Cyberveille curated by Decio
31 results tagged IoT
ICS Patch Tuesday: Major Vendors Address Code Execution Vulnerabilities https://www.securityweek.com/ics-patch-tuesday-major-vendors-address-code-execution-vulnerabilities/
17/08/2025 17:30:21

securityweek.com - August 2025 ICS Patch Tuesday advisories have been published by Siemens, Schneider, Aveva, Honeywell, ABB and Phoenix Contact.

August 2025 Patch Tuesday advisories have been published by several major companies offering industrial control system (ICS) and other operational technology (OT) solutions.

Siemens has published 22 new advisories. One of them is for CVE-2025-40746, a critical Simatic RTLS Locating Manager issue that can be exploited by an authenticated attacker for code execution with System privileges.

The company has also published advisories covering high-severity vulnerabilities in Comos (code execution), Siemens Engineering Platforms (code execution), Simcenter (crash or code execution), Sinumerik controllers (unauthorized remote access), Ruggedcom (authentication bypass with physical access), Simatic (code execution), Siprotect (DoS), and Opcenter Quality (unauthorized access).

Siemens also addressed vulnerabilities introduced by the use of third-party components, including OpenSSL, Linux kernel, Wibu Systems, Nginx, Nozomi Networks, and SQLite.

Medium- and low-severity issues have been resolved in Simotion Scout, Siprotec 5, Simatic RTLS Locating Manager, Ruggedcom ROX II, and Sicam Q products.

As usual, Siemens has released patches for many of these vulnerabilities, but only mitigations or workarounds are available for some of the flaws.

Schneider Electric has released five new advisories. One of them describes four high-severity vulnerabilities in EcoStruxure Power Monitoring Expert (PME), Power Operation (EPO), and Power SCADA Operation (PSO) products. Exploitation of the flaws can lead to arbitrary code execution or sensitive data exposure.

In the Modicon M340 controller and its communication modules the industrial giant fixed a high-severity DoS vulnerability that can be triggered with specially crafted FTP commands, as well as a high-severity issue that can lead to sensitive information exposure or a DoS condition.

In the Schneider Electric Software Update tool, the company patched a high-severity vulnerability that can allow an attacker to escalate privileges, corrupt files, obtain information, or cause a persistent DoS.

Medium-severity issues that can lead to privilege escalation, DoS, or sensitive credential exposure have been patched in Saitel and EcoStruxure products.

Honeywell has published six advisories focusing on building management products, including several advisories that inform customers about Windows patches for Maxpro and Pro-Watch NVR and VMS products. The company has also released advisories covering PW-series access controller patches and security enhancements.

Aveva has published an advisory for two issues in its PI Integrator for Business Analytics. Two vulnerabilities have been patched: one arbitrary file upload issue that could lead to code execution, and a sensitive data exposure weakness.

ABB told customers on Tuesday about several vulnerabilities affecting its Aspect, Nexus and Matrix products. Some of the flaws can be exploited without authentication for remote code execution, obtaining credentials, and to manipulate files and various components.

Phoenix Contact has informed customers about a privilege escalation vulnerability in Device and Update Management. The company has described it as a misconfiguration that allows a low-privileged local user to execute arbitrary code with admin privileges. Germany’s CERT@VDE has also published a copy of the Phoenix Contact advisory.

The US cybersecurity agency CISA has published three new advisories describing vulnerabilities in Santesoft Sante PACS Server, Johnson Controls iSTAR, and Ashlar-Vellum products. CISA has also distributed the Aveva advisory and one of the Schneider Electric advisories.

A few days prior to Patch Tuesday, Rockwell Automation published an advisory informing customers about several high-severity code execution vulnerabilities affecting its Arena Simulation product.

