Showing posts with label Horner. Show all posts

Thursday, April 16, 2026

Review – 4 Advisories Published – 4-16-26

 Today CISA’s NCCIC-ICS published four control systems security advisories for products from AVEVA, Anviz, Horner Automation, and Delta Electronics. 

Advisories  

AVEVA Advisory - This advisory describes a missing authorization vulnerability in the AVEVA Pipeline Simulation product.

Anviz Advisory - This advisory describes 12 vulnerabilities in multiple Anviz time clock products.

Horner Advisory - This advisory describes a weak password requirements vulnerability in the Horner Cscape, XL4, and XL7 PLCs. 

Delta Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Delta ASDA-Soft configuration software. 

For more information on these advisories, including a brief discussion about the missing Siemens advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-4-16-23 - subscription required. 

Thursday, May 8, 2025

Review – 4 Advisories and 1 Update Published – 5-8-25

Today CISA’s NCCIC-ICS published three control system security advisories for products from Mitsubishi Electric, Hitachi Energy, and Horner Automation. They also published a medical device security advisory for products from Pixmeo. Finally, they updated an advisory for products from Hitachi Energy.

Advisories

Mitsubishi Advisory - This advisory describes an improper validation of quantity in input vulnerability in the Mitsubishi CC-Link IE TSN modules.

Hitachi Energy Advisory - This advisory discusses three vulnerabilities in the Hitachi Energy RTU500 series products.

Horner Advisory - This advisory describes an out-of-bounds read vulnerability in the Horner Cscape control system application programming software.

Pixmeo Advisory - This advisory describes three vulnerabilities in the Pixmeo OsiriX MD medical images viewer.

UPDATES

Hitachi Energy Update - This update provides additional information on the RTU500 Series advisory that was originally published on April 3rd, 2025.

 

For more information on these advisories, including links to researcher reports as well as references to earlier discussions about the reported vulnerabilities, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-1-update-published-6e1 - subscription required.

Tuesday, December 10, 2024

Review – 6 Advisories and 1 Update Published – 12-10-24

Today CISA’s NCCIC-ICS published six control-system security advisories for products from Rockwell Automation, Horner Automation, National Instruments, Schneider Electric (2), and MOBATIME. They also updated an advisory for products from Ruijie.

Advisories

Rockwell Advisory - This advisory describes four vulnerabilities in the Rockwell Arena product.

Horner Advisory - This advisory describes two out-of-bounds read vulnerabilities in the Horner Cscape product.

National Instruments Advisory - This advisory describes three out-of-bounds read vulnerabilities in the National Instruments LabVIEW product.

Schneider Advisory #1 - This advisory describes a path traversal vulnerability in the Schneider FoxRTU Station.

Schneider Advisory #2 - This advisory describes three vulnerabilities in the Schneider EcoStruxure Foxboro DCS Core Control Services.

MOBATIME Advisory - This advisory describes a use of default credentials vulnerability in the MOBATIME Network Master Clock - DTS 4801.

Updates

Ruijie Update - This update provides additional information on the Reyee OS advisory that was originally published on December 3rd, 2024.

 

For more information on these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/6-advisories-and-1-update-published-88e - subscription required. 

Thursday, January 11, 2024

Review – 9 Advisories Published – 1-11-24

Today, CISA’s NCCIC-ICS published nine control system security advisories for products from Siemens (6), Schneider, Horner Automation, and Rapid Software. I also take a down-the-rabbit-hole look at ‘missing advisories’ from 2023.

NOTE: Siemens and Schneider published additional advisories and updates earlier this week. I will be covering them this weekend.

Advisories

Solid Edge Advisory - This advisory describes eleven vulnerabilities in the Siemens Solid Edge product.

SIMATIC Advisory #1 - This advisory describes an improper input validation vulnerability in the Siemens SIMATIC IPC series products.

SIMATIC Advisory #2 - This advisory describes three vulnerabilities in the Siemens SIMATIC CN 4100. The vulnerabilities are self-reported.

SICAM Advisory - This advisory describes a use of uninitialized resource vulnerability in the Siemens SICAM A8000.

Spectrum Power 7 Advisory - This advisory describes an incorrect permission assignment for critical resource vulnerability in the Siemens Spectrum Power 7.

