2 Advisories Published – 7-31-25
Today CISA’s NCCIC-ICS published two control system security advisories for products from Rockwell Automation and Güralp. I also include a look at the availability of advisories from Rockwell.
Rockwell Advisory
This advisory discusses four vulnerabilities in the Rockwell Lifecycle Services with VMware. These are third-party (VMware) vulnerabilities. Rockwell has mitigation measures that fix the vulnerabilities for customers that have Infrastructure Managed Service contracts, and recommends that all others follow the Broadcom advisory recommendations.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities, leading to code execution on the host or leakage of memory from processes communicating with vSockets.
NOTE: I briefly discussed these vulnerabilities on July 20th, 2025.
Güralp Advisory
This advisory describes a missing authentication for critical function vulnerability in the Güralp FMUS Series Seismic Monitoring Devices. The vulnerability was reported to CISA by Souvik Kandar of MicroSec. CISA notes that “Güralp did not respond to CISA's attempts at coordination.”
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to modify hardware configurations, manipulate data, or factory reset the device.
DTRH – Rockwell Advisories
The Rockwell advisory above provides the following information for access to the advisory published by Rockwell:
“For more information refer to Rockwell Automation's security advisory.”
That link took me to a Rockwell page that provides the following message:
“Login Required to View Full Answer Content”
While I am encountering more of these restrictions on the availability of advisories, I had seen the advisory just a couple of weeks ago, so I checked the link I have for the latest list of Rockwell advisories, and it still works without having to go through the registration process.
Now, Rockwell used to restrict (barely; anyone could register, even me) advisory access to registered visitors, but that changed on January 30th, 2024. And recently Rockwell even started adding the publication dates for their advisories and updates. My only problem with the page is that you have to have JAVA enabled to get full access to the “MORE DETAILS” pull-down to see:
CVSS (v3.1 and v4.0),
A KEV binary note (yes, no),
A Corrected binary note (yes, no), and
A Mitigation binary note (yes, no)
All of those data points are, of course, available in the advisory.