4 Advisories and 1 Update Published –
Today CISA’s NCCIC-ICS published four control system security advisories for products from ABB, Schneider, and Siemens (2). They also updated an advisory for products from Schneider.
ABB Advisory
This advisory discusses 15 vulnerabilities in the ABB MV Drives products. These are third-party (CODESYS) vulnerabilities. ABB has a new firmware version that mitigates the vulnerabilities.
There are no downstream advisories or exploits reported by NVD.NIST.gov for these vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to gain full access to the drive or cause a denial-of-service condition.
Schneider Advisory
This advisory describes an exposure of sensitive information to an unauthorized actor vulnerability in the Schneider Wiser Home Controller. The vulnerability was self-reported. The product is end-of-life and no fix is planned.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to disclose sensitive credentials.
NOTE: I briefly discussed this vulnerability on July 13th, 2024.
Siemens Advisory #1
This advisory describes an improper handling of length parameter inconsistency vulnerability in the Siemens TeleControl Server Basic. The vulnerability was reported by Jin Huang from ADLab of Venustech. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized actor could remotely exploit the vulnerability to cause the application to allocate exhaustive amounts of memory and subsequently create a denial-of-service condition.
NOTE: I briefly discussed this vulnerability on April 16th, 2025.
Siemens Advisory #2
This advisory describes 67 SQL injection vulnerabilities in the Siemens TeleControl Server Basic. 16 of the vulnerabilities were reported by the Zero Day Initiative. Siemens has a new version that mitigates the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to read and write to the application's database, cause a denial-of-service condition, and execute code in an OS shell.
NOTE: I briefly discussed this vulnerability on April 16th, 2025.
Schneider Update
This update provides additional information on the Modicon M580 PLCs advisory that was originally published on February 4th, 2025. The new information includes updated affected vulnerability information and added mitigation information.
I briefly discussed this updated information on April 14th, 2025.