Also prior to Patch Tuesday, Mitsubishi Electric released an advisory describing an information tampering flaw in Genesis and MC Works64 products.

securityweek.com EN 2025 August2025 CISA ICS Siemens Schneider Aveva Honeywell ABB PhoenixContact iOT
Critical Flaws Patched in Rockwell FactoryTalk, Micro800, ControlLogix Products https://www.securityweek.com/critical-flaws-patched-in-rockwell-factorytalk-micro800-controllogix-products/
17/08/2025 17:27:28

securityweek.com - Rockwell Automation has published several advisories describing critical and high-severity vulnerabilities affecting its products.
Rockwell Automation this week published several advisories describing critical- and high-severity vulnerabilities found recently in its products.

The industrial automation giant has informed customers about critical vulnerabilities in FactoryTalk, Micro800, and ControlLogix products.

In the FactoryTalk Linx Network Browser the vendor fixed CVE-2025-7972, a flaw that allows an attacker to disable FTSP token validation, which can be used to create, update, and delete FTLinx drivers.

In the case of Micro800 series PLCs, Rockwell resolved three older vulnerabilities affecting the Azure RTOS open source real-time operating system. The security holes can be exploited for remote code execution and privilege escalation. In addition to the Azure RTOS issues, the company has addressed a DoS vulnerability.

In ControlLogix products Rockwell patched a remote code execution vulnerability tracked as CVE-2025-7353.

The list of high-severity flaws includes two DoS issues in FLEX 5000, a code execution vulnerability in Studio 5000 Logix Designer, web server issues in ArmorBlock 5000, a privilege escalation in FactoryTalk ViewPoint, and an information exposure issue in FactoryTalk Action Manager.

None of these vulnerabilities have been exploited in the wild, according to Rockwell Automation.

The cybersecurity agency CISA has also published advisories for these vulnerabilities to inform organizations about the potential risks.

securityweek.com EN 2025 RockwellAutomation FactoryTalk CISA iOT ControlLogix CVE-2025-7353 FLEX5000
Norwegian Dam Valve Forced Open for Hours in Cyberattack https://hackread.com/norwegian-dam-valve-forced-open-hours-in-cyberattack/
30/06/2025 11:55:06

Unidentified hackers breached a Norwegian dam's control system in April, opening its valve for hours due to a weak password.
In a concerning incident this April, unidentified hackers reportedly breached the control systems of a Norwegian dam, causing its water valve to open fully. The incident occurred at the Lake Risevatnet dam, situated near the city of Svelgen in Southwest Norway. The valve remained open for four hours before the unauthorized activity was detected.

According to the Norwegian energy news outlet, Energiteknikk, the hack did not pose a danger, as the water flow barely exceeded the dam’s minimum requirement. The valve released an additional 497 litres per second, but officials noted that the riverbed could handle a much larger volume, up to 20,000 litres per second.
The incident was discovered on April 7 by the dam’s owner, Breivika Eiendom. Norwegian authorities, including NSM (National Security Authority), NVE (Norwegian Water Resources and Energy Directorate), and Kripos (a special agency of the Norwegian Police Service), were alerted on April 10, and an investigation is now underway.

Officials suspect the breach occurred because the valve’s web-accessible control panel was protected by a weak password. Breivika technical manager Bjarte Steinhovden speculated this was the likely vulnerability. The initial point of entry allowed attackers to bypass authentication controls and gain direct access to the operational technology (OT) environment.

hackread EN 2025 Norway IoT Dam Cyberattack
IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024 https://www.trendmicro.com/en_us/research/25/a/iot-botnet-linked-to-ddos-attacks.html
20/01/2025 08:53:40

Since the end of 2024, we have been continuously monitoring large-scale DDoS attacks orchestrated by an IoT botnet exploiting vulnerable IoT devices such as wireless routers and IP cameras.

trendmicro EN 2025 malware iot research report cyber-threats DDoS IoT botnet cameras
Industrial networking manufacturer Moxa reports 'critical' router bugs https://cyberscoop.com/industrial-networking-manufacturer-moxa-reports-critical-router-bugs/
12/01/2025 21:13:47

Firmware in cellular routers, secure routers and network security appliances made by Moxa is vulnerable to a pair of high-severity bugs.

cyberscoop EN 2025 vulnerability Firmware Moxa iot CVE-2024-9138 CVE-2024-9140
Hacked Robot Vacuums Across the U.S. Started Yelling Slurs https://gizmodo.com/hacked-robot-vacuums-across-the-us-started-yelling-slurs-2000511013
12/10/2024 15:33:55

