Review – Public ICS Disclosures – Week of 10-4-25 – Part 1

This week we have bulk disclosures from QNAP (6). We also have 13 other vendor disclosures from ABB (2), Belden (2), B&R (2), HP, HPE (2), Moxa, and Palo Alto Networks (3).

Bulk Disclosures – QNAP

Vulnerability in QNAP Authenticator,

Vulnerability in Video Station,

Multiple Vulnerabilities in Qsync Central,

Multiple Vulnerabilities in Qsync Central,  

Multiple Vulnerabilities in QTS and QuTS hero, and

Vulnerability in NetBak Replicator

Advisories

ABB Advisory #1 - ABB published an advisory that describes a cleartext storage of sensitive information in memory vulnerability in their LVS MConfig product.

ABB Advisory #2 - ABB published an advisory that describes a cross-site scripting vulnerability in their EIBPORT LAN gateways.

Belden Advisory #1 - Belden published an advisory that describes a GET request vulnerability in their HiOS Switch Platform.

Belden Advisory #2 - Belden published an advisory that discusses a heap overflow vulnerability (with publicly available exploit) in their Hirschmann HiLCOS product line.

B&R Advisory #1 - B&R published an advisory that describes two vulnerabilities in their System Diagnostic Manager.

B&R Advisory #2 - B&R published an advisory that describes an improper resource locking vulnerability in their System Diagnostics Manager.

HP Advisory - HP published an advisory that describes a missing authentication for critical function vulnerability in their Sure Start IFD Protection for multiple product lines.

HPE Advisory #1 - HPE published an advisory that describes an improper locking vulnerability in their HPE SimpliVity Servers.

HPE Advisory #2 - HPE published an advisory that discusses three vulnerabilities (all with publicly available exploits) in their Telco Intelligent Assurance product.

Moxa Advisory #1 - Moxa published an advisory that discusses a use of hard-coded private keys vulnerability (with publicly available exploit) in their TRC-2190 Series products.

Moxa Advisory #2 - Moxa published an advisory that discusses an exposure of sensitive information to an unauthorized actor vulnerability in their TRC-2190 Series products.

PAN Advisory #1 - PAN published an advisory that discusses 20 vulnerabilities in their Prisma Browser.

PAN Advisory #2 - PAN published an advisory that describes an improper neutralization of script in attributes in a web page vulnerability in their PAN-OS product.

PAN Advisory #3 - PAN published an advisory that describes an exposure of sensitive information to an unauthorized control sphere vulnerability in their PAN-OS product.

 

For more information on these disclosures, including links to 3^rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-10-fcb - subscription required.