Saturday, September 6, 2025

Review – Public ICS Disclosures – Week of 8-30-25

This week we have eight vendor disclosures from Copeland, Dell, Delta Electronics, Endress+Hauser, Hitachi, HPE, Meinberg, and NI. There are also four vendor updates for products from ABB, CODESYS (2), and Mitsubishi. Finally, we have two researcher reports for products from Ilevia and Sunway.

Advisories

Copeland Advisory - Copeland published an advisory that describes 10 vulnerabilities in the E2 and E3 supervisory control products.

Dell Advisory - Dell published an advisory that discusses 147 vulnerabilities in their ThinOS product.

Delta Advisory - Delta published an advisory that describes a missing authentication for critical function vulnerability in their DIAView product.

Endress+Hauser Advisory - CERT-VDE published an advisory that describes an insertion of sensitive information into a log file vulnerability in the Endress+Hauser Promag 10 and Promass 10 products.

Hitachi Advisory - Hitachi published an advisory that discusses 73 vulnerabilities in their Disk Array products.

HPE Advisory - HPE published an advisory that discusses an inclusion of functionality from an untrusted control sphere vulnerability (with publicly available exploits) in their M-Series Switches.

Meinberg Advisory - Meinberg published an advisory that discusses 11 vulnerabilities (four with publicly available exploits) in their Lantime product.

NI Advisory - NI published an advisory that describes seven vulnerabilities in their Digilent DASYLab product.

Updates

ABB Update - ABB published an update for their ELSB/BLBA ASPECT advisory that was originally published on August 8th, 2025, and most recently updated on August 27th, 2025.

CODESYS Update #1 - CODESYS published an update for their Exposed PKI folder advisory that was originally published on August 4th, 2025.

CODESYS Update #2 - CODESYS published an update for their NULL Pointer Dereference advisory that was originally published on August 4th, 2025.

Mitsubishi Update - Mitsubishi published an update for their GENESIS64 advisory that was originally published on October 22nd, 2024.

Researcher Reports

Ilevia Report - Zero Science Lab published a report about an authorization bypass via alternate path vulnerability in the Ilevia EVE X1/X5 Server.

Sunway Report - VulnCheck published a report describing a stack-based buffer overflow vulnerability in the Sunway Forcecontrol product.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-8-8a1 - subscription required.
