It was a relatively light disclosure week; I needed that after last week. We have 12 vendor disclosures from HPE (2), Moxa (5), Philips (2), Omron, Sick (2), and Wireshark. We have 4 vendor updates from Broadcom (2) and HPE (2).
Advisories
HPE Advisory #1 - HPE published an advisory that discusses four vulnerabilities (one with a publicly available exploit) in their Telco Service Orchestrator.
HPE Advisory #2 - HPE published an advisory that discusses three vulnerabilities in their Telco Service Orchestrator.
Moxa Advisory #1 - Moxa published an advisory that describes an improper validation of specified type of input vulnerability in their EDS, ICS, IKS, and SDS Switches.
Moxa Advisory #2 - Moxa published an advisory that describes an out-of-bounds write vulnerability in their EDS, ICS, IKS, and SDS Switches.
Moxa Advisory #3 - Moxa published an advisory that describes a missing authentication for critical function vulnerability in their Ethernet switches.
Moxa Advisory #4 - Moxa published an advisory that describes an improper validation of specified type of input vulnerability in their PT Switches.
Moxa Advisory #5 - Moxa published an advisory that describes an out-of-bounds write vulnerability in their PT Switches.
Philips Advisory #1 - Philips published an advisory that discusses four Ivanti Endpoint Manager vulnerabilities.
Philips Advisory #2 - Philips published an advisory that discusses a cross-site scripting vulnerability that is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Omron Advisory - Omron published an advisory that describes an out-of-bounds read vulnerability in their CX-Programmer product.
Sick Advisories - The Sick PSIRT page lists two recent advisories for Sick products. Unfortunately, both the PDF and JSON files for those advisories currently return a 503 Service Unavailable error.
Wireshark Advisory - Wireshark published an advisory that describes an uncontrolled recursion vulnerability in their Bundle Protocol and CBOR dissectors that can crash the product.
Updates
Broadcom Update #1 - Broadcom published an update for their OpenSSH advisory that was originally published on December 9th, 2024, and most recently updated on February 13th, 2025.
Broadcom Update #2 - Broadcom published an update for their embedded switch SNMP commands advisory that was originally published on July 30th, 2024.
HPE Update #1 - HPE published an update for their Telco Service Orchestrator advisory that was originally published on January 20th, 2025.
HPE Update #2 - HPE published an update for their Telco Service Orchestrator SO, Apache Log4j advisory that was originally published on December 17th, 2021.
For more information on these disclosures, including links to third-party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-7a6 - subscription required.