For Part 2 we have five additional vendor disclosures from Siemens (2), Supermicro, Wireshark (2), and Zyxel. There is one vendor update from Siemens. There is one researcher report on a vulnerability in products from FortiGuard. Finally, we have three separate exploits published for the same FortiGuard vulnerability.
Advisories
Siemens Advisory #1 - Siemens published an advisory that describes an out-of-bounds read vulnerability in their PS/IGES Parasolid Translator Component.
Siemens Advisory #2 - Siemens published an advisory that describes a cross-site scripting vulnerability in their Mendix RichText editor.
Supermicro Advisory - Supermicro published an advisory that discusses four stack-based buffer overflow vulnerabilities in their BMC Firmware.
Wireshark Advisory #1 - Wireshark published an advisory that describes a Kafka dissector crash vulnerability.
Wireshark Advisory #2 - Wireshark published an advisory that describes a BPv7 dissector crash vulnerability.
Zyxel Advisory - Zyxel published an advisory that describes two vulnerabilities in multiple Zyxel product lines.
Updates
Siemens Update - Siemens published an update for their Nozomi Guardian/CMC advisory that was originally published on August 12, 2025, and most recently updated on October 14th, 2025.
Researcher Reports
FortiGuard Report - Bishop Fox published a report about an exploit for a relative path traversal vulnerability in the FortiGuard FortiWeb product.
Exploits
NOTE: These exploits are all for the same FortiWeb vulnerability discussed above. This is a real popular vulnerability this week.
Nu11secur1ty published an exploit for the path traversal vulnerability in the FortiWeb product.
Verylazytech published an exploit for the path traversal vulnerability in the FortiWeb product.
SensePost published an exploit for the path traversal vulnerability in the FortiWeb product.
For more information on these disclosures, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-f90 - subscription required.