Tuesday, August 12, 2025

Review – 5 Advisories and 2 Updates Published – 8-12-25

Today CISA’s NCCIC-ICS published four control system security advisories for products from AVEVA, Schneider Electric, Johnson Controls, and Ashlar-Vellum. They also published a medical device security advisory for products from Santesoft. Finally, they updated two control system advisories for products from End-of-Train and MegaSys.

Schneider published four additional advisories and five updates today. Unless covered by CISA on Thursday, I will address them in my Public ICS Disclosure posts this weekend.

Advisories

AVEVA Advisory - This advisory describes two vulnerabilities in the AVEVA PI Integrator.

Schneider Advisory - This advisory describes five vulnerabilities in the Schneider EcoStruxure Power Monitoring Expert.

Johnson Controls Advisory - This advisory describes six vulnerabilities in multiple iStar products from Johnson Controls.

Ashlar-Vellum Advisory - This advisory describes four vulnerabilities in multiple products from Ashlar-Vellum.

Santesoft Advisory - This advisory describes five vulnerabilities in the Santesoft Sante PACS Server.

Updates

End-of-Train Update - This update provides additional information on the remote linking protocol advisory that was originally published on July 10th, 2025.

MegaSys Update - This update provides additional information on the Telenium Online Web Application advisory that was originally published on September 19th, 2024.

 

For more information on these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-2-updates-published-2b9 - subscription required.
