This week we have 11 vendor disclosures from Broadcom, HP, HPE (3), Inaba Denki Sangyo, Moxa, Phoenix Contact, and Western Digital (3). There are three vendor updates from Cisco, HPE, and Mitsubishi. There are also four researcher reports about vulnerabilities in products from Grassroot (3) and Sante. Finally, we have an exploit for products from Ilevia.
Advisories
Broadcom Advisory - Broadcom published an advisory that discusses the Meta RSC vulnerability that is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog.
HP Advisory - HP published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Poly Video product line.
HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities (one with publicly available exploits) in their Unified OSS Console Assurance Monitoring product.
HPE Advisory #2 - HPE published an advisory that discusses three vulnerabilities (one with publicly available exploits) in their Telco Service Activator products.
HPE Advisory #3 - HPE published an advisory that describes a code injection vulnerability in their OneView software.
Inaba Advisory - JP-CERT published an advisory that describes three vulnerabilities in the Inaba CHOCO TEI WATCHER mini.
Moxa Advisory - Moxa published an advisory that describes a weak SSH algorithms supported vulnerability in their EDS-510E Series products.
Phoenix Contact Advisory - Phoenix Contact published an advisory that describes 15 vulnerabilities in their FL SWITCH 2xxx family.
Western Digital Advisory #1 - Western Digital published an advisory that discusses a detection of error condition without action vulnerability in their My Cloud OS 5 product.
Western Digital Advisory #2 - Western Digital published an advisory that describes a DLL hijacking vulnerability in their WD Discovery product.
Western Digital Advisory #3 - Western Digital published an advisory that discusses a detection of error condition without action vulnerability in their My Cloud Home and My Cloud Home Duo products.
Updates
Cisco Update - Cisco published an update for their REACT server advisory that was originally published on December 4th, 2025, and most recently updated on December 11th, 2025.
HPE Update - HPE published an update for their Compute Scale-up Server 3200 Platform advisory that was originally published on October 13, 2025.
Mitsubishi Update - Mitsubishi published an update for their MELSOFT Update Manager advisory that was originally published on July 3rd, 2025.
Researcher Reports
Grassroot Reports - Cisco Talos published three reports describing four vulnerabilities in the Grassroots DICOM product.
Sante Report - The Zero Day Initiative published a report describing a NULL pointer dereference vulnerability in the Sante PACS server.
Exploits
Ilevia Exploit - Indoushka published an exploit for an OS command injection vulnerability in the Ilevia EVE X1 Server.