensitive Information to an Unauthorized Actor CWE-200

The ap_rwrite() function in Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product, may read unintended memory if an attacker can cause the server to reflect very large input using ap_rwrite() or ap_rputs(), such as with mod_lua's r:puts() function.

CVE-2022-28614 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-28614. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.16 Out-of-bounds Read CWE-125

Apache HTTP Server versions 2.4.53 and earlier, which are part of the Service Suite product on Windows, may read beyond bounds when configured to process requests with the mod_isapi module.

CVE-2022-28330 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2022-28330. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Energy
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommends affected users update to 9.8.1.4

For more information see the associated Hitachi Energy cybersecurity advisory 8DBD000209.

Hitachi Energy recommends security practices and firewall configurations to help protect process control networks from external attacks. These practices include ensuring that process control systems are physically protected from unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by a firewall system with a minimal number of exposed ports. Each case should be evaluated individually. Process control systems should not be used for Internet surfing, instant messaging, or receiving emails. Portable computers and removable storage media should be carefully scanned for viruses before being connected to a control system. Proper password policies and processes should also be followed.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 13, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000209

Update to How CISA Shares Cyber-Related Alerts and Notifications

Update May 13: In an effort to enhance user experience and highlight the most timely and actionable information for cyber defenders, CISA announced a shift in how we share cybersecurity alerts and advisories. We recognize this has caused some confusion in the cyber community. As such, we have paused immediate changes while we re-assess the best approach to sharing with our stakeholders.

 

Starting May 12, CISA is changing how we announce cybersecurity updates and the release of new guidance. These announcements will only be shared through CISA social media platforms and email and will no longer be listed on our Cybersecurity Alerts & Advisories webpage.  

The focus of our Cybersecurity Alerts & Advisories webpage will now be on urgent information tied to emerging threats or major cyber activity. CISA wants this critical information to get the attention it deserves and ensure it is easier to find. We’ll continue to communicate releases and updates to our stakeholders. To stay informed, subscribe to receive our email notifications on CISA.gov. You can also follow us on X @CISACyber for timely cybersecurity updates. 

Note: If you’ve previously used RSS feeds to track Known Exploited Vulnerabilities Catalog updates, please subscribe to the KEV subscription topic through GovDelivery to continue receiving notifications.   

We greatly appreciate stakeholder feedback which played a part in this change and thank you for staying connected with CISA. 

CISA Releases Five Industrial Control Systems Advisories

CISA released five Industrial Control Systems (ICS) advisories on May 8, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Hitachi Energy RTU500 Series

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.2
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Hitachi Energy
  • Equipment: RTU500 series
  • Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Validation of Specified Index, Position, or Offset in Input

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute cross-site scripting or trigger a denial-of-service condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

  • RTU500 series: Versions 12.0.1 to 12.0.14
  • RTU500 series: Versions 12.2.1 to 12.2.11
  • RTU500 series: Versions 12.4.1 to 12.4.11
  • RTU500 series: Versions 12.6.1 to 12.6.9
  • RTU500 series: Versions 12.7.1 to 12.7.6
  • RTU500 series: Versions 13.2.1 to 13.2.6
  • RTU500 series: Versions 13.4.1 to 13.4.3

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79

A vulnerability exists in the webserver that affects the RTU500 series product versions listed above. A malicious actor could perform cross-site scripting on the webserver due to an RDT language file being improperly sanitized.

CVE-2023-5767 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:L).

A CVSS v4 score has also been calculated for CVE-2023-5767. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N).

3.2.2 Improper Validation of Specified Index, Position, or Offset in Input CWE-1285

A vulnerability exists in the HCI IEC 60870-5-104 that affects the RTU500 series product versions listed above. An incomplete or incorrectly received APDU frame layout may cause blocking on the link layer. The error is caused by endless blocking when reading incoming frames on the link layer with incorrect length information of APDU or delayed reception of data octets. Only the communication link of the affected HCI IEC 60870-5-104 is blocked. If the attack sequence stops, the communication to the previously attacked link stabilizes.

