Tuesday, July 22, 2025

Review – 6 Advisories and 3 Updates Published – 7-22-25

Today CISA’s NCCIC-ICS published six control system security advisories for products from Schneider (4), Lantronix, and DuraComm. They also published three control system advisory updates for products from Schneider.

Advisories

Schneider Advisory #1 - This advisory describes six vulnerabilities in the Schneider EcoStruxure IT Data Center Expert.

Schneider Advisory #2 - This advisory discusses a cross-site scripting vulnerability (listed in CISA’s Known Exploited Vulnerability catalog) in the Schneider System Monitor Application products.

Schneider Advisory #3 - This advisory discusses six vulnerabilities (three with publicly available exploits, two of which are listed in the KEV catalog) in the Schneider EcoStruxure Power Operation products.

Schneider Advisory #4 - This advisory describes an exposure of resource to wrong sphere vulnerability in the Schneider EcoStruxure Power Monitoring Expert and Power Operation products.

Lantronix Advisory - This advisory describes an improper restriction of external XML entity reference vulnerability in the Lantronix Provisioning Manager.

DuraComm Advisory - This advisory describes three vulnerabilities in the DuraComm SPM-500 DP-10iN-100-MU, a power distribution panel.

Updates

Schneider Update #1 - This update provides additional information on the Vijeo Designer advisory that was originally published on January 14th, 2025.

Schneider Update #2 - This update provides additional information on the EVLink WallBox advisory that was originally published on June 24th, 2025.

Schneider Update #3 - This update provides additional information on the Modicon Controllers advisory that was originally published on June 24th, 2025.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-3-updates-published - subscription required.
