Today CISA’s NCCIC-ICS published eight control system
security advisories for products from Schneider Electric, Hitachi Energy (2), Fuji
Electric, and Siemens (4). They also updated advisories for products from Mitsubishi
(2), Johnson Controls, and Delta Electronics.
Advisories
Schneider Advisory - This advisory describes two vulnerabilities in the Schneider Data Center Expert.
Hitachi Energy Advisory #1 - This advisory describes a relative path traversal vulnerability in the Hitachi Energy FOX61x Products.
Hitachi Energy Advisory #2 - This advisory describes an improper validation of certificate with host mismatch vulnerability in the Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN products.
Fuji Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Fuji Alpha5 SMART servo drive system.
Siemens Advisory #1 - This advisory describes a files or directories accessible to external parties vulnerability in the Siemens SIPROTEC 5 products.
Siemens Advisory #2 - This advisory discusses an insertion of sensitive information into a log file vulnerability in the Siemens Siveillance Video Device Pack.
Siemens Advisory #3 - This advisory describes a cross-site scripting vulnerability in the Siemens Industrial Edge Management.
Siemens Advisory #4 - This advisory describes an LDAP injection vulnerability in the Siemens Mendix LDAP. The vulnerability was self-reported.
Updates
Mitsubishi Update #1 - This update provides additional information on the FA Engineering Software products advisory that was originally published on January 30th, 2024 and most recently updated on October 31st, 2024.
Mitsubishi Update #2 - This update provides additional information on the Multiple Factory Automation products advisory that was originally published on February 27th, 2024.
Johnson Controls Update - This update provides additional information on the Software House C●CURE 9000 advisory that was originally published on July 9th, 2024.
Delta Update - This update provides additional information on the DRASimuCAD advisory that was originally published on January 9th, 2025.
For more information on these advisories, including a link
to a third-party advisory and a description of a duplicate CISA advisory, see my
article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-and-4-updates-published [link added 11:30 pm EDT 1-16-15] - subscription required.