Saturday, April 26, 2025

Review – Public ICS Disclosures – Week of 4-19-25 – Part 1

This week we have 18 vendor disclosures from Bosch, Broadcom, CODESYS, Hitachi (3), HPE (6), Milestone, Mitsubishi, Philips (2), and SEL (2).

Advisories

Bosch Advisory - Bosch published an advisory that describes 15 vulnerabilities in their ctrlX OS product.

Broadcom Advisory - Broadcom published an advisory that discusses an improper isolation or compartmentalization vulnerability in multiple Broadcom products.

CODESYS Advisory - CODESYS published an advisory that describes a forced browsing vulnerability in multiple CODESYS products.

Hitachi Advisory #1 - Hitachi published an advisory that discusses three vulnerabilities (one with publicly available exploit) in their JP1/Automatic Operation products.

Hitachi Advisory #2 - Hitachi published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Ops Center Common Services within Hitachi Ops Center OVA.

Hitachi Advisory #3 - Hitachi published an advisory that describes a use of default credentials vulnerability in Ops Center Common Services within Hitachi Ops Center Analyzer viewpoint OVF.

HP Advisory - HP published an advisory that discusses two vulnerabilities in multiple HP products.

HPE Advisory #1 - HPE published an advisory that discusses five vulnerabilities (3 with publicly available exploits, one listed in CISA’s KEV catalog) in their Telco Unified OSS Console.

HPE Advisory #2 - HPE published an advisory that discusses four vulnerabilities (one with publicly available exploit) in their Superdome Flex 280 and Compute Scale-up Server 3200 platforms.

HPE Advisory #3 - HPE published an advisory that discusses an OS command injection vulnerability in their SAN Switches with Brocade Fabric OS.

HPE Advisory #4 - HPE published an advisory that discusses 13 vulnerabilities in their Telco Network Function Virtualization Orchestrator Software.

HPE Advisory #5 - HPE published an advisory that discusses a deserialization of untrusted data vulnerability (listed in CISA’s KEV catalog) in their Telco Service Orchestrator.

HPE Advisory #6 - HPE published an advisory that discusses three vulnerabilities in their Telco Service Activator.

Milestone Advisory - Milestone published an advisory that describes a missing encryption of sensitive data vulnerability in their XProtect installer.

Mitsubishi Advisory - Mitsubishi published an advisory that describes an improper validation of specified quantity in input vulnerability in multiple FA products.

Philips Advisory #1 - Philips published an advisory that discusses five Apple vulnerabilities.

Philips Advisory #2 - Philips published an advisory that discusses two Google Chrome vulnerabilities.

SEL Advisory #1 - SEL published a software update notice that includes cybersecurity enhancements for their SEL-5702 Synchrowave Operations product.

SEL Advisory #2 - SEL published a software update notice that includes cybersecurity enhancements for their Blueframe OS.


For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-4-83e - subscription required.