"It could have been worse," one owner incredibly concluded.

gizmodo 2024 EN iot hacked Hacked Robot Vacuums Slurs
Hacking Kia: Remotely Controlling Cars With Just a License Plate https://samcurry.net/hacking-kia
29/09/2024 09:20:38

On June 11th, 2024, we discovered a set of vulnerabilities in Kia vehicles that allowed remote control over key functions using only a license plate. These attacks could be executed remotely on any hardware-equipped vehicle in about 30 seconds, regardless of whether it had an active Kia Connect subscription.

Additionally, an attacker could silently obtain personal information, including the victim's name, phone number, email address, and physical address. This would allow the attacker to add themselves as an invisible second user on the victim's vehicle without their knowledge.

samcurry EN 2024 iot Kia vehicles license plate Kia_connect remote-control car
Taking over Train infrastructure in Poland /Traction power substation and lighting systems https://medium.com/@bertinjoseb/taking-over-train-infrastructure-in-poland-traction-power-substation-and-lighting-systems-2948594f259d
18/09/2024 11:07:14

(6 months later, the CZAT 7 server is offline or changed to another IP address; this post was written 6 months ago, published today 9/2/2024)

I’m a big fan of trains, I like them, but never thought that someday I would take over a train traction power substation located in Poland from my home in Costa Rica.

I’m not a train expert/engineer and I had no idea how the train management works; I’m a cyber security professional doing research on the internet about OT industrial equipment exposed, potentially vulnerable or misconfigured.

Everything explained here is just what I learned reading official documentation from the Elester-pkp website: https://elester-pkp.com.pl/

bertinjoseb medium EN 2024 iot Critical-infrastructure Train Poland iot-safari power-substation lighting-systems
60 Hurts per Second – How We Got Access to Enough Solar Power to Run the United States https://www.bitdefender.com/blog/labs/60-hurts-per-second-how-we-got-access-to-enough-solar-power-to-run-the-united-states/
13/08/2024 11:45:28
  • Bitdefender researchers have identified a series of vulnerabilities in PV plant management platforms operated by Solarman and Deye.
  • This platform is responsible for coordinating production operations of millions of solar installations worldwide generating a whopping output of approximately 195 GW of solar power (20% of the global solar production).
  • If exploited, these vulnerabilities could allow an attacker to control inverter settings that could take parts of the grid down, potentially causing blackouts.
  • These vulnerabilities have been communicated to the affected vendors and fixed.
bitdefender EN 2024 Solar Power plant management IoT Solarman Deye
The Pumpkin Eclipse https://blog.lumen.com/the-pumpkin-eclipse/
30/05/2024 18:31:25

Executive Summary: Lumen Technologies’ Black Lotus Labs identified a destructive event, as over 600,000 small office/home office (SOHO) routers were taken offline belonging to a single internet service provider (ISP). The incident took place over a 72-hour period between October 25-27, rendered the infected devices permanently inoperable, and required a hardware-based replacement. Public scan data

lumen EN 2024 IoT routers destructive SOHO ISP 72-hour Chalubo
QNAPping At The Wheel (CVE-2024-27130 and friends) https://labs.watchtowr.com/qnap-qts-qnapping-at-the-wheel-cve-2024-27130-and-friends/
20/05/2024 10:09:52

Infosec is, at its heart, all about that data. Obtaining access to it (or disrupting access to it) is in every ransomware gang and APT group’s top-10 to-do-list items, and so it makes sense that our research voyage would, at some point, cross paths with products intended to manage - and safeguard - this precious resource.

watchtowr EN 2024 CVE-2024-27130 QNAPping QNAP NAS IoT vulnerability
Eight Arms to Hold You: The Cuttlefish Malware https://blog.lumen.com/eight-arms-to-hold-you-the-cuttlefish-malware/?ref=news.risky.biz
03/05/2024 07:43:56

