4 Advisories and 1 Update Published – 6-17-25
Today CISA’s NCCIC-ICS published four control system security advisories for products from Dover Fueling Solutions, Fuji Electric, LS Electric, and Siemens. They also updated an advisory for products from Siemens. I also take a down-the-rabbit-hole look at the significance of the Siemens update.
Dover Fueling Advisory
This advisory describes a missing authentication for critical function vulnerability in the Dover ProGauge MagLink LX fuel and water tank monitor. The vulnerability was reported to CISA by Souvik Kandar of Microsec. Dover has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain control of the monitoring device, manipulate fueling operations, delete system configurations, or deploy malware.
Fuji Advisory
This advisory describes three vulnerabilities in the Fuji Smart Editor. The vulnerabilities were reported to CISA by kimiya via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Out-of-bounds read - CVE-2025-32412,
Out-of-bounds write - CVE-2025-41413, and
Stack-based buffer overflow - CVE-2025-41388
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to execute arbitrary code.
NOTE: Kimiya has 10 vulnerabilities in products from Fuji Electric pending with ZDI. These three are almost certainly part of that list.
LS Electric Advisory
This advisory describes three vulnerabilities in the LS Electric GMWin 4 programming software tool. The vulnerabilities were reported by Michael Heinzl. GMWin is end-of-life and no fix is planned.
The three reported vulnerabilities are:
Heap-based buffer overflow - CVE-2025-49850,
Out-of-bounds read - CVE-2025-49849, and
Out-of-bounds write - CVE-2025-49848
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to disclose information or execute arbitrary code.
Siemens Advisory
This advisory describes a zip path traversal vulnerability in the Siemens Mendix Studio Pro integrated development environment. The vulnerability is self-reported. Siemens has new versions that mitigate the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to write or modify arbitrary files in directories outside a developer's project directory.
NOTE #1: I briefly discussed this vulnerability on Sunday.
NOTE #2: The Siemens advisory reports that:
“CVE-2025-40592 was fixed in the latest software versions of Mendix Studio Pro. However, if you've installed modules before updating to those fix versions, please check your installed modules. Review the list carefully. If you notice any suspicious module, there might've been malicious activity on your system.”
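A defensive check for the zip path traversal class described in this advisory, as an added example that is not from Siemens, CISA, or the original post: it lists archive entries that would resolve outside the directory being extracted into. The function names, the `/project` stand-in directory and the sample archive are constructed for illustration, and it assumes the module package under review is an ordinary zip archive.

```python
import io
import posixpath
import zipfile


def escaping_entries(archive, project_dir="/project"):
    """Return the zip entry names that would resolve outside project_dir."""
    root = posixpath.normpath(project_dir)
    flagged = []
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            # Entry names use '/', but a Windows extractor also honours '\'.
            name = info.filename.replace("\\", "/")
            has_drive = len(name) > 1 and name[1] == ":"
            target = posixpath.normpath(posixpath.join(root, name))
            inside = target == root or target.startswith(root + "/")
            if name.startswith("/") or has_drive or not inside:
                flagged.append(info.filename)
    return flagged


def build_sample():
    """Constructed in-memory archive standing in for a module package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("module/widgets/readme.txt", "benign entry")
        zf.writestr("../../outside.txt", "constructed traversal entry")
        zf.writestr("module\\..\\..\\outside2.txt", "backslash variant")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry in escaping_entries(build_sample()):
        print("escapes project directory:", entry)
```

The check only reads the archive's entry list; nothing is extracted to disk.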
Siemens Update
This update provides additional information on the SENTRON Powercenter 1000 advisory that was originally published on December 12th, 2024. The new information includes updating risk evaluation, affected products, and mitigations to clarify that no vulnerabilities are present, contrary to the initial reporting. It also updates the CVSS vector string and score to match the CVE record, as the vulnerability is no longer being evaluated for this specific Siemens product.
DTRH – Siemens Update
Since January of 2023 NCCIC-ICS has been including the following statement on the top of all ICS Advisories for products from Siemens:
“As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).”
CISA took this step after Siemens shifted to the policy of publishing all of their new advisories and updates on the 2nd Tuesday of every month, in conjunction with the Microsoft and Adobe disclosures on that day. The workload from dropping all of these updates in addition to everything else was just too much and CISA stopped reporting on Siemens updates.
Today’s Siemens Mendix Studio Pro advisory did not include that update statement. And then there was today’s update for the Siemens SENTRON Powercenter 1000 advisory. Does this mark a change in CISA policy? I do not think so, since there were 18 other Siemens updates published the same day as their SENTRON advisory. If the policy were changed, those other 18 updates would also have called for a CISA update.
So why this advisory? Well, Siemens did report that they had discovered that their product was not affected by this third-party (Silicon Labs) Bluetooth vulnerability. Siemens' original advisory (for those of us with saved copies) had announced that no fix was planned for the vulnerability in the SENTRON products (no reason was given), but a workaround for disabling the Bluetooth capability was provided.
Apparently, Siemens was notified of the vulnerability by Silicon Labs. They noted in their initial advisory that: “Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet available.” During that development process, it looks like Siemens determined that their products were not affected.
Restoring that Bluetooth functionality to the product line would be of some importance to Siemens. So, I suspect that they approached CISA to make a one-time change to their no-Siemens-updates policy to help get the word out to their widely distributed customer base.