Teamcenter Advisory - This advisory describes four vulnerabilities in the Siemens JT2Go and Teamcenter Visualization.

Schneider Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Schneider Easergy Studio.

Horner Advisory - This advisory describes a stack-based buffer overflow vulnerability in the Horner Cscape product.

Rapid Software Advisory - This advisory describes seven vulnerabilities in the Rapid Software Rapid SCADA open-source industrial automation platform.

 

For more information on these advisories, including links to researcher reports, as well as a look at missing advisories from 2023, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/9-advisories-published-1-11-24 - subscription required.

Tuesday, May 23, 2023

Review – 4 Advisories Published – 5-23-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Horner Automation, Mitsubishi Electric, and Hitachi Energy (2).

Advisories

Horner Advisory - This advisory describes ten vulnerabilities in the Horner Cscape product.

Mitsubishi Advisory - This advisory describes a classic buffer overflow vulnerability in the Mitsubishi MELSEC Series CPU module.

Hitachi Energy Advisory #1 - This advisory discusses six vulnerabilities in the Hitachi Energy RTU500 Series.

Hitachi Energy Advisory #2 - This advisory discusses two use after free vulnerabilities in the Hitachi Energy AFS65x, AFS67x, AFR67x and AFF66x series products.

 

For more information on these advisories, including links to 3rd party advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-published-5-23-23 - subscription required.

Thursday, February 9, 2023

Review – 4 Advisories and 2 Updates – 2-9-23

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Horner Automation, Johnson Controls, LS ELECTRIC, and Control By Web. They also updated two advisories for products from ARC and Omron.

Advisories

Horner Advisory - This advisory describes three vulnerabilities in the Horner Cscape Envision RV, a control system remote access management software.

Johnson Controls Advisory - This advisory describes two vulnerabilities in the Johnson Controls Metasys System Configuration Tool.

LS ELECTRIC Advisory - This advisory describes seven vulnerabilities in the LS ELECTRIC XBC-DN32U PLC performance module.

Control By Web Advisory - This advisory describes two vulnerabilities in the Control By Web X-400 and X-600M, web enabled I/O Controllers.

Updates

ARC Update - This update provides additional information on an advisory that was originally published on December 20th, 2022.

NOTE: I briefly discussed ARC’s update on January 28th, 2023.

Omron Update - This update provides additional information on an advisory that was originally published on June 28th, 2022.

 

For more information on these advisories, including links to researcher reports, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/4-advisories-and-2-updates-2-9-23 - subscription required.

Thursday, December 1, 2022

Review – 3 Advisories Published – 12-1-22

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Horner Automation and Mitsubishi Electric. They also published a medical device security advisory for products from BD.

Horner Advisory - This advisory describes three vulnerabilities in the Horner Remote Compact Controller (RCC) 972.

Mitsubishi Advisory - This advisory describes an improper input validation vulnerability in the Mitsubishi MELSEC iQ-R Series products.

BD Advisory - This advisory describes a missing protection mechanism for alternate hardware interface vulnerability in the BD BodyGuard Pumps.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/3-advisories-published-12-1-22 - subscription required.


Tuesday, October 4, 2022

Review – 5 Advisories Published – 10-4-22

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Johnson Controls, Hitachi Energy, Horner Automation, and Omron. They also published a medical device advisory for products from BD.

Johnson Controls Advisory - This advisory describes an improper authentication vulnerability in the Johnson Controls Metasys ADX Server.

Hitachi Energy Advisory - This advisory describes two vulnerabilities in the Hitachi Energy Modular Switchgear Monitoring product.

NOTE: I briefly discussed these vulnerabilities on July 16th, 2022.

Horner Advisory - This advisory describes two vulnerabilities in the Horner Cscape PLC control software.

Omron Advisory - This advisory describes three separate out-of-bounds write vulnerabilities in the Omron CX-Programmer.

BD Advisory - This advisory describes a use of hard-coded credentials vulnerability in the BD Totalys MultiProcessor.

NOTE: The BD advisory notes that they have reported this vulnerability to the FDA, but there is nothing on the FDA cybersecurity web site about the vulnerability, probably because the vulnerability only affects patient information.

 

For more details about these advisories, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-published-10-4-22 - subscription required.


