This week we have bulk disclosures from QNAP (11). We also have nine additional vendor disclosures from ABB, Advantech, Eaton (2), Meinberg, Mitsubishi, Moxa, and Philips (2).
Bulk Disclosure – QNAP
• Multiple Vulnerabilities in Download Station,
• Multiple Vulnerabilities in File Station 5,
• Vulnerability in Notification Center,
• Vulnerability in Qsync Central,
• Multiple Vulnerabilities in QuLog Center,
• Vulnerability in Malware Remover (PWN2OWN 2025),
• Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2025),
• Multiple Vulnerabilities in HBS 3 Hybrid Backup Sync (PWN2OWN 2025),
• Vulnerability in Hyper Data Protector (PWN2OWN 2025)
Advisories
ABB Advisory - ABB published an advisory that discusses a path traversal vulnerability (with publicly available exploit) in their PMC 600 protection and control IED manager.
Advantech Advisory - Advantech published an advisory that describes 12 vulnerabilities in their WebAccess/VPN portal.
Eaton Advisory #1 - Eaton published an advisory that describes a missing authentication for critical function vulnerability in their Brightlayer Software Suite.
Eaton Advisory #2 - Eaton published an advisory that describes an unrestricted upload of file with dangerous type vulnerability in their Brightlayer Software Suite.
Meinberg Advisory - Meinberg published an advisory that discusses 12 vulnerabilities (3 with publicly available exploits) in their Lantime product. These are third-party vulnerabilities.
Mitsubishi Advisory - Mitsubishi published an advisory that describes an improper validation of specified quantity in input vulnerability in their MELSEC iQ-F Series CPU module.
Moxa Advisory - Moxa published an advisory that discusses an uncontrolled resource consumption vulnerability (with publicly available exploit) in multiple Moxa products.
Philips Advisory #1 - Philips published an advisory that discusses an ASP.NET core HTTP request/response smuggling vulnerability.
Philips Advisory #2 - Philips published an advisory that discusses the Glassworm malware campaign.
For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-11-ab7 - subscription required.