
Thursday, April 23, 2026

Review – 6 Advisories and 1 Update Published – 4-23-26

Today CISA’s NCCIC-ICS published six control system security advisories for products from Intrado, Hangzhou Xiongmai Technology Co, SpiceJet, Milesight, Carlson Software, and YADEA. There is also an update for an advisory for products from Schneider Electric. I also take a down-the-rabbit-hole look at a second Hangzhou vulnerability.

Advisories  

Intrado Advisory - This advisory describes a path traversal vulnerability in the Intrado 911 Emergency Gateway.

Hangzhou Advisory - This advisory describes a missing authentication for critical function vulnerability in the Hangzhou Xiongmai Technology Co., Ltd XM530 IP Camera.

SpiceJet Advisory - This advisory describes two vulnerabilities in the SpiceJet Online Booking System. 

Milesight Advisory - This advisory describes five vulnerabilities in multiple Milesight Cameras. 

Carlson Advisory - This advisory describes a missing authentication for critical function vulnerability in the Carlson Software VASCO-B GNSS Receiver.

Yadea Advisory - This advisory describes a weak authentication vulnerability in the Yadea T5 Electric Bicycle.

Updates  

Schneider Update - This update provides additional information on the Modicon Controllers advisory that was originally published on April 23rd, 2026. 


For more information on these advisories, including a down-the-rabbit-hole look at an additional Hangzhou vulnerability, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-1-update-published-6ff - subscription required.

Saturday, October 13, 2018

Public ICS Disclosures – Week of 10-06-18


This week there was a vendor vulnerability disclosure from Siemens. There were also four exploits published for products from Delta Industrial, WAGO, and Phoenix Contact (2). I am also going to take a quick look at some additional information on an NCCIC-ICS advisory for the Hangzhou XMeye P2P Cloud Server published this week.

Siemens Advisory


Siemens published an advisory on Foreshadow and L1 Terminal Fault (L1TF) in their industrial product line. These are another pair of speculative execution attack vulnerabilities based on the processors used in the affected devices. More details on the generic vulnerabilities can be found here. Siemens has some BIOS updates available to mitigate the vulnerabilities (three separate CVEs involved) and has provided workarounds for other products.

This advisory was published in the same batch that was covered extensively by NCCIC-ICS on Tuesday. I have no idea why this was not included unless NCCIC-ICS is lumping these new vulnerabilities in with the Spectre and Meltdown problem. Even if that is the case, this would then have deserved an update to their alert on those issues.

Delta Industrial Exploit


A Metasploit module was published for a previously identified stack-based buffer overflow vulnerability in the Delta Industrial COMMGR software.

WAGO Exploit


SecuNinja published an exploit for a cross-site scripting vulnerability in the WAGO 750-881 Ethernet controller. There is no CVE number provided, so it is possible that this is a 0-day vulnerability being exploited.

Phoenix Contact Exploit


Photubias published two exploits for previously identified vulnerabilities in the Phoenix Contact ILC PLC via their WebVisit HMI page.

The three reported vulnerabilities covered in these exploits are:

• Cleartext storage of sensitive information - CVE-2016-8366;
• Authentication bypass issues - CVE-2016-8371; and
• Access to critical private variable via public method - CVE-2016-8380.

Hangzhou Advisory


Earlier this week NCCIC-ICS published their advisory for three vulnerabilities in the Hangzhou XMeye P2P Cloud Server. As is typical for these advisories, NCCIC-ICS provided summary data on the issue. Since Hangzhou effectively did not respond to the coordination efforts of NCCIC-ICS, there was no vendor information provided in the advisory. While NCCIC-ICS did acknowledge the vulnerability reporting effort of SEC Consult, they did not (as is their apparent policy) provide any link to the reporting organization’s information on the vulnerabilities.

Generally speaking, this policy of not linking to supporting documentation from researchers is a mistake and, in this instance, it does a gross disservice to the affected community by severely understating the potential problems associated with the affected devices. In particular, it fails to explain that the vulnerabilities affect a large number of vendors that rebrand and sell the affected Hangzhou DVR products.

SEC Consult published an advisory on the vulnerabilities as well as a lengthy blog post. Brian Krebs also did a lengthy blog post on the topic.

Wednesday, October 10, 2018

7 Advisories and 7 Updates Published


Yesterday the DHS NCCIC-ICS published seven control system security advisories for products from Fuji Electric, Hangzhou Xiongmai Technology Co, Siemens (4) and GE. They also updated seven previously issued advisories for products from Siemens.

