For Part 1 this week we have 19 vendor disclosures from Broadcom (5), Delta Electronics, Eaton (2), GE Vernova, Hitachi (2), Hitachi Energy (3), HPE (2), Moxa, Pepperl+Fuchs, and Philips.
Advisories
Broadcom Advisory #1 - Broadcom published an advisory that discusses an out-of-bounds read vulnerability in their Brocade ASCG.
Broadcom Advisory #2 - Broadcom published an advisory that describes an unprotected transport of credentials vulnerability in their Brocade ASCG 3.2.0 web interface.
Broadcom Advisory #3 - Broadcom published an advisory that discusses an interpretation conflict vulnerability in multiple Brocade products.
Broadcom Advisory #4 - Broadcom published an advisory that discusses a static-code injection vulnerability (with available exploit) in their Brocade SANnav and Brocade Support Link products.
Broadcom Advisory #5 - Broadcom published an advisory that announces the availability of a Rocky Linux Kernel update in their Brocade Support Link product.
Delta Advisory - Delta published an advisory that describes a heap-based buffer overflow vulnerability in their CNCSoft-G2 product.
Eaton Advisory #1 - Eaton published an advisory that describes three vulnerabilities in their Foreseer Reporting Software.
Eaton Advisory #2 - Eaton published an advisory that describes an improper input validation vulnerability in their Network-M2 card.
GE Vernova Advisory - GE published an advisory for a vulnerability in their S1 Agile Engineering Tool Suite.
Hitachi Advisory #1 - Hitachi published an advisory that discusses a NULL pointer dereference vulnerability in their Configuration Manager products.
Hitachi Advisory #2 - Hitachi published an advisory that discusses an incorrect authorization vulnerability in multiple Hitachi products.
Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that describes four vulnerabilities in their MACH gateway station product.
Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses 16 vulnerabilities in their Service Suite product.
Hitachi Energy Advisory #3 - Hitachi Energy published an advisory that discusses an uncontrolled search path element vulnerability in their MACH PS700 v2 system.
HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities (one with available exploit) in their Telco Service Activator product.
HPE Advisory #2 - HPE published an advisory that discusses two vulnerabilities (both with available exploits) in their NonStop CLIM product.
Moxa Advisory - Moxa published an advisory that describes an out-of-bounds write vulnerability in their EN 50155 Switches.
Pepperl+Fuchs Advisory - CERT-VDE published an advisory that discusses an integer underflow or wraparound vulnerability in Pepperl+Fuchs HMI devices.
Philips Advisory - Philips published an advisory that “reports that a known hacker group is distributing malware disguised as Philips medical imaging viewer software (also known as DICOM viewer) to unsuspecting users via unauthorized sites and methods, including phishing techniques.”
For more information on these disclosures, including links to 3rd party advisories and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-2-326 - subscription required.