This morning the DHS ICS-CERT published two industrial control system security advisories for products from Siemens and Moxa.
The Siemens advisory describes a privilege escalation vulnerability in the Siemens SINEMA Server. The vulnerability was reported by rgod via the Zero Day Initiative. Siemens has developed a temporary fix for the vulnerability while a new version is being developed. There is no indication that rgod has been provided an opportunity to verify the efficacy of the temporary fix.
ICS-CERT reports that a relatively low-skilled attacker with local access could exploit the vulnerability, in combination with a social engineering attack, to escalate their privileges.
The Moxa advisory describes an SQL injection vulnerability in the Moxa SoftCMS. The vulnerability was reported by Zhou Yu of Acorn Network Security via the Zero Day Initiative. Moxa has produced an update to mitigate the vulnerability, but there is no indication that Zhou Yu has been provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary commands on the target system.
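Neither ICS-CERT nor Moxa has published the affected SoftCMS code, so the following is an added illustration of the vulnerability class named in the advisory, not SoftCMS's own code or the actual flaw. It uses a constructed in-memory SQLite table and a hypothetical login lookup written two ways: with string formatting (the pattern that makes SQL injection possible) and with bound parameters (the fix a vendor update would normally apply). The table contents, column names, and function names are all assumptions for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data for the example; not a SoftCMS schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("operator", "s3cret", "operator"), ("admin", "hunter2", "admin")],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Attacker-controlled strings are spliced straight into the SQL text,
    # so quote characters and comment markers in the input change the query.
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    # Bound parameters keep the SQL text fixed; the driver passes the
    # input as data, so quotes and comment markers are just characters.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


# A classic payload: close the string literal, then comment out the
# password check.  "admin' --" turns the vulnerable query into
#   ... WHERE username = 'admin' --' AND password = 'x'
INJECTED_USER = "admin' --"


def demo():
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "operator", "s3cret"),
        "legit_parameterized": login_parameterized(conn, "operator", "s3cret"),
        "injected_vulnerable": login_vulnerable(conn, INJECTED_USER, "x"),
        "injected_parameterized": login_parameterized(conn, INJECTED_USER, "x"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the same malformed username, the formatted query returns the admin row without knowing the password, while the parameterized query returns nothing because it looks for a user literally named `admin' --`. The same property is what a remote attacker abuses when a web front end such as SoftCMS builds queries from request data; the check to make during patch verification is that every query path takes user input only through bound parameters.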