Showing posts with label KeyShot. Show all posts

Saturday, March 22, 2025

Review – Public ICS Disclosures – Week of 3-15-25

This week we have 24 vendor disclosures from CODESYS (3), Dassault Systèmes (13), Fuji Soft, Helmholtz, HPE (2), MB Connect, Philips (2), and QNAP. There are also six vendor updates from Dell, FortiGuard (3), HP, and HPE. Finally, there are three researcher reports for vulnerabilities in products from Luxion and National Instruments (2).

Advisories

CODESYS Advisory #1 - CODESYS published an advisory that describes an observable discrepancy vulnerability in their CODESYS Runtime Toolkit.

CODESYS Advisory #2 - CODESYS published an advisory that describes a path traversal vulnerability in multiple CODESYS products.

CODESYS Advisory #3 - CODESYS published an advisory that describes an insecure initialization of resource vulnerability in Edge Gateway for Windows and Gateway for Windows products.

Dassault Advisories - Dassault Systèmes published 13 advisories that describe stored cross-site scripting vulnerabilities in multiple products. These advisories are only available to registered customers.

Fuji Soft Advisory - JP-CERT published an advisory that describes two OS command injection vulnerabilities in the Fuji F FS010M router.

Helmholtz Advisory - CERT-VDE published an advisory that describes two vulnerabilities in the Helmholtz myREX24 and myREX24.virtual products.

HPE Advisory #1 - HPE published an advisory that describes three vulnerabilities in the HPE Aruba Networking AOS-CX product.

HPE Advisory #2 - HPE published an advisory that discusses six vulnerabilities (two with publicly available exploits) in their Telco Service Activator.

MB Connect Advisory - CERT-VDE published an advisory that describes two vulnerabilities in multiple MB Connect products.

Philips Advisory #1 - Philips published an advisory that discusses an Apache Tomcat vulnerability.

Philips Advisory #2 - Philips published an advisory that discusses three VMware vulnerabilities.

QNAP Advisory - QNAP published an advisory that discusses an absolute path traversal vulnerability (listed in CISA’s KEV catalog) in the NAKIVO Backup & Replication application.

Updates

Dell Update - Dell published an update for their ThinOS advisory that was originally published on March 4th, 2025.

FortiGuard Update #1 - FortiGuard published an update for their csfd daemon advisory that was originally published on January 14th, 2025, and most recently updated on January 16th, 2025.

FortiGuard Update #2 - FortiGuard published an update for their RADIUS Protocol advisory that was originally published on August 13th, 2024, and most recently updated on March 6th, 2025.

FortiGuard Update #3 - FortiGuard published an update for their permission escalation advisory that was originally published on February 11th, 2025.

HP Update - HP published an update for their LaserJet Pro advisory that was originally published on February 14th, 2025, and most recently updated on March 14th, 2025.

HPE Update - HPE published an update for their Cray XD670 Server advisory that was originally published on March 11th, 2025.

Researcher Reports

Luxion Reports - ZDI published three reports about vulnerabilities in the Luxion KeyShot product.

National Instruments Report #1 - ZDI published a report that describes a path traversal vulnerability in the NI FlexLogger.

National Instruments Report #2 - ZDI published a report that describes a product UI does not warn user of unsafe actions vulnerability in the NI Vision Builder AI.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-daf - subscription required.

Saturday, March 15, 2025

Review – Public ICS Disclosures – Week of 3-8-25 – Part 1

This week we have 26 vendor disclosures from ABB, FortiGuard (9), HP (3), HPE (5), KeyShot, Palo Alto Networks (6), and Schneider. More in Part 2, but no Part 3 this month.

Advisories

ABB Advisory - ABB published an advisory that discusses a prototype pollution vulnerability (with publicly available exploit) in their RMC-100 with REST interface.

FortiGuard Advisory #1 - FortiGuard published an advisory that describes an SQL injection vulnerability in their FortiAnalyzer, FortiManager, and FortiAnalyzer-BigData products.

FortiGuard Advisory #2 - FortiGuard published an advisory that describes a client-side enforcement of server-side security vulnerability in their FortiSandbox product.

FortiGuard Advisory #3 - FortiGuard published an advisory that describes an incorrect authorization vulnerability in their FortiSandbox product.

FortiGuard Advisory #4 - FortiGuard published an advisory that describes a use of externally-controlled format string vulnerability (with publicly available exploit) in multiple FortiGuard products.

FortiGuard Advisory #5 - FortiGuard published an advisory that describes an OS command injection vulnerability in their FortiSandbox product.