Thursday, May 26, 2022

Review – 2 Advisories Published – 5-26-22

Today, CISA’s NCCIC-ICS published two control system security advisories for products from Horner Automation and Keysight Technologies.

Horner Advisory - This advisory describes four vulnerabilities in the Horner Cscape PLC management software.

Keysight Advisory - This advisory describes two vulnerabilities in the Keysight N6854A Geolocation server and N6841A RF Sensor software.

 

For more details on these advisories, including a new ‘Down the Rabbit Hole’ feature looking at the cybersecurity support on the Keysight website, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-published-5-26-22 - subscription required.

 

Tuesday, December 21, 2021

Review - 5 Advisories and 1 Update Published – 12-21-21

Today, CISA’s NCCIC-ICS published four control system security advisories for products from Emerson, WECON, Horner Automation, and mySCADA. They published one medical device security advisory for products from Fresenius Kabi. They also updated a control system security advisory from Schneider.

Emerson Advisory - This advisory describes two vulnerabilities in the Emerson DeltaV distributed control system.

WECON Advisory - This advisory describes two vulnerabilities in the WECON LeviStudioU HMI programming software.

Horner Advisory - This advisory describes an improper input validation vulnerability in the Horner Cscape EnvisionRV remote viewing software.

mySCADA Advisory - This advisory describes eight vulnerabilities in the mySCADA myPRO HMI/SCADA.

Fresenius Advisory -  This medical device advisory describes thirteen vulnerabilities in the Fresenius Kabi Agilia Connect Infusion System.

Schneider Update - This update provides additional information on an advisory that was originally published on December 14th, 2021.

For more details about these advisories, including an exploit link, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/5-advisories-and-1-update-published - subscription required.

Thursday, August 12, 2021

Review - 2 Advisories and 1 Update Published – 8-12-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Horner Automation and Cognex. They also updated an advisory for products from Sensormatic Electronics (Johnson Controls).

Horner Advisory - This advisory describes three vulnerabilities in the Horner Cscape control system application programming software.

Cognex Advisory - This advisory describes a deserialization of untrusted data vulnerability in the Cognex In-Sight OPC Server.

Sensormatic Update - This update provides additional information on an advisory that was originally reported on July 1st, 2021.

For more details on the advisories, including links to reporting researchers, see CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/2-advisories-and-1-update-published-1ae - subscription required.

Thursday, April 22, 2021

2 Advisories Published – 4-22-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Horner Automation.

Mitsubishi Advisory

This advisory describes an improper authentication vulnerability in the Mitsubishi GOT products. The vulnerability is self-reported. Mitsubishi provides generic mitigation measures pending development of an updated version.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to gain unauthorized access.

Horner Advisory

This advisory describes two vulnerabilities in the Horner Automation Cscape control system application programming software. The vulnerabilities were reported by Sharon Brizinov of Claroty. Horner has a new version that mitigates the vulnerability. There is no indication that Brizinov has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper input validation - CVE-2021-22678, and

• Improper access control - CVE-2021-22682

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to allow code execution in the context of the current process or locally escalate privileges.

Thursday, February 4, 2021

2 Advisories and 1 Update Published – 2-4-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Horner Automation and Luxion. They also updated an advisory for products from WAGO.

Horner Advisory

This advisory describes an out-of-bounds read vulnerability in the Horner Cscape control system application programming software. The vulnerability was reported by Francis Provencher via the Zero Day Initiative. Horner has a new version that mitigates the vulnerability. There is no indication that Provencher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow code execution in the context of the current process.

Luxion Advisory

This advisory describes five vulnerabilities in the Luxion KeyShot 3D rendering and animation software. The vulnerabilities were reported by rgod via ZDI. Luxion has an update that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Out-of-bounds write - CVE-2021-22647,

• Out-of-bounds read - CVE-2021-22643,

• Insufficient UI warning of dangerous operation - CVE-2021-22645,

• Untrusted pointer dereference - CVE-2021-22649, and

• Path traversal - CVE-2021-22651

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to allow arbitrary code execution, the storing of arbitrary scripts into automatic startup folders, and the attacking of products without sufficient UI warning.

