01-29-2025, 05:55 PM
News CISA warns of critical, high-risk flaws in ICS products from four vendors
<div id="remove_no_follow">
<div class="grid grid--cols-10@md grid--cols-8@lg article-column">
<div class="col-12 col-10@md col-6@lg col-start-3@lg">
<div class="article-column__content">
<p>The US Cybersecurity and Infrastructure Security Agency has issued advisories for 11 critical and high-risk vulnerabilities in industrial control systems (ICS) products from several manufacturers.</p>
<p>The issues include OS command injection, unsafe deserialization of data, use of broken cryptographic algorithms, authentication bypass, improper access controls, use of default credentials, sensitive information leaks, and more. The flaws affect products from B&R Industrial Automation, Schneider Electric, Rockwell Automation, and BD (Becton, Dickinson and Co.).</p>
<h2 class="wp-block-heading" id="schneider-electric-rce-authorization-bypass-buffer-overflow-flaws">Schneider Electric: RCE, authorization bypass, buffer overflow flaws</h2>
<p>CISA warned that Schneider Electric RemoteConnect and SCADAPack x70 Utilities <a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-06">are vulnerable to a deserialization flaw</a> rated 8.5 (High) on the CVSS scale. Successful exploitation can lead to remote code execution on workstations when non-admin users open maliciously crafted project files.</p>
<p>RemoteConnect and SCADAPack x70 Utilities are used to monitor, configure, and program SCADAPack smart remote terminal units (RTUs). SCADAPack x70 is one of the newest generations of Schneider RTUs used in the energy and critical manufacturing sectors.</p>
<p>Schneider plans to address this vulnerability, tracked as CVE-2024-12703, in future releases of the software, but for now the company <a href="https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-06&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-06.pdf">has released mitigation recommendations</a> that include opening project files only from trusted sources, computing cryptographic hashes for projects and regularly checking them, encrypting project files when stored, and restricting access to project files.</p>
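<p>The hash-and-recheck mitigation above, as an added example that is not Schneider's tooling or code from the advisory: it records a SHA-256 baseline of every file under a project directory and later reports what was modified, added or removed. The directory layout, file names and contents are constructed for the demonstration.</p>

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large project archives never load fully into RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(project_dir):
    """Map each file under project_dir (relative path, '/' separators) to its SHA-256."""
    manifest = {}
    for root, _dirs, files in os.walk(project_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, project_dir).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def verify_manifest(project_dir, expected):
    """Compare the tree with a baseline manifest (keep the baseline where the
    workstation user cannot write it, e.g. a read-only share, or it can be
    replaced along with the project file). Returns modified/added/removed lists;
    all three empty means the tree matches the baseline."""
    actual = build_manifest(project_dir)
    return {
        "modified": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "added": sorted(p for p in actual if p not in expected),
        "removed": sorted(p for p in expected if p not in actual),
    }

def demo():
    """Constructed scenario: take a baseline, then alter one file, add one, delete one."""
    with tempfile.TemporaryDirectory() as project_dir:
        seed = {"pump_station.rtu": b"constructed project data v1",
                "notes.txt": b"constructed operator notes"}
        for name, data in seed.items():
            with open(os.path.join(project_dir, name), "wb") as fh:
                fh.write(data)
        baseline = build_manifest(project_dir)
        with open(os.path.join(project_dir, "pump_station.rtu"), "ab") as fh:
            fh.write(b" unexpected change")
        with open(os.path.join(project_dir, "extra.dll"), "wb") as fh:
            fh.write(b"not in baseline")
        os.remove(os.path.join(project_dir, "notes.txt"))
        return verify_manifest(project_dir, baseline)
```

<p>Scheduling the verify step (and alerting on any non-empty list) turns the advisory's "regularly check them" into a detection control rather than a manual habit.</p>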
<p>Another Schneider product, PowerLogic HDPM6000 High-Density Metering, a power meter for large and critical power applications, <a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-02">has two vulnerabilities</a>: an authorization bypass through a user-controlled key (CVSS 8.7) and a buffer overflow (CVSS 6.9).</p>
<p>The authorization bypass (CVE-2024-10497) can be exploited by sending specially crafted HTTPS requests to the device, leading to privilege escalation. The buffer overflow (CVE-2024-10498) could lead to invalid data or a denial-of-service condition in the web interface functionality. The flaws <a href="https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-014-08&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2025-014-08.pdf">have been patched</a> in HDPM6000 version 0.62.11 and newer.</p>
<h2 class="wp-block-heading" id="rockwell-automation-command-injection-flaw-misconfigurations-and-more">Rockwell Automation: Command injection flaw, misconfigurations, and more</h2>
<p>Rockwell Automation <a href="https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1719.html">patched two flaws in FactoryTalk View Machine Edition</a> and <a href="https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1720.html">another two in FactoryTalk View Site Edition</a>. FactoryTalk provides a human-machine interface (HMI) for monitoring automation applications running on controllers.</p>
<p>FactoryTalk View Machine Edition <a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-03">is vulnerable to an OS command injection issue</a> (CVE-2025-24480) that could allow attackers to run commands with high privileges on the underlying system. The flaw is rated critical with a CVSS score of 9.3. The product also has a default setting that allows access to the Windows command prompt as a higher privileged user (CVE-2025-24479; CVSS 8.4).</p>
<p><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-04">The flaws in the Site Edition</a>, <a href="https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1720.html">CVE-2025-24481 and CVE-2025-24482</a>, are misconfigurations that could allow attackers to access system configuration without authentication or to execute DLLs with high-level permissions. The flaws are rated CVSS 7.0, which indicates high severity.</p>
<p>FactoryTalk DataMosaix Private Cloud, an industrial <a href="https://www.cio.com/article/227979/what-is-dataops-data-operations-analytics.html">DataOps</a> solution that’s available either as a service or to be deployed in a private cloud, received patches for <a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-05">two other vulnerabilities</a>: a path traversal issue that can lead to sensitive data exposure (CVE-2024-11932) and a critical use-after-free memory vulnerability inherited from the SQLite open-source component (CVE-2020-11656).</p>
<h2 class="wp-block-heading" id="br-industrial-automation-services-impersonation">B&R Industrial Automation: Services impersonation</h2>
<p>B&R Automation Runtime and mapp View software products generate self-signed certificates for their SSL/TLS component using a signing algorithm that’s considered insecure. <a href="https://www.cisa.gov/news-events/ics-advisories/icsa-25-028-01">This issue</a>, tracked as CVE-2024-8603, can allow attackers to impersonate services, <a href="https://www.br-automation.com/fileadmin/SA25P001-c478fad6.pdf">although B&R notes</a> that the self-signed certificates are meant to be used only for testing, not in real-world deployments.</p>
<h2 class="wp-block-heading" id="bd-default-credential-issues">BD: Default credential issues</h2>
<p>Multiple BD Diagnostic Solutions for medical professionals use default credentials that could allow attackers to access, modify, or delete data, including protected health information (PHI) and personally identifiable information (PII). The flaw, tracked as CVE-2024-10476, can also be used to shut down the affected systems.</p>
<p>Impacted products include BD BACTEC Blood Culture System, BD COR System, BD EpiCenter Microbiology Data Management System, BD MAX System, BD Phoenix M50 Automated Microbiology System, and Synapsys Informatics Solution.</p>
<p>“BD has already communicated to users with affected products and is working with them to update default credentials on affected products,” <a href="https://www.cisa.gov/news-events/ics-medical-advisories/icsma-24-352-01/">CISA said</a>. “For this vulnerability to be exploited, a threat actor will need direct access, whether logical or physical, into the clinical setting.”</p>
</div></div></div></div>
https://www.csoonline.com/article/381181...ndors.html