FortiGuard Advisory #6 - FortiGuard published an advisory that describes an OS command injection vulnerability in their FortiManager CLI.

FortiGuard Advisory #7 - FortiGuard published an advisory that describes an OS command injection vulnerability in their FortiSandbox product.

FortiGuard Advisory #8 - FortiGuard published an advisory that describes the use of a hard-coded cryptographic key vulnerability in their FortiSandbox product.

FortiGuard Advisory #9 - FortiGuard published an advisory that describes an SQL injection vulnerability in their FortiSandbox product.

HP Advisory #1 - HP published an advisory that discusses seven vulnerabilities in multiple HP products.

HP Advisory #2 - HP published an advisory that discusses eleven vulnerabilities in multiple HP products.

HP Advisory #3 - HP published an advisory that discusses three vulnerabilities in multiple HP products.

HPE Advisory #1 - HPE published an advisory that discusses two vulnerabilities (one with publicly available exploit) in their ProLiant DL/XL Servers.

HPE Advisory #2 - HPE published an advisory that discusses two vulnerabilities in their ProLiant DX Servers.

HPE Advisory #3 - HPE published an advisory that describes an authentication bypass vulnerability in their Cray XD670 Server.

HPE Advisory #4 - HPE published an advisory that discusses two vulnerabilities (one with publicly available exploits) in their Cray Servers.

HPE Advisory #5 - HPE published an advisory that discusses an improper input validation vulnerability in their Cray Servers.

KeyShot Advisory - KeyShot published an advisory that describes three vulnerabilities in their Studio product.

Palo Alto Networks Advisory #1 - Palo Alto Networks published an advisory that describes an exposed unsafe ActiveX method vulnerability in their GlobalProtect App.

Palo Alto Networks Advisory #2 - Palo Alto Networks published an advisory that describes a reliance on untrusted inputs in a security decision vulnerability in their GlobalProtect App.

Palo Alto Networks Advisory #3 - Palo Alto Networks published an advisory that describes an improper check for unusual or exceptional conditions vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #4 - Palo Alto Networks published an advisory that describes an improper resolution of path equivalence vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #5 - Palo Alto Networks published an advisory that describes an uncontrolled resource consumption vulnerability in their PAN-OS product.

Palo Alto Networks Advisory #6 - Palo Alto Networks published an advisory that discusses 16 vulnerabilities in their Prisma Access Browser.

Schneider Advisory #1 - Schneider published an advisory that describes an insertion of sensitive information into a log file vulnerability in their EcoStruxure Panel Server.

Schneider Advisory #2 - Schneider published an advisory that describes an improper authentication vulnerability in their EcoStruxure™ Power Automation System User Interface products.

Schneider Advisory #3 - Schneider published an advisory that describes an insecure default initialization of a resource vulnerability in their EcoStruxure Power Automation System User Interface and EcoStruxure Microgrid Operation Large products.

 

For more information on these disclosures, including links to 3rd party advisories, researcher reports, and exploits, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/public-ics-disclosures-week-of-3-90e - subscription required.

Tuesday, May 25, 2021

2 Advisories Published – 5-25-21

Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell Automation and Datakit Libraries.

Rockwell Advisory

This advisory describes a channel accessible by non-endpoint vulnerability in the Rockwell Micro800 and MicroLogix 1400 controllers. The vulnerability was reported by Hyunguk Yoo from The University of New Orleans, as well as Adeen Ayub and Irfan Ahmed from Virginia Commonwealth University. Rockwell provides generic workarounds for the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker can remotely exploit the vulnerability, which may result in denial-of-service conditions that may require a firmware flash to recover.

NOTE: The Rockwell advisory recommends blocking or restricting access to TCP and UDP Port# 44818 and Port# 2222 using proper network infrastructure controls, such as firewalls, UTM devices, or other security appliances. This is not mentioned in the NCCIC-ICS guidance.

DataKit Advisory

This advisory describes five vulnerabilities in the DataKit Software libraries embedded in Luxion KeyShot software. The vulnerabilities were reported by rgod via the Zero Day Initiative. DataKit has a new version that mitigates the vulnerabilities and Luxion has a new version that contains the new DataKit version.

The five reported vulnerabilities are:

• Out-of-bounds write - CVE-2021-27488,

• Improper restrictions on XML external entity reference - CVE-2021-27492,

• Stack-based buffer overflow - CVE-2021-27494,

• Untrusted pointer dereference - CVE-2021-27496, and

• Out-of-bounds read - CVE-2021-27490

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities, leading to execution of arbitrary code and disclosure of arbitrary files to unauthorized actors.

 