CVE-2023-5768 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-5768. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-79

A vulnerability exists in the webserver that affects the RTU500 series product versions listed above. A malicious actor could perform cross-site scripting on the webserver due to user input being improperly sanitized.

CVE-2023-5769 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2023-5769. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy recommend users take the following actions as well as following general mitigation measures:

  • RTU500 series Versions 12.0.1 - 12.0.14: Update to CMU Firmware Version 12.0.15
  • RTU500 series Versions 12.2.1 - 12.2.11: Update to CMU Firmware Version 12.2.12
  • RTU500 series Versions 12.4.1 - 12.4.11: Update to CMU Firmware Version 12.4.12
  • RTU500 series Versions 12.6.1 - 12.6.9: Update to CMU Firmware Version 12.6.10
  • RTU500 series Versions 12.7.1 - 12.7.6: Update to CMU Firmware Version 12.7.7
  • RTU500 series Versions 13.2.1 - 13.2.6: Update to CMU Firmware Version 13.2.7
  • RTU500 series Versions 13.4.1 - 13.4.3: Update to CMU Firmware Version 13.4.4 or 13.5.1

For more information see the associated Hitachi Energy PSIRT security advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 8, 2025: Initial Republication of Hitachi Energy Advisory 8DBD000176

Horner Automation Cscape

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Horner Automation
  • Equipment: Cscape
  • Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Horner Automation Cscape, a control system application programming software, are affected:

  • Cscape: Version 10.0 (10.0.415.2) SP1

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

Horner Automation Cscape version 10.0 (10.0.415.2) SP1 is vulnerable to an out-of-bounds read vulnerability that could allow an attacker to disclose information and execute arbitrary code on affected installations of Cscape.

CVE-2025-4098 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-4098. A base score of 8.4 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Michael Heinzl reported this vulnerability to CISA.

4. MITIGATIONS

Horner Automation has released Cscape version 10.1 SP1 for download.

For more information, see Horner Automation's release notes.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

  • May 8, 2025: Initial Publication

Mitsubishi Electric CC-Link IE TSN

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.2
  • ATTENTION: Exploitable remotely
  • Vendor: Mitsubishi Electric
  • Equipment: CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module, CC-Link IE TSN FPGA module, CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY
  • Vulnerability: Improper Validation of Specified Quantity in Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric CC-Link IE TSN, a network controller, are affected:

  • CC-Link IE TSN Remote I/O module NZ2GN2S1-32D/32T/32TE/32DT/32DTE: Versions 09 and prior
  • CC-Link IE TSN Remote I/O module NZ2GN2B1-32D/32T/32TE/32DT/32DTE: Versions 09 and prior
  • CC-Link IE TSN Remote I/O module NZ2GNCF1-32D/32T: Versions 09 and prior
  • CC-Link IE TSN Remote I/O module NZ2GNCE3-32D/32DT: Versions 09 and prior
  • CC-Link IE TSN Remote I/O module NZ2GN12A4-16D/16DE: Versions 09 and prior
  • CC-Link IE TSN Remote I/O module NZ2GN12A2-16T/16TE: Versions 09 and prior
  • CC-Link IE TSN Remote I/O module NZ2GN12A42-16DT/16DTE: Versions 09 and prior
  • CC-Link IE TSN Remote I/O module NZ2GN2S1-16D/16T/16TE: Versions 09 and prior
  • CC-Link IE TSN Remote I/O module NZ2GN2B1-16D/16T/16TE: Versions 09 and prior
  • CC-Link IE TSN Analog-Digital Converter module NZ2GN2S-60AD4: Versions 07 and prior
  • CC-Link IE TSN Analog-Digital Converter module NZ2GN2B-60AD4: Versions 07 and prior
  • CC-Link IE TSN Digital-Analog Converter module NZ2GN2S-60DA4: Versions 07 and prior
  • CC-Link IE TSN Digital-Analog Converter module NZ2GN2B-60DA4: Versions 07 and prior
  • CC-Link IE TSN FPGA module NZ2GN2S-D41P01/D41D01/D41PD02: Version 01
  • CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY NZ2GACP620-300/60: Versions 1.08J and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER VALIDATION OF SPECIFIED QUANTITY IN INPUT CWE-1284

A remote attacker could cause a denial-of-service (DoS) condition in the products by sending specially crafted UDP packets. The threat arises when the affected product does not receive a valid UDP packet within 3 seconds after receiving a specially crafted UDP packet from a remote attacker, necessitating a system reset of the product for recovery.

