This was a moderately busy disclosure week. For Part 1 we have bulk vendor disclosures from HPE (6). We have 12 additional vendor disclosures from Arista, Broadcom (2), B&R Automation, Dassault Systems (4), Hitachi, HP, Philips, and Sick.
Bulk Vendor Disclosures – HPE
• HPESBNW04983 rev.1 - HPE Telco Service Orchestrator software, Prototype Pollution Vulnerability
• HPESBNW05011 rev.1 - Telco Service Activator, Improper Input Validation
Advisories
Arista Advisory - Arista published an advisory that describes an operation on a resource after expiration or release vulnerability on multiple platforms running their EOS software.
Broadcom Advisory #1 - Broadcom published an advisory that discusses an improper neutralization of a NULL byte or NUL character vulnerability in their Brocade SANnav base OS.
Broadcom Advisory #2 - Broadcom published an advisory that discusses an out-of-bounds write vulnerability in their Brocade SANnav OVA products.
B&R Advisory - B&R published an advisory that discusses 25 vulnerabilities in their Automation Studio product.
Dassault Advisory #1 - Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIAvpm Web Access product.
Dassault Advisory #2 - Dassault published an advisory that describes an out-of-bounds write vulnerability in their EPRT file reading procedure in SOLIDWORKS eDrawings.
Dassault Advisory #3 - Dassault published an advisory that describes an out-of-bounds read vulnerability in their EPRT file reading procedure in SOLIDWORKS eDrawings.
Dassault Advisory #4 - Dassault published an advisory that describes a use of uninitialized variable in their EPRT file reading procedure in SOLIDWORKS eDrawings.
Hitachi Advisory - Hitachi published an advisory that discusses 72 vulnerabilities in their Disk Array Systems. These are third-party (Microsoft) vulnerabilities.
HP Advisory - HP published an advisory that describes an exposure of sensitive information to an unauthorized actor vulnerability in their Samsung MultiXpress Multifunction Printers.
Philips Advisory - Philips published an advisory that discusses a Google Chrome use after free vulnerability.
Sick Advisory - Sick published an advisory that discusses two Eclipse Cyclone DDS vulnerabilities.