Saturday, March 22, 2025

Review – Public ICS Disclosures – Week of 3-15-25

This week we have 24 vendor disclosures from CODESYS (3), Dassault Systèmes (13), Fuji Soft, Helmholtz, HPE (2), MB Connect, Philips (2), and QNAP. There are also six vendor updates from Dell, FortiGuard (3), HP, and HPE. Finally, there are three researcher reports for vulnerabilities in products from Luxion and National Instruments (2).

Advisories

CODESYS Advisory #1 - CODESYS published an advisory that describes an observable discrepancy vulnerability in their CODESYS Runtime Toolkit.

CODESYS Advisory #2 - CODESYS published an advisory that describes a path traversal vulnerability in multiple CODESYS products.

CODESYS Advisory #3 - CODESYS published an advisory that describes an insecure initialization of resource vulnerability in Edge Gateway for Windows and Gateway for Windows products.

Dassault Advisories - Dassault Systèmes published 13 advisories that describe stored cross-site scripting vulnerabilities in multiple products. These advisories are only available to registered customers.

Fuji Soft Advisory - JP-CERT published an advisory that describes two OS command injection vulnerabilities in the Fuji F FS010M router.

Helmholtz Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the Helmholtz myREX24 and myREX24.virtual products.

HPE Advisory #1 - HPE published an advisory that describes three vulnerabilities in the HPE Aruba Networking AOS-CX product.

HPE Advisory #2 - HPE published an advisory that discusses six vulnerabilities (two with publicly available exploits) in their Telco Service Activator.

MB Connect Advisory - CERT-VDE published an advisory that describes two vulnerabilities in multiple MB Connect products.

Philips Advisory #1 - Philips published an advisory that discusses an Apache Tomcat vulnerability.

Philips Advisory #2 - Philips published an advisory that discusses three VMware vulnerabilities.

QNAP Advisory - QNAP published an advisory that discusses an absolute path traversal vulnerability (listed in CISA’s KEV catalog) in the NAKIVO Backup & Replication application.

Updates

Dell Update - Dell published an update for their ThinOS advisory that was originally published on March 4th, 2025.

FortiGuard Update #1 - FortiGuard published an update for their csfd daemon advisory that was originally published on January 14th, 2025, and most recently updated on January 16th, 2025.

FortiGuard Update #2 - FortiGuard published an update for their RADIUS Protocol advisory that was originally published on August 13th, 2024, and most recently updated on March 6th, 2025.

FortiGuard Update #3 - FortiGuard published an update for their permission escalation advisory that was originally published on February 11th, 2025.

HP Update - HP published an update for their LaserJet Pro advisory that was originally published on February 14th, 2025, and most recently updated on March 14th, 2025.

HPE Update - HPE published an update for their Cray XD670 Server advisory that was originally published on March 11th, 2025.

Researcher Reports

Luxion Reports - ZDI published three reports about vulnerabilities in the Luxion KeyShot product.

National Instruments Report #1 - ZDI published a report that describes a path traversal vulnerability in the NI FlexLogger.

National Instruments Report #2 - ZDI published a report that describes a "product UI does not warn user of unsafe actions" vulnerability in the NI Vision Builder AI.

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-daf - subscription required.
