Tuesday, November 18, 2025

Review – 5 Advisories and 1 Update Published – 11-18-25

Today CISA’s NCCIC-ICS published five control system security advisories for products from METZ CONNECT, Schneider Electric (2), and Shelly (2). They also published an updated advisory for products from Schneider.

Advisories

METZ Advisory - This advisory describes five vulnerabilities in the METZ EWIO2 product line.

Schneider Advisory #1 - This advisory describes three vulnerabilities in the Schneider PowerChute Serial Shutdown product.

NOTE: I briefly discussed these vulnerabilities on Sunday.

Schneider Advisory #2 - This advisory discusses a use of risky or broken cryptographic algorithm vulnerability in the Schneider EcoStruxure Machine SCADA Expert and Pro-face BLUE Open Studio products.

NOTE: I briefly discussed this vulnerability on Sunday.

Shelly Advisory #1 - This advisory describes an out-of-bounds read vulnerability in the Shelly Pro 3EM smart DIN rail switch.

Shelly Advisory #2 - This advisory describes an allocation of resources without limit or throttling vulnerability (with publicly available exploit) in the Shelly Pro 4PM smart DIN rail switch.

Updates

Schneider Update - This update provides additional information on the EcoStruxure advisory that was originally published on August 12th, 2025, and most recently updated on October 16th, 2025.

NOTE: I briefly discussed this update on Sunday.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published-bce - subscription required.
