Today CISA’s NCCIC-ICS published updates for two control system security advisories for products from Trimble and 2N. I also take a down-the-rabbit-hole look at the Trimble vulnerability.
Trimble Update
This update provides additional information on the Cityworks advisory that was originally published on February 6th, 2025. The new information includes updating the critical infrastructure sectors.
2N Update
This update provides additional information on the Access Commander advisory that was originally published on November 14th, 2024. The new information includes adding new vulnerability {use of hard-coded cryptographic key - CVE-2024-47256 (2N advisory link)}, affected products, and updating mitigations.
NOTE: The link to the original 2N advisory (https://www.2n.com/pl-PL/download/Access-Commander-Security-Advisory-2024-11) is no longer working; it returns a 404 error message.
DTRH – Trimble Advisory
Both the CISA update and the original Trimble advisory make the following comment:
“Trimble will be releasing updated versions to both 15.x (15.8.9 available January 28, 2025) and Cityworks 23.x software releases (23.10 available January 29, 2025).”
It is unclear whether the new versions have been made available, since both documents were published eight days after the referenced ‘available’ dates. The data on the currently available version is held behind a registered user login.
On Friday, February 7th, CISA added this vulnerability to the KEV catalog; this is not mentioned in today’s update. They also published a separate ‘Alert’ on the Trimble vulnerability. That alert and the original version of this advisory reference the Trimble advisory. That advisory is in an odd format, and it is hard to see that it consists of four separate pages, including two pages of indicators of compromise. It can be downloaded as a .pdf document.