1 Advisory Published – 1-6-26
Today CISA’s NCCIC-ICS published one control system security advisory for products from Columbia Weather Systems. I also take a brief look at a website issue with CISA’s advisories.
Columbia Weather Systems Advisory
This advisory describes three vulnerabilities in the Columbia Weather MicroServer. The vulnerabilities were self-reported. Columbia has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Improper restriction of communications channel to intended endpoints - CVE-2025-61939,
Cleartext storage in a file or on a disk - CVE-2025-64305, and
Command shell in externally accessible directory - CVE-2025-66620
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow an attacker to redirect connections to an attacker-controlled device, gain admin access to the web portal, or gain limited shell access.
New Year Errors
New calendar years can bring problems with data reporting. One such problem arose today on CISA’s website where these advisories are reported. Typically, when I start to write these posts, I go to CISA’s Cybersecurity-Advisories page. I went there this afternoon, and the latest announcement was for the two advisories published on December 30th, 2025. I knew that I had seen an email announcement of a new advisory today on my phone, so I went to my email program and, sure enough, there was an email from CISA about this advisory. I clicked on the link that would normally take me to the announcement about the advisory, but instead it took me directly to the advisory.
After I wrote the above report about the advisory, I went back to figure out why the behavior of the web site had changed. I went back to the ‘Cybersecurity-Advisories’ page. I started playing with the various filter selections on the left side of the screen. When I got down to the ‘Release Year’ filter, it had selection boxes for the years 2004 through 2025. The important missing year was ‘2026’. Since none of the boxes were checked and the page showed the latest results from 2025, the missing ‘2026’ block is probably not the proximate cause of the missing advisory notice. It would seem to indicate, however, that someone had not updated the backend system to reflect the arrival of 2026.
This is not a major problem; today’s advisory was on CISA’s website, and it was relatively easy to get to. So no major disruption occurred. It is an example of the type of software issue that crops up from time to time: original assumptions do not keep up with future changes.