CISA's Latest Industrial Control Systems Advisories: A Call to Action for Cybersecurity Professionals
On April 22, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released five critical advisories targeting vulnerabilities in Industrial Control Systems (ICS). These advisories serve as a stark reminder of the growing threats to industrial infrastructure and the urgent need for robust cybersecurity measures.
These advisories highlight vulnerabilities in widely-used ICS products from Siemens, ABB, and Schneider Electric. Here's a brief overview:
....................................................
Vendor/Product: Siemens TeleControl Server Basic SQL
Description: Multiple vulnerabilities, including SQL injection flaws, could allow unauthorized access to critical system databases.
Impact: Successful exploitation of these vulnerabilities could allow an attacker to read and write to the application's database, cause a denial-of-service condition, and execute code in an OS shell.
Critical Infrastructure Sectors: Energy, Transportation, Water and Wastewater Systems
- Source: CVE-2025-27495: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'CreateTrace' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is running. (ZDI-CAN-25911). CVSS Score: 9.3 Critical
- Source: CVE-2025-27539: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'VerifyUser' method. This could allow an unauthenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is running. (ZDI-CAN-25914). CVSS Score: 9.3 Critical
- Source: CVE-2025-30002: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'UpdateConnectionVariables' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is running. (ZDI-CAN-25909). CVSS Score: 8.7 High
- Source: CVE-2025-30030: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'ImportDatabase' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is running. (ZDI-CAN-25924). CVSS Score: 8.7 High
- Source: CVE-2025-32822: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected application is vulnerable to SQL injection through the internally used 'DeleteProject' method. This could allow an authenticated remote attacker to bypass authorization controls, to read from and write to the application's database and execute code with "NT AUTHORITY\NetworkService" permissions. A successful attack requires the attacker to be able to access port 8000 on a system where a vulnerable version of the affected application is running. CVSS Score: 8.7 High
Mitigation: As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
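The pattern behind these findings, as an added illustration written for this page (not Siemens' code; the 'VerifyUser' method is only named in the CVE text): a user lookup built by string formatting beside the same lookup with bound parameters, using Python's sqlite3 and a constructed user table.

```python
import sqlite3

# Constructed sample data for this example, not the product's real schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('operator', 'secret')")
    conn.commit()
    return conn

def verify_user_unsafe(conn, name, password):
    # Flawed pattern: caller input is spliced into the statement text, so a
    # quote character in the input changes the structure of the query itself.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0

def verify_user_safe(conn, name, password):
    # Hardened form: placeholders are bound by the driver, so the input is
    # always treated as a value and never as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

def unsafe_query_breaks(conn, name, password):
    # True when the concatenated query is no longer valid SQL; an apostrophe
    # in an ordinary name is enough, which is how such flaws often surface.
    try:
        verify_user_unsafe(conn, name, password)
    except sqlite3.OperationalError:
        return True
    return False
```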
....................................................
Vendor/Product: Siemens TeleControl Server Basic
Description: Improper Handling of Length Parameter Inconsistency. The affected product does not properly validate a length field in a serialized message, which it uses to determine the amount of memory to be allocated for deserialization. This could allow an unauthenticated remote attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a partial denial-of-service condition. Successful exploitation is only possible in redundant TeleControl Server Basic setups and only if the connection between the redundant servers has been disrupted.
Impact: Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to make the application allocate exhaustive amounts of memory, creating a partial denial-of-service condition.
Critical Infrastructure Sectors: Energy, Transportation, Water and Wastewater Systems
Source: CVE-2025-29931: A vulnerability has been identified in TeleControl Server Basic (All versions < V3.1.2.2). The affected product does not properly validate a length field in a serialized message which it uses to determine the amount of memory to be allocated for deserialization. This could allow an unauthenticated remote attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a partial denial-of-service condition. Successful exploitation is only possible in redundant TeleControl Server Basic setups and only if the connection between the redundant servers has been disrupted. CVSS Score: 6.3 Medium
Mitigation: As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
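A defender-side illustration of the check that CVE-2025-29931 describes as missing, added here as example code (not Siemens' implementation; the frame format, the 64 KiB cap and the sample frames are constructed): a length-prefixed message parser that validates the declared length against both a cap and the bytes actually received before allocating from it.

```python
import struct

# Assumed upper bound for one payload; a real server derives this from its
# protocol and memory budget.
MAX_PAYLOAD = 64 * 1024

class FrameError(ValueError):
    """Raised when a frame's declared length cannot be trusted."""

def parse_frame(buf, max_payload=MAX_PAYLOAD):
    """Parse one constructed frame: 4-byte big-endian length, then payload.

    The declared length is checked against an absolute cap and against the
    bytes actually present before anything is allocated from it. Skipping
    either check lets a peer make the receiver reserve memory it never sends.
    Returns (payload, remaining_bytes)."""
    if len(buf) < 4:
        raise FrameError("truncated header")
    (declared,) = struct.unpack(">I", buf[:4])
    if declared > max_payload:
        raise FrameError(f"declared length {declared} exceeds cap {max_payload}")
    available = len(buf) - 4
    if declared > available:
        raise FrameError(f"declared length {declared} but only {available} bytes present")
    payload = bytearray(declared)        # size is bounded by both checks above
    payload[:] = buf[4:4 + declared]
    return bytes(payload), buf[4 + declared:]

def rejection_reason(buf, max_payload=MAX_PAYLOAD):
    """Return None if the frame parses, else the reason it was refused."""
    try:
        parse_frame(buf, max_payload)
    except FrameError as exc:
        return str(exc)
    return None

# Constructed sample frames (not captured traffic).
FRAME_OK = b"\x00\x00\x00\x05hello" + b"\x00\x00\x00\x02ok"  # two frames back to back
FRAME_OVERSIZED = b"\xff\xff\xff\xff" + b"ab"   # claims ~4 GiB, sends 2 bytes
FRAME_SHORT = b"\x00\x00\x00\x10abc"            # claims 16 bytes, sends 3
```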
....................................................
Vendor/Product: Schneider Electric Wiser Home Controller WHC-5918A
Description: Vulnerabilities such as authentication bypass and remote command execution could disrupt home automation systems. Firmware updates and strict access controls are recommended.
Impact: An information exposure vulnerability exists that could cause disclosure of credentials when a specially crafted message is sent to the device.
Source: CVE-2024-6047
Critical Infrastructure Sectors: Energy
Max Severity: Critical
CVSS Score: 9.8
Mitigation: Schneider Electric reports the Wiser Home Controller WHC-5918A product has been discontinued and is out of support. Users should consider upgrading to the latest product offering, C-Bus, Home Controller, SpaceLogic IP, Free Standing, 24V DC, 5200WHC2, or removing the Wiser Home Controller WHC-5918A from service.
....................................................
Vendor/Product: Schneider Electric Modicon M580 PLCs, BMENOR2200H and EVLink Pro AC (Update A)
Description: The affected product is vulnerable to an incorrect calculation of buffer size vulnerability that could cause a denial-of-service of the product when an unauthenticated user is sending a crafted HTTPS packet to the webserver.
Impact: Failure to apply the fix or mitigations provided below may expose the product to a buffer overflow attack, which could result in denial of service.
Source: CVE-2024-11425
Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy
Max Severity: High
CVSS Score: 8.7
Mitigation: Schneider Electric recommends firmware updates for Modicon M580 PLCs, BMENOR2200H, and EVLink Pro AC devices.
....................................................
Vendor/Product: ABB MV Drives
Description: Multiple denial-of-service vulnerabilities could shut down industrial processes, leading to potential revenue loss or safety incidents. Network segmentation and firmware updates are crucial.
Impact: Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the drive or cause a denial-of-service condition.
Critical Infrastructure Sectors: Critical Manufacturing
- Source: CVE-2022-4046: In CODESYS Control in multiple versions, an improper restriction of operations within the bounds of a memory buffer allows a remote attacker with user privileges to gain full access to the device. CVSS Score: 8.8 High
- Source: CVE-2023-37550: In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37549. CVSS Score: 6.5 Medium
- Source: CVE-2023-37549: In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37548 and CVE-2023-37550. CVSS Score: 6.5 Medium
- Source: CVE-2023-37548: In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37547, CVE-2023-37549 and CVE-2023-37550. CVSS Score: 6.5 Medium
- Source: CVE-2023-37547: In multiple Codesys products in multiple versions, after successful authentication as a user, specific crafted network communication requests with inconsistent content can cause the CmpApp component to read internally from an invalid address, potentially leading to a denial-of-service condition. This vulnerability is different to CVE-2023-37545, CVE-2023-37546, CVE-2023-37548, CVE-2023-37549 and CVE-2023-37550. CVSS Score: 6.5 Medium
Mitigation: ABB recommends users apply a firmware update as soon as possible to the latest firmware, i.e. LAAAB v. 5.07 and higher, for the affected products. ABB has addressed the CODESYS Runtime System vulnerabilities by disabling the IEC online programming communication by default. As a result, CODESYS communication between affected products and the ABB Automation Builder or ABB Drive Application Builder tools is disabled.
It should be noted that the CODESYS application continues to run on the Drive and if it is necessary to establish communication with CODESYS RTS, for example to debug the CODESYS application, this is possible through the drive parameter configuration. Open the user lock via the "96.02 Pass code" parameter and make sure that bit 9 "Enable online IEC programming" is set to TRUE in the "96.102 User lock functionality" parameter. IMPORTANT: After this task, be sure to disable CODESYS communication by setting the bit back to FALSE.
A future firmware update is planned to update the CODESYS RTS library, which will further strengthen defenses for the vulnerabilities mentioned above.
Why These Advisories Matter
The increasing frequency and sophistication of cyberattacks on industrial systems underscore the importance of proactive measures. ICS are integral to critical infrastructure, and their compromise can have far-reaching consequences, including operational disruptions and safety risks.
What Can Be Done?
CISA urges operators, administrators, and security professionals to review the technical details and mitigations provided in these advisories. Key actions include:
- Applying the latest security updates.
- Implementing network segmentation to isolate critical systems.
- Conducting regular audits and monitoring for suspicious activity.
- Monitoring firmware, detecting malicious firmware, and applying firmware updates regularly.
Conclusion
The release of these advisories is a wake-up call for the industry. By addressing these vulnerabilities promptly, organizations can safeguard their operations and contribute to the resilience of critical infrastructure.