Today CISA’s NCCIC-ICS published seven control system security advisories for products from Advantech, Solis Cloud, Sunbird, Johnson Controls (2), MAXHUB, and Mitsubishi. They also updated advisories for products from Johnson Controls and Consilium.
Advisories
Advantech Advisory - This advisory describes an SQL injection vulnerability in the Advantech iView product.
SolisCloud Advisory - This advisory describes an authorization bypass through a user controlled key vulnerability in the SolisCloud Monitoring Platform.
Sunbird Advisory - This advisory describes two vulnerabilities in the Sunbird DCIM dcTrack and Power IQ products.
Johnson Controls Advisory #1 - This advisory describes an improper validation of certificate expiration vulnerability in the Johnson Controls iStar products.
Johnson Controls Advisory #2 - This advisory describes a forced browsing vulnerability in the Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace.
MAXHUB Advisory - This advisory describes a weak password recovery mechanism for forgotten password vulnerability in the MAXHUB Pivot client.
Mitsubishi Advisory - This advisory describes a cleartext storage of sensitive information vulnerability in the Mitsubishi GX Works2 product.
NOTE: I briefly discussed this vulnerability on November 29th, 2025.
Updates
Johnson Controls Update - This update provides additional information on the FX80 and FX90 advisory that was originally published on August 7th, 2025.
Consilium Update - This update provides additional information on the CS5000 Fire Panel advisory that was originally published on May 29th, 2025.
NOTE: The original CISA advisory noted that no fix was planned for these vulnerabilities. See my May 29th, 2025, post for more information.
For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/7-advisories-and-2-updates-published-67d - subscription required.