Thursday, November 13, 2025

Review – 17 Advisories and 1 Update Published – 11-13-25

Today CISA’s NCCIC-ICS published 17 control system security advisories for products from Siemens (7), General Industrial Controls, Rockwell (5), Brightpick AI, AVEVA (2), and Mitsubishi. They also updated an advisory for products from Festo.

Advisories

Solid Edge Advisory #1 - This advisory describes an uncontrolled search path element vulnerability in the Siemens Software Center and Solid Edge products.

Solid Edge Advisory #2 - This advisory describes an improper certificate validation vulnerability in the Siemens Solid Edge SE2025.

Altair Grid Advisory - This advisory describes two vulnerabilities in the Siemens Altair Grid Engine.

COMOS Advisory - This advisory discusses two vulnerabilities in the Siemens COMOS products.

LOGO! 8 Advisory - This advisory describes three vulnerabilities in the LOGO! 8 BM Devices.

Spectrum Power Advisory - This advisory describes five vulnerabilities in the Siemens Spectrum Power 4 products.

SICAM Advisory - This advisory describes two vulnerabilities in the Siemens SICAM P850 family and SICAM P855 family.

General Industrial Advisory - This advisory describes four vulnerabilities in the General Industrial Controls Lynx+ Gateway.

AADvance-Trusted SIS Advisory - This advisory discusses a path traversal vulnerability in the Rockwell AADvance-Trusted SIS Workstation.

FactoryTalk Advisory #1 - This advisory discusses an improper resource shutdown or release vulnerability in the Rockwell FactoryTalk Policy Manager.

FactoryTalk Advisory #2 - This advisory describes two vulnerabilities in the Rockwell FactoryTalk DataMosaix Private Cloud.

Studio 5000 Advisory - This advisory describes two vulnerabilities in the Rockwell Studio 5000 Simulation Interface.

Verve Asset Manager Advisory - This advisory describes an incorrect authorization vulnerability in the Rockwell Verve Asset Manager OT cybersecurity platform.

Brightpick Advisory - This advisory describes three vulnerabilities in the Brightpick AI warehouse automation platform.

Edge Advisory - This advisory describes a use of a broken or risky cryptographic algorithm vulnerability in the AVEVA Edge HMI/SCADA software.

Application Server Advisory - This advisory describes a basic cross-site scripting vulnerability in the AVEVA Application Server.

Mitsubishi Advisory - This advisory describes an improper validation of specified quantity in input vulnerability in the Mitsubishi MELSEC iQ-F Series products.

Note: I briefly discussed this vulnerability on November 9th, 2025.

Updates

Festo Update - This update provides additional information on the Controller CECC-S,-LK,-D Family advisory that was originally published on September 30th, 2025.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/17-advisories-and-1-update-published - subscription required.

Short Takes – 11-13-25 – Federal Register Edition

Octamethylcyclotetrasiloxane (Cyclotetrasiloxane, 2,2,4,4,6,6,8,8-octamethyl-)(D4); Draft Risk Evaluation Under the Toxic Substances Control Act (TSCA); Extension of the Comment Period. Federal Register EPA comment extension notice. Summary: “In the Federal Register of September 17, 2025, Environmental Protection Agency (EPA) announced the availability of and sought public comment on a draft risk evaluation under the Toxic Substances Control Act (TSCA) for Octamethylcyclotetrasiloxane (Cyclotetrasiloxane, 2,2,4,4,6,6,8,8-octamethyl-) (D4) (CASRN 556-67-2). The purpose of risk evaluations under TSCA is to determine whether a chemical substance presents an unreasonable risk of injury to health or the environment under the conditions of use (COUs), including unreasonable risk to potentially exposed or susceptible subpopulations identified as relevant to the risk evaluation by EPA, and without consideration of costs or non-risk factors. EPA used the best available science to prepare this draft risk evaluation and to preliminarily determine, based on the weight of scientific evidence, that D4 poses unreasonable risk to health and the environment driven primarily by COUs analyzed in the draft risk evaluation. This document extends the comment period, which was scheduled to end on November 17, 2025, for 15 days.”

Perfluoroalkyl and Polyfluoroalkyl Substances (PFAS) Data Reporting and Recordkeeping Under the Toxic Substances Control Act (TSCA); Revision to Regulation. Federal Register EPA notice of proposed rulemaking. Summary: “The U.S. Environmental Protection Agency (EPA or Agency) is proposing amendments to the Toxic Substances Control Act (TSCA) regulation for reporting and recordkeeping requirements for perfluoroalkyl and polyfluoroalkyl substances (PFAS). As promulgated in October 2023, the regulation requires manufacturers (including importers) of PFAS in any year between 2011-2022 to report certain data to EPA related to exposure and environmental and health effects. EPA is proposing to incorporate certain exemptions and other modifications to the scope of the reporting regulation. These exemptions would maintain important reporting on PFAS, consistent with statutory requirements, while exempting reporting on activities about which manufacturers are least likely to know or reasonably ascertain.”

