5 Advisories Published – 5-29-25
Today CISA’s NCCIC-ICS published four control system security advisories for products from Instantel, Consilium Safety, and Siemens (2). They also published a medical device security advisory for products from Santesoft. I also take a down-the-rabbit-hole look at the Consilium vulnerability.
Instantel Advisory
This advisory describes a missing authentication for critical function vulnerability in the Instantel Micromate monitoring device. The vulnerability was reported to CISA by Souvik Kandar of MicroSec. Instantel provides generic mitigation measures pending development of a fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated attacker to access the device's configuration port and execute commands.
Consilium Advisory
This advisory describes two vulnerabilities in the Consilium S5000 Fire Panel. The vulnerabilities were reported to CISA by Andrew Tierney of Pen Test Partners. Consilium reports that no fix is planned for this device (see DTRH section below).
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to gain high-level access to and remotely operate the device, potentially putting it into a non-functional state.
Siemens Advisory #1
This advisory describes an out-of-bounds read vulnerability in the Siemens SiPass integrated products. The vulnerability was reported by Airbus Security. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an unauthenticated remote attacker to cause a denial-of-service condition.
NOTE: I briefly discussed this vulnerability on May 24th, 2025.
Siemens Advisory #2
This advisory describes an improper verification of cryptographic signature vulnerability in the Siemens SiPass integrated products. The vulnerability was self-reported, although the Siemens advisory notes that it was reported by Airbus Security. Siemens provides generic mitigation measures with no fix being planned.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to upload maliciously modified firmware onto the device.
NOTE: I briefly discussed this vulnerability on May 24th, 2025.
Santesoft Advisory
This advisory describes an out-of-bounds read vulnerability in the Santesoft Sante DICOM Viewer Pro. The vulnerability was reported to CISA by Michael Heinzl. Santesoft has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to disclose information or execute arbitrary code.
DTRH – Security Is Not an Issue
The report from Pen Test Partners on the Consilium vulnerabilities has an interesting discussion about their coordination attempts with Consilium. It is well worth reading by anyone in the maritime domain. That discussion includes the following quote taken from a communication from the vendor:
“If an error is found that would be considered erroneous by nature causing the system to malfunction or producing intermittent failures on the system, then we would correct that with a SW update, because we are committed to provide a Fire Detection System that shall operate safely and reliably. However, the same cannot be said for cybersecurity threats that are found for a system that was delivered long before IACS UR E26/E27 [link added] was mandated, i.e., 1st of July 2024. Threats are a category of its own and the FDS was not designed to be secure for malicious intents, therefore we will not patch the system delivered for this vessel to secure it from the vulnerability that was discovered.”
This is a whole new level of caveat emptor.