4 Advisories Published – 1-27-25
Today CISA’s NCCIC-ICS published four control system security advisories for products from Johnson Controls, Schneider Electric, Festo, and iba Systems.
Johnson Controls Advisory
This advisory describes a command injection vulnerability in multiple Johnson Controls products. The vulnerability was self-reported. Johnson Controls has a Metasys patch that mitigates the vulnerability.
NCCIC-ICS reports that successful exploitation of this vulnerability could result in remote SQL execution, leading to alteration or loss of data.
Schneider Advisory
This advisory discusses five vulnerabilities in Schneider Zigbee products. These are third-party (Silicon Labs) vulnerabilities. Schneider provides generic mitigation measures.
The five reported vulnerabilities are:
Classic buffer overflow (4) - CVE-2024-6350, CVE-2024-6351, CVE-2024-6352, and CVE-2024-10106, and
Node ID change - CVE-2024-7322
The Schneider advisory reports that “Failure to apply the mitigations provided may risk denial of service, which could result in products being unavailable.”
NOTE: I briefly described these vulnerabilities on January 17th, 2026.
Festo Advisory
This advisory discusses 140 vulnerabilities in the Festo Didactic SE MES PC. These are third-party vulnerabilities. Festo recommends replacing XAMPP with Festo Didactic’s Factory Control Panel application.
Twenty of the 140 vulnerabilities are rated ‘critical’ by their CVSS score, and two of those have known public exploits:
Integer overflow and wrap around - CVE-2016-3078 (exploit),
FPM buffer overflow - CVE-2019-11043 (exploit)
I briefly discussed these vulnerabilities on February 26th, 2024.
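Because the two known-exploited CVEs in the Festo advisory are PHP bugs shipped inside XAMPP, the first question for anyone running an MES PC is whether the installed PHP build falls in an affected range. The script below is an added example (not from Festo, CISA or this blog) that parses `php -v` output and flags those two CVEs by version. The affected ranges are my reading of the NVD entries (CVE-2016-3078: PHP 7.x before 7.0.6; CVE-2019-11043: PHP-FPM 7.1.x before 7.1.33, 7.2.x before 7.2.24, 7.3.x before 7.3.11) and should be confirmed against NVD before being relied on; the sample `php -v` line is constructed.

```python
import re

# Affected version ranges [lo, hi) for the two known-exploited CVEs named in the
# Festo advisory. ASSUMPTION: taken from my reading of the NVD descriptions;
# verify against NVD before relying on them.
AFFECTED = {
    "CVE-2016-3078": [((7, 0, 0), (7, 0, 6))],
    "CVE-2019-11043": [
        ((7, 1, 0), (7, 1, 33)),
        ((7, 2, 0), (7, 2, 24)),
        ((7, 3, 0), (7, 3, 11)),
    ],
}


def parse_php_version(php_v_output):
    """Extract (major, minor, patch) from the first line of `php -v` output.

    Distribution suffixes such as '7.3.10-1+ubuntu' are tolerated because only the
    leading three numeric components are matched.
    """
    m = re.search(r"\bPHP (\d+)\.(\d+)\.(\d+)", php_v_output)
    if not m:
        raise ValueError("no PHP version string found in input")
    return tuple(int(x) for x in m.groups())


def affected_cves(version):
    """Return the CVEs (from AFFECTED) whose ranges contain `version`.

    A hit is a version match only: CVE-2019-11043 also needs PHP-FPM to be in use
    behind a web server that passes a crafted PATH_INFO, so treat a hit as
    'patch and investigate', not as proof of exploitability.
    """
    hits = []
    for cve, ranges in AFFECTED.items():
        for lo, hi in ranges:
            if lo <= version < hi:
                hits.append(cve)
                break
    return sorted(hits)


def check_php_v(php_v_output):
    """Convenience wrapper: parse `php -v` text and return the matching CVEs."""
    return affected_cves(parse_php_version(php_v_output))


if __name__ == "__main__":
    # Constructed sample of what `php -v` prints on an old XAMPP install.
    sample = "PHP 7.3.10 (cli) (built: Sep 24 2019 10:41:45) ( ZTS MSVC15 (Visual C++ 2017) x64 )"
    print(parse_php_version(sample), check_php_v(sample))
```

Run it against the real output of `php -v` from the XAMPP installation directory on the MES PC. An empty result means neither known-exploited CVE matches by version; it says nothing about the remaining 138 CVEs in the advisory, which is why the vendor's recommendation is to replace XAMPP rather than patch it piecemeal.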
Iba Advisory
This advisory describes an incorrect permissions assignment for critical resource vulnerability in the iba ibaPDA. The vulnerability was reported by Siemens. iba has a new version that mitigates the vulnerability.
NCCIC-ICS reports that successful exploitation of this vulnerability could allow an attacker to perform unauthorized actions on the file system.