1 Advisory and 1 Update Published – 10-7-25
Today CISA’s NCCIC-ICS published a control system security advisory for products from Delta Electronics. They also updated an advisory for products from Rockwell Automation. I also take a down-the-rabbit-hole look at discrepancies in the Rockwell update.
Delta Advisory
This advisory describes four out-of-bounds write vulnerabilities in the Delta DIAScreen product. The vulnerabilities were reported by Natnael Samson via the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to write data outside of the allocated memory buffer.
Rockwell Update
This update provides additional information on the 1756-EN4TR advisory that was originally published on August 14th, 2025, and most recently updated on September 9th, 2025. The new information includes removing an affected product and amending the title.
DTRH Rockwell Advisory
Looking at today’s update for the Rockwell Advisory, I went back and reviewed my blog post for the previous update published on September 9th, 2025. In that post I reported, implying that CISA was correcting a mistake in their original advisory, that:
“NOTE: Rockwell has not updated their advisory and the affected versions in that advisory match this CISA update.”
I went back to that Rockwell advisory and it still notes (see figure below) that the version on their website is still the initial version published on August 13th, 2025.
Looking down that advisory, it lists two affected products: 1756-EN4TR, and 1756-EN4TRXT. Those are the same two products listed in today’s revised CISA advisory. Looking back at the earlier version of the CISA advisory (from my records) it appears that CISA removed 1756-ENT2R from the list of affected products.
It seemed odd to me that CISA made two separate sets of mistakes on their original advisory and took two updates to correct the mistakes. So, I went back and reviewed the entirety of the Rockwell Advisory. And there, about ¾ of the way down the web page, is the revision history.
That history is not correct; the initial publication date should have been August 13th, 2025, with the first revision being dated September 9th, 2025; changing version numbers. The last revision listed should have been listed as Revision 3.0.
In any case, the problem looks to be with the management of change documentation in the Rockwell advisory, not a mistake in the original CISA advisory.