CVE-2025-3511 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.9 has been calculated; the CVSS vector string is (AV: N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3511. A base score of 8.2 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Mitsubishi Electric reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric recommends that users update to the following:

  • CC-Link IE TSN Remote I/O module NZ2GN2S1-32D/32T/32TE/32DT/32DTE: Versions 10 or later
  • CC-Link IE TSN Remote I/O module NZ2GN2B1-32D/32T/32TE/32DT/32DTE: Versions 10 or later
  • CC-Link IE TSN Remote I/O module NZ2GNCF1-32D/32T: Versions 10 or later
  • CC-Link IE TSN Remote I/O module NZ2GNCE3-32D/32DT: Versions 10 or later
  • CC-Link IE TSN Remote I/O module NZ2GN12A4-16D/16DE: Versions 10 or later
  • CC-Link IE TSN Remote I/O module NZ2GN12A2-16T/16TE: Versions 10 or later
  • CC-Link IE TSN Remote I/O module NZ2GN12A42-16DT/16DTE: Versions 10 or later
  • CC-Link IE TSN Remote I/O module NZ2GN2S1-16D/16T/16TE: Versions 10 or later
  • CC-Link IE TSN Remote I/O module NZ2GN2B1-16D/16T/16TE: Versions 10 or later
  • CC-Link IE TSN Analog-Digital Converter module NZ2GN2S-60AD4: Versions 08 or later
  • CC-Link IE TSN Analog-Digital Converter module NZ2GN2B-60AD4: Versions 08 or later
  • CC-Link IE TSN Digital-Analog Converter module NZ2GN2S-60DA4: Versions 08 or later
  • CC-Link IE TSN Digital-Analog Converter module NZ2GN2B-60DA4: Versions 08 or later
  • CC-Link IE TSN FPGA module NZ2GN2S-D41P01/D41D01/D41PD02: Versions 02 or later
  • CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY NZ2GACP620-300/60: Versions 1.09K or later

Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability:

  • Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  • Use within a LAN and block access from untrusted networks and hosts through firewalls.
  • Restrict physical access to the affected products and the LAN to which they are connected.
  • Install anti-virus software on your PC that can access the product.

For more information, see Mitsubishi Electric advisory 2025-001.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

  • May 8, 2025 - Initial Republication Mitsubishi Electric Advisory 2025-001

Pixmeo OsiriX MD

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Pixmeo
  • Equipment: OsiriX MD
  • Vulnerabilities: Use After Free, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption, resulting in a denial-of-service condition or to steal credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Pixmeo products are affected:

  • OsiriX MD: Versions 14.0.1 (Build 2024-02-28) and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE AFTER FREE CWE-416

The affected product is vulnerable to a use after free scenario, which could allow an attacker to upload a crafted DICOM file and cause memory corruption leading to a denial-of-service condition.

CVE-2025-27578 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-27578. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.2 USE AFTER FREE CWE-416

The affected product is vulnerable to a local use after free scenario, which could allow an attacker to locally import a crafted DICOM file and cause memory corruption or a system crash.

CVE-2025-31946 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.2 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-31946. A base score of 6.9 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

The Osirix MD Web Portal sends credential information without encryption, which could allow an attacker to steal credentials.

CVE-2025-27720 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.4 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27720. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Healthcare and Public Health
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Chizuru Toyama of TXOne Networks and Canaan Kao of TXOne Networks reported these vulnerabilities to CISA.

4. MITIGATIONS

Pixmeo recommends users to download the latest version of OsiriX MD.

For additional support regarding OsiriX MD, users should contact Pixmeo directly.

CISA recommends users take defensive measures to minimize the risk of exploitation of this these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

  • May 8, 2025: Initial Publication