securityweek.com - August 2025 ICS Patch Tuesday advisories have been published by Siemens, Schneider, Aveva, Honeywell, ABB and Phoenix Contact.
August 2025 Patch Tuesday advisories have been published by several major companies offering industrial control system (ICS) and other operational technology (OT) solutions.
Siemens has published 22 new advisories. One of them is for CVE-2025-40746, a critical Simatic RTLS Locating Manager issue that can be exploited by an authenticated attacker for code execution with System privileges.
The company has also published advisories covering high-severity vulnerabilities in Comos (code execution), Siemens Engineering Platforms (code execution), Simcenter (crash or code execution), Sinumerik controllers (unauthorized remote access), Ruggedcom (authentication bypass with physical access), Simatic (code execution), Siprotect (DoS), and Opcenter Quality (unauthorized access).
Siemens also addressed vulnerabilities introduced by the use of third-party components, including OpenSSL, Linux kernel, Wibu Systems, Nginx, Nozomi Networks, and SQLite.
Medium- and low-severity issues have been resolved in Simotion Scout, Siprotec 5, Simatic RTLS Locating Manager, Ruggedcom ROX II, and Sicam Q products.
As usual, Siemens has released patches for many of these vulnerabilities, but only mitigations or workarounds are available for some of the flaws.
Schneider Electric has released five new advisories. One of them describes four high-severity vulnerabilities in EcoStruxure Power Monitoring Expert (PME), Power Operation (EPO), and Power SCADA Operation (PSO) products. Exploitation of the flaws can lead to arbitrary code execution or sensitive data exposure.
In the Modicon M340 controller and its communication modules the industrial giant fixed a high-severity DoS vulnerability that can be triggered with specially crafted FTP commands, as well as a high-severity issue that can lead to sensitive information exposure or a DoS condition.
In the Schneider Electric Software Update tool, the company patched a high-severity vulnerability that can allow an attacker to escalate privileges, corrupt files, obtain information, or cause a persistent DoS.
Medium-severity issues that can lead to privilege escalation, DoS, or sensitive credential exposure have been patched in Saitel and EcoStruxure products.
Honeywell has published six advisories focusing on building management products, including several advisories that inform customers about Windows patches for Maxpro and Pro-Watch NVR and VMS products. The company has also released advisories covering PW-series access controller patches and security enhancements.
Aveva has published an advisory for two issues in its PI Integrator for Business Analytics. Two vulnerabilities have been patched: one arbitrary file upload issue that could lead to code execution, and a sensitive data exposure weakness.
ABB told customers on Tuesday about several vulnerabilities affecting its Aspect, Nexus and Matrix products. Some of the flaws can be exploited without authentication for remote code execution, obtaining credentials, and to manipulate files and various components.
Phoenix Contact has informed customers about a privilege escalation vulnerability in Device and Update Management. The company has described it as a misconfiguration that allows a low-privileged local user to execute arbitrary code with admin privileges. Germany’s CERT@VDE has also published a copy of the Phoenix Contact advisory.
The US cybersecurity agency CISA has published three new advisories describing vulnerabilities in Santesoft Sante PACS Server, Johnson Controls iSTAR, and Ashlar-Vellum products. CISA has also distributed the Aveva advisory and one of the Schneider Electric advisories.
A few days prior to Patch Tuesday, Rockwell Automation published an advisory informing customers about several high-severity code execution vulnerabilities affecting its Arena Simulation product.
Also prior to Patch Tuesday, Mitsubishi Electric released an advisory describing an information tampering flaw in Genesis and MC Works64 products.
Industrial solutions providers Siemens, Schneider Electric and Aveva have released June 2025 Patch Tuesday ICS security advisories.
While most of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws.
Siemens published six new advisories this Patch Tuesday. The most important describes CVE-2025-40585, a critical default credentials issue impacting Siemens Energy Services solutions that use the Elspec G5 Digital Fault Recorder (G5DFR).
