Today CISA’s NCCIC-ICS published three control system security advisories for products from LITEON, ABB, and Hitachi Energy. They also updated three previously published advisories for products from Schneider.
LITEON Advisory
This advisory describes a cleartext storage of a password vulnerability in the LITEON IC48A and IC80A EV chargers. The vulnerability was reported to CISA by Murat Sagdullaev of Electrada. LITEON has new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to access sensitive information when accessing the LITEON EV chargers.
ABB Advisory
This advisory describes four vulnerabilities in the ABB web UI REST interface. The vulnerabilities were reported by Vera Mens of Claroty Team82. ABB recommends disabling the interface when it is not in use.
The four reported vulnerabilities are:
Use of hardcoded cryptographic key (2) - CVE-2025-6074 and CVE-2025-6071, and
Stack-based buffer overflow (2) - CVE-2025-6073 and CVE-2025-6072.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to gain unauthenticated access to the MQTT configuration data, cause a denial-of-service condition on the MQTT configuration web server (REST interface), or decrypt encrypted MQTT broker credentials.
Note: I briefly discussed these vulnerabilities on July 5th, 2025.
Hitachi Energy Advisory
This advisory describes six vulnerabilities in the Hitachi Energy Asset Suite products. Two of these are Hitachi Energy vulnerabilities; the other four are third-party (Android) vulnerabilities. Hitachi Energy provides generic mitigation measures pending development of a fix.
The six reported vulnerabilities are:
Incomplete list of disallowed inputs - CVE-2025-1484,
Plaintext storage of password - CVE-2025-2500,
Out-of-bounds write (3) - CVE-2019-9429, CVE-2019-9256, and CVE-2019-9290, and
Release of invalid pointer or reference - CVE-2019-9290
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to gain unauthorized access to the target equipment, perform remote code execution, or escalate privileges.
Note: I briefly discussed these vulnerabilities on May 31st, 2025.
Schneider Update #1
This update provides additional information on the Uni-Telway Driver advisory that was originally published on March 11th, 2025. The new information includes updating mitigations for Schneider Electric CPCER.
NOTE: Schneider updated their advisory on July 8th, 2025.
Schneider Update #2
This update provides additional information on the Modicon Controllers advisory that was originally published on May 20th, 2025. The new information includes updating remediations.
NOTE: Schneider updated their advisory on July 8th, 2025.
Schneider Update #3
This update provides additional information on the EcoStruxure advisory that was originally published on February 6th, 2025, and most recently updated on March 6th, 2025. The new information includes:
Adding Pro-face BLUE to "Affected Products" section,
Adding remediations for EcoStruxure Control Expert, EcoStruxure Operator Terminal Expert and Pro-face BLUE offers,
Updating link to the fix of EcoStruxure Control Expert Asset Link offer.