For Part 2 we have nine additional vendor disclosures from NI, Philips, Rockwell (2), QNAP, SEL, SMA Solar Technology (2), and VMware. There are eight vendor updates from FortiGuard (3), HP (4), and Palo Alto Networks. Finally, we have a researcher report for vulnerabilities in products from Wind River.
Advisories
NI Advisory - NI published an advisory that describes a dependency on vulnerable third-party component vulnerability in multiple NI products.
Philips Advisory - Philips published an advisory that discusses two recent 7-ZIP vulnerabilities (CVE-2024-11477 and CVE-2025-0411).
Rockwell Advisory #1 - Rockwell published an advisory that describes an improper handling of exceptional conditions vulnerability in their GuardLogix products.
Rockwell Advisory #2 - Rockwell published an advisory that describes a cleartext transmission of sensitive information vulnerability in their PowerFlex 755 product.
QNAP Advisory - QNAP published an advisory that discusses a ClamAV heap-based buffer overflow vulnerability.
SEL Advisory - SEL published a software update notice for their Blueframe Resource Communication Services that reports a cybersecurity enhancement.
SMA Advisory #1 - CERT-VDE published an advisory that describes a cross-site request forgery vulnerability in the SMA Cluster Controller.
SMA Advisory #2 - CERT-VDE published an advisory that describes an improper restriction of rendered UI layers or frames vulnerability in the SMA Sunny Webbox.
VMware Advisory - Broadcom published an advisory that describes five vulnerabilities in the VMware Aria Operations for Logs and VMware Aria Operations updates.
Updates
FortiGuard Update #1 - FortiGuard published an update for their unchecked boundary length advisory that was originally published on January 14th, 2025, and most recently updated on January 22nd.
FortiGuard Update #2 - FortiGuard published an update for their improper access control advisory that was originally published on February 22nd, 2024.
FortiGuard Update #3 - FortiGuard published an update for their OS command injection advisory that was originally published on October 10th, 2023.
HP Update #1 - HP published an update for their Plantronics Hub advisory that was originally published on December 20th, 2023, and most recently updated on September 11th, 2024.
HP Update #2 - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on September 6th, 2024.
HP Update #3 - HP published an update for their NVIDIA GPU Display Driver advisory that was originally published on July 1st, 2024.
HP Update #4 - HP published an update for their Intel 2024.3 IPU advisory that was originally published on October 17, 2024, and most recently updated on January 15th, 2025.
Palo Alto Networks Update - Palo Alto Networks published an update for their PAN-OS BIOS and Bootloader advisory that was originally published on January 23rd, 2025.
Researcher Reports
Wind River Report - SEC Consult published a report that describes two weak password hash algorithm vulnerabilities in the Wind River VxWorks products.
For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-1-964 - subscription required.