Thursday, January 16, 2025

Review – 8 Advisories and 4 Updates Published 1-16-25

Today CISA’s NCCIC-ICS published eight control system security advisories for products from Schneider Electric, Hitachi Energy (2), Fuji Electric, and Siemens (4). They also updated advisories for products from Mitsubishi (2), Johnson Controls, and Delta Electronics.

Advisories

Schneider Advisory - This advisory describes two vulnerabilities in the Schneider Data Center Expert.

Hitachi Energy Advisory #1 - This advisory describes a relative path traversal vulnerability in the Hitachi Energy FOX61x Products.

Hitachi Energy Advisory #2 - This advisory describes an improper validation of certificate with host mismatch vulnerability in the Hitachi Energy FOX61x, FOXCST, and FOXMAN-UN products.

Fuji Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Fuji Alpha5 SMART servo drive system.

Siemens Advisory #1 - This advisory describes a files or directories accessible to external parties vulnerability in the Siemens SIPROTEC 5 products.

Siemens Advisory #2 - This advisory discusses an insertion of sensitive information into a log file vulnerability in the Siemens Siveillance Video Device Pack.

Siemens Advisory #3 - This advisory describes a cross-site scripting vulnerability in the Siemens Industrial Edge Management.

Siemens Advisory #4 - This advisory describes an LDAP injection vulnerability in the Siemens Mendix LDAP. The vulnerability was self-reported.

Updates

Mitsubishi Update #1 - This update provides additional information on the FA Engineering Software products advisory that was originally published on January 30th, 2024 and most recently updated on October 31st, 2024.

Mitsubishi Update #2 - This update provides additional information on the Multiple Factory Automation products advisory that was originally published on February 27th, 2024.

Johnson Controls Update - This update provides additional information on the Software House C●CURE 9000 advisory that was originally published on July 9th, 2024.

Delta Update - This update provides additional information on the DRASimuCAD advisory that was originally published on January 9th, 2025.

 

For more information on these advisories, including a link to a third-party advisory and a description of a duplicate CISA advisory, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/8-advisories-and-4-updates-published [link added 11:30 pm EDT 1-16-15] - subscription required.
