Thursday, November 13, 2025

Review – 17 Advisories and 1 Update Published – 11-13-25

Today CISA’s NCCIC-ICS published 17 control system security advisories for products from Siemens (7), General Industrial Controls, Rockwell (5), Brightpick AI, AVEVA (2), and Mitsubishi. They also updated an advisory for products from Festo.

Advisories

Solid Edge Advisory #1 - This advisory describes an uncontrolled search path element vulnerability in the Siemens Software Center and Solid Edge products.

Solid Edge Advisory #2 - This advisory describes an improper certificate validation vulnerability in the Siemens Solid Edge SE2025.

Altair Grid Advisory - This advisory describes two vulnerabilities in the Siemens Altair Grid Engine.

COMOS Advisory - This advisory discusses two vulnerabilities in the Siemens COMOS products.

LOGO! 8 Advisory - This advisory describes three vulnerabilities in the LOGO! 8 BM Devices.

Spectrum Power Advisory - This advisory describes five vulnerabilities in the Siemens Spectrum Power 4 products.

SICAM Advisory - This advisory describes two vulnerabilities in the Siemens SICAM P850 family and SICAM P855 family.

General Industrial Advisory - This advisory describes four vulnerabilities in the General Industrial Controls Lynx+ Gateway.

AADvance-Trusted SIS Advisory - This advisory discusses a path traversal vulnerability in the Rockwell AADvance-Trusted SIS Workstation.

FactoryTalk Advisory #1 - This advisory discusses an improper resource shutdown or release vulnerability in the Rockwell FactoryTalk Policy Manager.

FactoryTalk Advisory #2 - This advisory describes two vulnerabilities in the Rockwell FactoryTalk DataMosaix Private Cloud.

Studio 5000 Advisory - This advisory describes two vulnerabilities in the Rockwell Studio 5000 Simulation Interface.

Verve Asset Manager Advisory - This advisory describes an incorrect authorization vulnerability in the Rockwell Verve Asset Manager OT cybersecurity platform.

Brightpick Advisory - This advisory describes three vulnerabilities in the Brightpick AI warehouse automation platform.

Edge Advisory - This advisory describes the use of a broken or risky cryptographic algorithm vulnerability in the AVEVA Edge HMI/SCADA software.

Application Server Advisory - This advisory describes a basic cross-site scripting vulnerability in the AVEVA Application Server.

Mitsubishi Advisory - This advisory describes an improper validation of specified quantity in input vulnerability in the Mitsubishi MELSEC iQ-F Series products.

Note: I briefly discussed this vulnerability on November 9th, 2025.

Updates

Festo Update - This update provides additional information on the Controller CECC-S,-LK,-D Family advisory that was originally published on September 30th, 2025.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/17-advisories-and-1-update-published - subscription required.
