This is a moderately busy disclosure week. For Part 1 we have 19 vendor disclosures from ABB, Dassault Systems, Delta Electronics, HP (2), HPE (2), Moxa, Philips, and QNAP (10).
Advisories
ABB Advisory - ABB published an advisory that describes a session fixation vulnerability in their EIBPORT Session Management product.
Dassault Advisory - Dassault published an advisory (only available to registered owners) that describes a deserialization of untrusted data vulnerability in their DELMIA Apriso product.
Delta Advisory - Delta published an advisory that describes an out-of-bounds write vulnerability in their CNCSoft-G2 product.
HP Advisory #1 - HP published an advisory that describes an improper preservation of permissions vulnerability in their Support Assistant product.
HP Advisory #2 - HP published an advisory that discusses 300+ (I frankly gave up counting not even half-way through, so a much higher number) vulnerabilities in their ThinPro product.
HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities in their Telco Service Orchestrator software.
HPE Advisory #2 - HPE published an advisory that describes three vulnerabilities (two with publicly available exploit code) in their Insight Remote Support product.
Moxa Advisory - Moxa published an advisory that discusses an uncontrolled resource consumption vulnerability (with publicly available exploit) in their ICS-G7848A, ICS-G7850A, and ICS-G7852A series products.
Philips Advisory #1 - Philips published an advisory that discusses an out-of-bounds read vulnerability (listed in CISA’s Known Exploited Vulnerabilities catalog) in their Capsule Surveillance product.
Philips Advisory #2 - Philips published an advisory that discusses an undescribed Commvault Web Server vulnerability (listed in CISA’s KEV catalog).
QNAP Advisory #1 - QNAP published an advisory that discusses two vulnerabilities (one with publicly available exploit code) in their QTS and QTS Hero products.
QNAP Advisory #2 - QNAP published an advisory that describes four improper certificate validation vulnerabilities in their File Station 5 product.
QNAP Advisory #3 - QNAP published an advisory that describes two vulnerabilities in their Qsync Central product.
QNAP Advisory #4 - QNAP published an advisory that describes a cross-site scripting vulnerability in their License Center product.
QNAP Advisory #5 - QNAP published an advisory that describes two vulnerabilities in their QTS and QuTS hero products.
QNAP Advisory #6 - QNAP published an advisory that discusses a race condition vulnerability (with publicly available exploit) in their QES product.
QNAP Advisory #7 - QNAP published an advisory that describes two vulnerabilities in their QuRouter product.
QNAP Advisory #8 - QNAP published an advisory that describes ten vulnerabilities in their File Station 5 product.
QNAP Advisory #9 - QNAP published an advisory that discusses an open redirect vulnerability in their QES products.
QNAP Advisory #10 - QNAP published an advisory that discusses an untrusted search path vulnerability.
For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-5-12b - subscription required.