Executive Summary: The Black Lotus Labs team at Lumen Technologies is tracking a malware platform we’ve named Cuttlefish, that targets networking equipment, specifically enterprise-grade small office/home office (SOHO) routers. This malware is modular, designed primarily to steal authentication material found in web requests that transit the router from the adjacent local area network (LAN). A

lumen EN 2024 Cuttlefish Malware SOHO routers DNS-hijacking sniffing iot
Hacker free-for-all fights for control of home and office routers everywhere https://arstechnica.com/security/2024/05/hacker-free-for-all-fights-for-control-of-home-and-office-routers-everywhere/
03/05/2024 07:42:41

How and why nation-state hackers and cybercriminals coexist in the same router botnet.

arstechnica EN 2024 SOHO routers home IoT APT PawnStorm MooBot
Siemens Industrial Product Impacted by Exploited Palo Alto Firewall Vulnerability https://www.securityweek.com/siemens-industrial-product-impacted-by-exploited-palo-alto-firewall-vulnerability/
23/04/2024 13:06:28

The recently disclosed Palo Alto Networks firewall vulnerability tracked as CVE-2024-3400, which has been exploited in attacks for at least one month, has been found to impact one of Siemens’ industrial products.

In an advisory published late last week, Siemens revealed that its Ruggedcom APE1808 devices configured with a Palo Alto Networks virtual next-generation firewall (NGFW) could be affected by CVE-2024-3400.

securityweek EN 2024 CVE-2024-3400 Palo Alto Networks firewall Siemens IoT
Vulnerabilities Identified in LG WebOS https://www.bitdefender.com/blog/labs/vulnerabilities-identified-in-lg-webos/?ref=news.risky.biz%2F
10/04/2024 09:05:53

As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers vulnerabilities discovered while researching the LG WebOS TV operating system.

bitdefender EN 2024 LG WebOS TV iot vulnerability CVE-2023-6317 CVE-2023-6318 CVE-2023-6319 CVE-2023-6320
The Darkside of TheMoon https://blog.lumen.com/the-darkside-of-themoon/
30/03/2024 17:41:03

Executive Summary: The Black Lotus Labs team at Lumen Technologies has identified a multi-year campaign targeting end-of-life (EoL) small home/small office (SOHO) routers and IoT devices, associated with an updated version of “TheMoon” malware. TheMoon, which emerged in 2014, has been operating quietly while growing to over 40,000 bots from 88 countries in January and

lumen EN 2020 SOHO TheMoon campaign EoL routers IoT proxy
Popular video doorbells can be easily hijacked, researchers find https://techcrunch.com/2024/02/29/popular-video-doorbells-eken-tuck-hijacked-researchers/
03/03/2024 20:23:42

Walmart and Temu pulled the affected doorbell cameras from their stores. Amazon and others have taken no action.

techcrunch EN 2024 doorbells Walmart IoT EKEN
Hackers can infect network-connected wrenches to install ransomware https://arstechnica.com/security/2024/01/network-connected-wrenches-used-in-factories-can-be-hacked-for-sabotage-or-ransomware/
13/01/2024 16:57:55

Researchers identify 23 vulnerabilities, some of which can be exploited with no authentication.

arstechnica EN 2024 wrenches ransomware IoT
Multiple vulnerabilities in Lantronix EDS-MD IoT gateway for medical devices https://www.pentagrid.ch/en/blog/multiple-vulnerabilties-in-lantronix-eds-md-iot-gateway/
08/01/2024 11:41:32

The Lantronix EDS-MD is an "IoT gateway for mission critical medical devices and equipment connectivity". It is affected by multiple vulnerabilities.

pentagrid EN 2024 Lantronix EDS-MS IoT ritical medical devices helath Vulnerabilities
P2Pinfect - New Variant Targets MIPS Devices https://www.cadosecurity.com/p2pinfect-new-variant-targets-mips-devices/
04/12/2023 20:36:21

Cado Security Labs has been monitoring the rapid growth of a cross-platform botnet, named “P2Pinfect”. Here are the latest updates.

cadosecurity EN 2023 MIPS IoT routers botnet