Today CISA’s NCCIC-ICS published four control system security advisories for products from Yokogawa and Schneider (3). They also updated two previously published Schneider advisories.
Yokogawa Advisory
This advisory describes a missing authentication for critical function vulnerability in the Yokogawa recorder products. The vulnerability was reported to CISA by Souvik Kandar of MicroSec. Yokogawa provides generic mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to manipulate information on the affected products.
NOTE: Yokogawa’s version of this advisory is not yet available on their website.
Schneider Advisory #1
This advisory describes two vulnerabilities in the Schneider ConneXium Network Manager. The vulnerabilities are self-reported. The product is end-of-life, but Schneider provides generic mitigation measures.
The two reported vulnerabilities are:
Files or directories accessible to external parties - CVE-2025-2222, and
Improper input validation - CVE-2025-2223
NOTE: I briefly discussed these vulnerabilities on April 13th, 2025.
Schneider Advisory #2
This advisory describes six vulnerabilities in the Schneider Electric Sage Series RTUs. The vulnerabilities were reported by Marlon Schumacher and Alex Armstrong from LLNL and Vishal Madipadga from SNL. Schneider has a new firmware version that mitigates the vulnerabilities.
The six reported vulnerabilities are:
Out-of-bounds write - CVE-2024-37036,
Path traversal - CVE-2024-37037,
Incorrect default permissions - CVE-2024-37038,
Unchecked return value - CVE-2024-37039,
Classic buffer overflow - CVE-2024-37040, and
Out-of-bounds read - CVE-2024-5560
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to compromise the impacted device, leading to loss of data, loss of operation, or impacts to the performance of the device.
NOTE: I briefly discussed these vulnerabilities on June 15th, 2024.
Schneider Advisory #3
This advisory describes three vulnerabilities in the Schneider Trio Q Licensed Data Radios. The vulnerabilities are self-reported. Schneider has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Insecure storage of sensitive information - CVE-2025-2440, and
Insecure default initialization of resource (2) - CVE-2025-2441 and CVE-2025-2442
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to access confidential information, compromise the integrity of, or affect the availability of, the affected product.
NOTE: I briefly discussed these vulnerabilities on April 13th, 2025.
Schneider Update #1
This update provides additional information on the Modicon M580 and Quantum Controllers advisory that was originally published on February 27th, 2025. The new information includes announcing that remediation is now available for BMECRA31210, BMXCRA31200, and BMXCRA31210.
I briefly discussed the Schneider update that underlies this information on April 14th, 2025.
Schneider Update #2
This update provides additional information on the M340, MC80, and Momentum Unity M1E advisory that was originally published on November 21st, 2024. The new information includes announcing that remediation is now available for the Modicon Momentum Unity M1E Processor.
I briefly discussed the Schneider update that underlies this information on April 14th, 2025.