This week we have bulk disclosures from FortiGuard (8). There are also 12 additional vendor disclosures from Cisco, Dell, Dassault Systems, Elecom, Endress+Hauser, Hitachi Energy (2), HP, HPE, Moxa, and NI (2).
Bulk Disclosures – FortiGuard
• Insertion of sensitive information into REST API logs,
• Insufficient Session Expiration in SSLVPN,
• Multiple Fortinet Products' FortiCloud SSO Login Authentication Bypass,
• Multiple authenticated OS Command Injections via API,
• OS command injection in GUI backup options,
• OS command injection in multiple endpoints,
• Private key readable by admin, and
• Reflected XSS in HA cluster.
Advisories
Cisco Advisory - Cisco published an advisory that discusses the React Server Components deserialization of untrusted data vulnerability that is listed in CISA’s Known Exploited Vulnerabilities catalog.
Dell Advisory - Dell published an advisory that discusses 30 vulnerabilities. All but three of these are third-party vulnerabilities.
Dassault Advisory - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator.
Elecom Advisory - JP CERT published an advisory that describes an unquoted search path vulnerability in the Elecom Clone for Windows.
Endress+Hauser Advisory - CERT-VDE published an advisory that discusses an out-of-bounds write vulnerability in multiple Endress+Hauser products.
Hitachi Energy Advisory #1 - Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability in their Asset Suite product.
Hitachi Energy Advisory #2 - Hitachi Energy published an advisory that discusses the React Server Component deserialization of untrusted data vulnerability that is listed in CISA’s KEV catalog.
HP Advisory - HP published an advisory that describes a path traversal vulnerability in their Event Utility and Omen Gaming Hub products.
HPE Advisory - HPE published an advisory that discusses ten vulnerabilities in their ProLiant DL/ML/XD, Alletra and Synergy Servers.
Moxa Advisory - Moxa published an advisory that describes two vulnerabilities in their MXsecurity Series products.
NI Advisory #1 - NI published an advisory that describes nine vulnerabilities in their LabVIEW product.
NI Advisory #2 - NI published an advisory that describes a relative path traversal vulnerability in their System Web Server.
For more information on these disclosures, including links to third-party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-12-c5d - subscription required.