Fuji Advisory


This advisory describes an uncontrolled search path element vulnerability in the Fuji Electric Energy Savings Estimator. The vulnerability was reported by Karn Ganeshen. Fuji has released an update that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to allow an attacker to load a malicious DLL and execute code on the affected system with the same privileges as the application that loaded the malicious DLL.

Hangzhou Advisory


This advisory describes three vulnerabilities in the Hangzhou XMeye P2P Cloud Server. The vulnerabilities were reported by Stefan Viehböck of SEC Consult Vulnerability Lab. Hangzhou has not provided mitigations for these vulnerabilities.

The three reported vulnerabilities are:

• Predictable from observable state - CVE-2018-17917;
• Hidden functionality - CVE-2018-17919; and
• Missing encryption of sensitive data - CVE-2018-17915.

NCCIC-ICS reports that a relatively low-skilled attacker with remote access could use a publicly available exploit to exploit these vulnerabilities to allow unauthorized access to video feeds with the potential to modify settings, replace firmware, and/or execute code.

SIMATIC S7-1500 Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIMATIC S7-1500, SIMATIC S7-1500 Software Controller and SIMATIC ET 200SP Open Controller. The vulnerability was reported by Marcin Dudek, Jacek Gajewski, Kinga Staszkiewicz, Jakub Suchorab, and Joanna Walkiewicz from National Centre for Nuclear Research Poland. Siemens has updates to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a denial-of-service condition on the network stack.

SIMATIC S7-1200 Advisory


This advisory describes a cross-site request forgery vulnerability in the Siemens SIMATIC S7-1200 CPU Family Version 4. The vulnerability was reported by Lisa Fournet and Marl Joos from P3 communications GmbH. Siemens has a firmware update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow a CSRF attack if an unsuspecting user is tricked into accessing a malicious link.

ROX II Advisory


This advisory describes two improper privilege management vulnerabilities in the Siemens ROX II. The vulnerabilities were reported by Gerard Harney from NCC Group (reported in Siemens advisory not NCCIC-ICS). Siemens has a new version that mitigates the vulnerabilities. There is no indication that Harney has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow valid users to escalate their privileges and execute arbitrary commands.

SCALANCE Advisory


This advisory describes a cryptographic issues vulnerability in the Siemens SCALANCE W1750D. The vulnerability is fully described on the Return of Bleichenbacher's Oracle Threat (ROBOT) web site. Siemens is self-reporting the vulnerability. Siemens has a firmware update that mitigates the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability using publicly available exploits to allow an attacker to decrypt TLS traffic.

NOTE: I suspect that other ICS devices using TLS services could face similar TLS ROBOT problems. Too bad NCCIC-ICS has not done an alert on this issue. Then again, does NCCIC-ICS do alerts?

GE Advisory


This advisory describes an unsafe ActiveX control marked safe for scripting vulnerability in the GE Gigasoft component of iFIX. The vulnerability was reported by LiMingzheng of 360 aegis security team. Recent versions of iFIX mitigate the vulnerability. There is no indication that LiMingzheng has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a buffer overflow condition.

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, November 28th, 2017, February 27th, 2018, May 3rd, 2018, May 15th, 2018, and most recently on September 11th, 2018. The new information includes revised affected versions data and mitigation measures for SIMATIC S7-1200 CPU.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 20th, 2018. The new information includes revised affected versions data and mitigation measures for SINUMERIK 828D.

SIMATIC PCS7 Update


This update provides additional information on an advisory that was originally published on November 2nd, 2018 and updated on June 12th, 2018. The new information includes revised affected versions data and mitigation measures for:

• OpenPCS 7 V8.1; and
• SIMATIC WinCC Runtime Professional V13

SIMATIC WinCC Update


This update provides additional information on an advisory that was originally published on April 19th, 2018. The new information includes revised affected versions data and mitigation measures for WinCC OA Operator App.

SINAMICS Update


This update provides additional information on an advisory that was originally published on May 8th, 2018. The new information includes revised affected versions data and mitigation measures for SINAMICS GM150 V4.7 w. PROFINET.

SIMATIC Step7 Update


This update provides additional information on an advisory that was originally published on August 14th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SIMATIC STEP 7 (TIA Portal); and
• WinCC (TIA Portal) V13

OpenSSL Update


This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018. The new information includes revised affected versions data and mitigation measures for:

• SIMATIC S7-1200 CPU;
• SIMATIC STEP 7 (TIA Portal) V13; and
• SIMATIC WinCC (TIA Portal) V13