Methylene Chloride; Regulation Under the Toxic Substances Control Act (TSCA); Compliance Date Extension. Federal Register EPA compliance date extension notice. Summary: “The Environmental Protection Agency (EPA or Agency) is finalizing an extension to the compliance dates applicable to certain entities subject to the regulation of methylene chloride promulgated under the Toxic Substances Control Act (TSCA). Specifically, EPA is finalizing an 18-month extension of the Workplace Chemical Protection Program (WCPP) and associated recordkeeping compliance dates for industrial or commercial laboratories that are not owned or operated by Federal agencies or contractors acting on behalf of the Federal government. Under this final rule, all non-Federal laboratories will share the same compliance dates with Federal and Federally contracted laboratories. EPA is finalizing an extension of the compliance dates for associated laboratory activities detailed in this final rule to avoid disruption of important functions of non-Federal laboratories such as the use of environmental monitoring methods needed for cleanup sites and wastewater treatment, as well as activities associated with university laboratories or law enforcement laboratories.”

Review – Bills Introduced – 11-12-25

Yesterday, with the House in Washington for the day, there were 28 bills introduced. One of those bills will receive additional coverage in this blog:

HR 6042 To create mechanisms by which State law enforcement can coordinate with the Federal Government to detect and stop drones involved in unlawful activities, and for other purposes. Smith, Christopher H. [Rep.-R-NJ-4]


For more information on these bills, including legislative history for similar bills in the 118th Congress, and a brief mention in passing of a bill calling for a veterans’ suicide flag, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/bills-introduced-11-12-25 - subscription required.

CISA Adds WatchGuard Vulnerability to KEV Catalog – 11-12-25

Yesterday CISA announced that it had added an out-of-bounds write vulnerability in the WatchGuard Fireware OS to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was previously disclosed by WatchGuard on September 17th, 2025. That advisory was updated on November 7th, 2025 to include indicators of compromise. On November 8th, 2025 watchTowr Labs published a report on the vulnerability that included proof-of-concept code, after having previously published a ‘Detection Artifact Generator for WatchGuard CVE-2025-9242’.

NOTE: This is not related to the WatchGuard exploit notice that I briefly discussed on Sunday.

CISA has directed federal agencies utilizing the affected WatchGuard products to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” Agencies have been given a deadline of December 3rd, 2025 to complete these actions.

Wednesday, November 12, 2025

HR 5371 Back in the House – FY 2026 CR and Spending Bills

Early this morning the House Rules Committee completed its consideration of the Senate Amendments to HR 5371, the Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026. After rejecting 10 Democratic amendments to the Senate Amendments (all by the expected party-line 4 to 8 votes), the Committee voted to approve the Rule for the consideration of the bill on the floor of the House later today, again by an 8 to 4 vote.

According to the Committee’s website the rule:

• Provides for consideration of the Senate amendment to H.R. 5371.

• Makes in order a motion offered by the chair of the Committee on Appropriations or his designee that the House concur in the Senate amendment to H.R. 5371.

• Waives all points of order against consideration of the motion and the Senate amendment.

• Provides that the Senate amendment and the motion shall be considered as read.

• Provides one hour of debate on the motion equally divided and controlled by the chair and ranking minority member of the Committee on Appropriations or their respective designees.

The House is scheduled to meet at noon today with votes starting at 5:10 pm EST. All three of the fringe Republicans on the Rules Committee voted for the rule, so I expect that the rule and the bill will have sufficient votes to pass this evening, even if all the Democrats vote against them.

Tuesday, November 11, 2025

Review - HR 5371 Amended and Passed in Senate – FY 2026 CR

Yesterday the Senate finally completed action on HR 5371, the Continuing Appropriations and Extensions Act, 2026. By votes of 60 to 40, the Senate adopted the substitute language from the Senate Appropriations Committee and then passed the amended bill. The revised language would extend the current spending through January 30th, 2026 and would pass the three spending bills earlier adopted by the Senate when it passed HR 3944, the FY 2026 MilCon spending bill in August. The revised bill gets a new title of the “Continuing Appropriations, Agriculture, Legislative Branch, Military Construction and Veterans Affairs, and Extensions Act, 2026”.

Moving Forward

Reportedly, the House will be in session tomorrow (still not on the Majority Leader’s calendar) to vote on this bill, violating a whole bunch of promises not to force members to vote on spending bills without adequate time to review the provisions. It appears that the Democratic leadership in the House is trying to convince members to not vote for this bill while their requested ACA subsidies are still not included. This may be important because there could be a number of Republican holdouts that will not want to vote for this bill because of the bipartisan language (and spending allocations) in the three spending bills. It is possible that this Senate deal will not be acceptable to a majority in the House, depending on how well their conference can hold the Democrats together in opposition.

BTW: The Senate has left town for their Veterans Day Recess. They are scheduled to return to Washington on Tuesday, November 18th, 2025.


For more information on the provisions of this bill, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/hr-5371-amended-and-passed-in-senate - subscription required.

Siemens Updates Advisory Format Information – 11-7-25

Last week Siemens published a news item on their website describing changes that have been made to their advisory formats on their CERT Services page. Earlier this year they discontinued providing .TXT versions of their advisories, and this month they stopped providing .PDF versions. This leaves only the .HTML and .CSAF versions of their advisories available on their website.

The picture below shows the far-right cell in each advisory’s row on the CERT Services page. Both the HTML and CSAF portions of the cell are live links to the respective version of the advisory. The former links under the PDF and TXT portions of the cell are no longer live.

The next expected change will be the adoption of CSAF 2.0, but that will only be an interim measure pending development of a unique Siemens Application Programming Interface (API).
