Thursday, December 11, 2025

Review – 12 Advisories Published – 12-11-25

Today CISA’s NCCIC-ICS published ten control system security advisories for products from OpenPLC, Siemens (6), AzeoTech, and Johnson Controls (2). They also published two medical device security advisories for products from Varex and Grassroots.

Siemens published an additional eight advisories on Tuesday that were not covered here by CISA. I will address those this weekend.

Advisories

OpenPLC Advisory - This advisory describes a cross-site scripting vulnerability in the OpenPLC_V3.

Gridscale Advisory - This advisory describes two vulnerabilities in the Siemens Gridscale X Prepay energy management product.

Energy Services Advisory - This advisory discusses an authentication bypass using an alternate path or channel vulnerability in the Siemens Energy Services product.

Building X Advisory - This advisory describes an improper verification of cryptographic signature vulnerability in the Siemens Building X - Security Manager Edge Controller.

SINEMA Advisory - This advisory describes two vulnerabilities in the Siemens SINEMA Remote Connect Server.

SALT Advisory - This advisory describes an improper certificate validation vulnerability in the Siemens Advanced Licensing (SALT) Toolkit.

IAM Advisory - This advisory describes an improper certificate validation vulnerability in the Siemens IAM Client.

AzeoTech Advisory - This advisory describes seven vulnerabilities in the AzeoTech DAQFactory.

iSTAR Ultra Advisory - This advisory describes two OS command injection vulnerabilities in the Johnson Controls iSTAR Ultra and iSTAR Edge products.

iSTAR Advisory - This advisory describes two improper neutralization of special elements used in an OS command vulnerabilities in the Johnson Controls iSTAR Ultra and iSTAR Edge products.

Varex Advisory - This advisory discusses an uncontrolled search path element vulnerability (with publicly available exploit) in their Panoramic Dental Imaging Software.

Grassroots Advisory - This advisory describes an out-of-bounds write vulnerability in the Grassroots DICOM viewer.

NOTE: CISA reports that DICOM viewers from SimpleITK and medInria are also affected by this vulnerability.


For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-advisories-published-12-11-25 - subscription required.