According to Siemens, this component has default credentials with admin privileges and “a client configuration with remote access could allow an attacker to gain remote control of the G5DFR component and tamper outputs from the device”. Users can mitigate this issue by changing the default credentials from the G5DFR interface.
Critical issues are also described in an advisory for Simatic S7-1500 CPUs. Siemens is working on updates for the product to address dozens of vulnerabilities affecting the GNU/Linux subsystem.
Two advisories cover medium-severity issues in industrial communication devices that use the Sinec OS. The flaws allow an attacker to “perform actions that exceed the permissions of the ‘guest’ role”.
The industrial giant has also informed customers about a Tecnomatix Plant Simulation vulnerability that can lead to arbitrary code execution by tricking a user to open malicious files. The issue was reported by researcher Michael Heinzl, who is often credited by vendors for reporting vulnerabilities whose exploitation involves opening specially crafted files.
Siemens also informed customers about an XSS vulnerability in the Palo Alto Networks virtual firewall present in some Ruggedcom devices. Patches are being prepared by Siemens.
Schneider Electric has published three new advisories this Patch Tuesday. One of them describes XSS and DoS vulnerabilities affecting some Modicon controllers.
Four vulnerabilities have been patched in the EVLink WallBox electric vehicle charging station, including ones that can be exploited for reading or writing arbitrary files, launching XSS attacks, and taking remote control over the charging station.
Schneider has also informed customers about vulnerabilities in the third-party real-time operating system powering Insight Home and Insight Facility products. The products have reached end of life and cannot be updated, but users can implement mitigations to reduce the risk of exploitation.
Aveva has published three new advisories. One of them describes two high-severity DoS vulnerabilities in the PI Data Archive product. The other two advisories cover medium-severity XSS flaws in PI Connector for CygNet and PI Web API.
CISA also published three new advisories on Tuesday. One of them describes high-severity SinoTrack GPS receiver vulnerabilities that can allow an attacker to track vehicles and disconnect power to the fuel pump.
The other advisories describe the impact of a 2022 OpenSSL vulnerability on Hitachi Energy Relion products, and a remote code execution flaw discovered by Heinzl in MicroDicom DICOM Viewer.
ABB published advisories a few days before Patch Tuesday. The company informed customers about a critical EIBPORT vulnerability that leads to information disclosure, as well as flaws in third-party components used by its Welcome IP-Gateway product.
Also on Tuesday, Kaspersky published its ICS threat landscape report for Q1 2025, which shows that the security firm’s products blocked threats on nearly 22% of protected ICS devices.
The report looks at threat sources, regional trends, and the prevalence of various types of malware.
In April 2024, FrostyGoop, an ICS malware, was discovered in a publicly available malware scanning repository. FrostyGoop can target devices communicating over Modbus TCP to manipulate control, modify parameters, and send unauthorized command messages. Modbus is a commonly used protocol across all industrial sectors. The Cyber Security Situation Center (CSSC), a part of the Security
This ICS/OT attack represents the latest evolution in Russia's cyber physical attack capability.
Mandiant identified novel operational technology (OT) / industrial control system (ICS)-oriented malware, which we track as COSMICENERGY, uploaded to a public malware scanning utility in December 2021 by a submitter in Russia. The malware is designed to cause electric power disruption by interacting with IEC 60870-5-104 (IEC-104) devices, such as remote terminal units (RTUs), that are commonly leveraged in electric transmission and distribution operations in Europe, the Middle East, and Asia.
A ransomware group has hit at least one water company in the United Kingdom, but there is some confusion over whose systems were actually breached.
Learn more about Dragos's discovery of an exploit introduced through password "cracking" software that targets industrial engineers and operators.
The attack was the first in five years to use Sandworm's Industroyer malware.
ESET researchers have responded to a cyber-incident that affected an energy provider in Ukraine and involved ICS-capable malware called Industroyer2.
