Yesterday CISA announced that it had added an unrestricted upload of files with dangerous type vulnerability in the “OpenPLC ScadaBR” product to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was previously disclosed by ScadaBR along with a cross-site scripting vulnerability that CISA had already added to the KEV catalog. The vulnerability has been fixed in Scada-LTS, a successor product to ScadaBR. On May 13th, 2025, Fellipe Oliveira published an exploit for this vulnerability.
CISA has directed all federal agencies that use the affected products to apply “mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.” They have provided a deadline of December 24th, 2025, to accomplish those actions.