4 Advisories and 3 Updates Published – 12-16-25
Today CISA’s NCCIC-ICS published four control system security advisories for products from Mitsubishi Electric, Hitachi Energy, Johnson Controls, and Güralp Systems. They also updated advisories for products from Fuji Electric, Johnson Controls, and Mitsubishi Electric.
Format Revision
CISA has made a major revision to the format they use for their “ICS Advisory” reports. The most obvious change is the removal of the numbered paragraph format; much of the detail has moved to pull-down entries. The pull-down details for each CVE number, for instance, include affected products, remediation, vendor fixes and mitigation measures, as well as CWE information.
Another structural change is the move of the CISA “Recommended Practices” to a section physically separated from the vendor mitigation measures. This fixes a frequent problem in determining which items are vendor suggestions and which are CISA input. The characterization of exploit results is still provided, but it looks like some changes in the verbiage are being explored (see the discussion on the Mitsubishi advisory), and it has been moved to the top of the “Summary” section of the report.
The following bits of information have been removed from these reports:
The characterization that NCCIC-ICS had made about the complexities and access requirements for exploits, and
Links to vendor reports.
The CISA updates are also being converted (as published) to this new format.
Commentary: If you save these advisories in .pdf format, you are going to have to make sure that each of the pull-downs for the CVEs is opened before saving or else the data will not be available in the saved file. This pull-down does make the file look cleaner, but this could get absolutely crazy when there are a large number of 3rd party vulnerabilities, especially with the duplication of most of the mitigation information. This may need to be rethought.
Mitsubishi Advisory
This advisory describes a cleartext storage of sensitive information vulnerability in the Mitsubishi GT Designer3 products. The vulnerability was reported by Hea-Eun Moon and Junbeom Gwak of Red Alert Lab at NSHC. Mitsubishi provides generic mitigation measures presumably pending development of a fix.
NCCIC-ICS reports that an exploit of this vulnerability could allow an attacker to obtain plaintext credentials from the project file for GT Designer3, which could result in illegally (interesting choice of words here) operating GOT2000 and GOT1000 series devices.
Hitachi Energy Advisory
This advisory discusses the BlastRadius-Fail vulnerability. Hitachi Energy provides a list of affected products. Hitachi Energy provides setting adjustment information to mitigate the vulnerability.
NCCIC-ICS reports that an exploit of this vulnerability could compromise the integrity of the product data and disrupt its availability.
NOTE: I briefly discussed this vulnerability on November 1st, 2025.
Johnson Controls Advisory
This advisory describes four vulnerabilities in the Johnson Controls PowerG, IQPanel and IQHub products. The vulnerabilities were reported to CISA by James Chambers and Sultan Qasim Khan of NCC Group. Johnson Controls has new versions that mitigate the vulnerabilities.
The four reported vulnerabilities are:
Cleartext transmission of sensitive information - CVE-2025-61738,
Reusing a nonce, key pair in encryption - CVE-2025-61739,
Use of cryptographically weak PRNG - CVE-2025-26379, and
Origin validation error - CVE-2025-61740
NCCIC-ICS reports that an exploit of these vulnerabilities could allow an attacker to read or write encrypted traffic or perform a replay attack.
Güralp Advisory
This advisory describes an allocation of resources without limit or throttling vulnerability in the Güralp Fortimus, Minimus, and Certimus product series. The vulnerability was reported to CISA by Souvik Kandar. Güralp provides generic mitigation measures.
NCCIC-ICS reports that an exploit of this vulnerability could allow an attacker to cause a denial-of-service condition.
Fuji Update
This update provides additional information on the Fuji Monitouch V-SFT-6 advisory that was originally published on November 4th, 2025. The new information includes adding CVE-2025-53524, an out-of-bounds write. The previously reported fix apparently applies to the new vulnerability.
Johnson Controls Update
This update provides additional information on the Johnson Controls iSTAR Ultra advisory that was originally published on August 12th, 2025. The new information includes adding version 6.9.8 as a mitigation.
Mitsubishi Update
This update provides additional information on the Mitsubishi GENESIS advisory that was originally published on May 20th, 2025, and most recently updated on August 28th, 2025. The new information includes adding GENESIS32 as an affected product with mitigation measures.
I briefly discussed this update on August 9th, 2025.