WAGO Update

This update provides additional information for an advisory that was originally published on January 21st, 2011. The new information includes:

• Adding Weidmüller as an affected vendor,

• Re-writes vulnerability description to expand effect beyond just RTIS products, and

• Added links to Emerson and Weidmüller advisories.

NOTE 1: I reported on the Weidmüller advisory on January 23rd.

NOTE 2: The Rockwell advisory about which I reported on January 30th is still missing from the list of affected vendors.

Tuesday, February 19, 2019

Four advisories Published – 02-19-19


Today the DHS NCCIC published four control system security advisories for products from Rockwell Automation, Horner Automation, Delta Industrial and Intel.

Rockwell Advisory


This advisory describes two vulnerabilities in the Rockwell Allen-Bradley PowerMonitor 1000. This vulnerability was reported by Luca Chiou of ACSI. Rockwell is working on mitigation measures. CheckPoint Software Technologies has released IPS rules to detect attempts to exploit CVE-2019-19615.

The two reported vulnerabilities are:

• Cross-site scripting - CVE-2019-19615; and
• Authentication bypass using alternate path or channel - CVE-2019-19616

NCCIC-ICS reports that a relatively low-skilled attacker could use publicly available exploits (here and here) to remotely exploit these vulnerabilities to affect the confidentiality, integrity, and availability of the device.

NOTE: I discussed these vulnerabilities last Saturday.

Horner Advisory


This advisory describes an improper input validation vulnerability in the Horner Cscape control system application programming software. The vulnerability was reported by ‘anonymous’ via the Zero Day Initiative (ZDI). Horner has a new version that mitigates the vulnerability. There is no indication that anonymous has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed, which may allow the attacker to read confidential information and remotely execute arbitrary code.

Delta Advisory


This advisory describes an out-of-bounds read vulnerability in the Delta Industrial Automation CNCSoft. The vulnerability was reported by Natnael Samson (@NattiSamson) via ZDI. Delta has an updated version that mitigates the vulnerability. There is no indication that Samson was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to cause a buffer overflow condition that may allow information disclosure or crash the application.

Intel Advisory


This advisory describes eleven vulnerabilities in the Intel Data Center Manager SDK. The vulnerability was reported by Intel’s Product Security Incident Response Team. Intel has a new version that mitigates the vulnerability.

The eleven reported vulnerabilities are:

• Improper authentication - CVE-2019-0102;
• Protection mechanism failure (4) - CVE-2019-0103, CVE-2019-0104, CVE-2019-0106, and CVE-2019-0107;
• Permission issues (4) - CVE-2019-0105, CVE-2019-0108, CVE-2019-0109, and CVE-2019-0111;
• Key management issues - CVE-2019-0110; and
• Insufficient control flow management - CVE-2019-0112

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow escalation of privilege, denial of service, or information disclosure.

Friday, December 21, 2018

Three Advisories and One Update Published – 12-20-18


Yesterday the DHS NCCIC-ICS published three control system security advisories for products from Rockwell Automation, Schneider Electric and Horner Automation. They also published an update for a previously published advisory for products from OMRON. The Rockwell advisory was originally posted to the HSIN ICS-CERT library on November 27, 2018.

Rockwell Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Rockwell FactoryTalk Services Platform. The vulnerability was reported by Andrey Zhukov. Rockwell has a new version that mitigates the vulnerability. There is no indication that Zhukov has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to diminish communications or cause a complete denial of service to the device.

Schneider Advisory


This advisory describes an open redirect vulnerability in the Schneider EcoStruxure. The vulnerability was reported by Donato Onofri of Business Integration Partners S.p.A. Schneider has new versions that mitigate the vulnerability. There is no indication that Onofri has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to use this device as a platform to conduct a phishing attack.

Horner Advisory


This advisory describes an improper input validation vulnerability in the Horner Cscape programming software. The vulnerability was reported by rgod and mdm of 9SG Security Team via the Zero Day Initiative. Horner has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to crash the device being accessed, allow the attacker to read confidential information, and may allow an attacker to remotely execute arbitrary code.

OMRON Update


This update provides new information on an advisory that was originally published on March 13th, 2018. The new information includes:

• Revision of advisory format;
• Added Esteban Ruiz (mr_me) of Source Incite as an additional vulnerability reporting source; and
• Added new affected versions.

 