Today CISA’s NCCIC-ICS published six control system security advisories for products from Schneider Electric (2), Rockwell Automation (3), and B&R. They also updated a medical device advisory for products from BD.
Three additional Rockwell advisories were published today. If they are not covered in CISA advisories on Thursday, I will discuss them this weekend in my Public ICS Disclosures post.
Schneider Advisory #1
This advisory describes a deserialization of untrusted data vulnerability in the Schneider Electric RemoteConnect and SCADAPack x70 Utilities. The vulnerability is self-reported. Schneider is providing generic mitigation measures pending development of a fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to lead to loss of confidentiality, integrity, and potential remote code execution on workstation when a non-admin authenticated user opens a malicious project file.
NOTE: I briefly discussed this vulnerability on January 20th, 2025.
Schneider Advisory #2
This advisory describes two vulnerabilities in the Schneider PowerLogic HDPM6000 High-Density Metering System. The vulnerabilities are self-reported. Schneider has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Authorization bypass through user controlled key - CVE-2024-10497, and
Improper restriction of operations within the bounds of a memory buffer - CVE-2024-10498
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to modify data or cause a denial-of-service condition on web interface functionality.
NOTE: I briefly discussed this vulnerability on January 20th, 2025.
Rockwell Advisory #1
This advisory describes two vulnerabilities in the Rockwell DataMosaix Private Cloud. The vulnerabilities were self-reported. Rockwell has a new version that mitigates the vulnerability.
The two reported vulnerabilities are:
Exposure of sensitive information to an unauthorized actor - CVE-2024-11932, and
Dependency on vulnerable third-party component - CVE-2024-11932.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to overwrite reports, including user projects.
NOTE: From the description of the SQLite vulnerability in the advisory, it looks like the third-party component vulnerability may actually be an ‘insufficient information’ vulnerability - CVE-2020-13631.
Rockwell Advisory #2
This advisory describes two vulnerabilities in the Rockwell FactoryTalk product. The vulnerabilities are self-reported. Rockwell has new versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Incorrect permission assignment for critical resource - CVE-2025-24481,
Code injection - CVE-2025-24482
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to gain unauthenticated access to system configuration files and execute DLLs with elevated privileges.
Rockwell Advisory #3
This advisory describes two vulnerabilities in the Rockwell FactoryTalk View ME product. The vulnerabilities are self-reported. Rockwell has a new version that mitigates the vulnerability.
The two reported vulnerabilities are:
Incorrect authorization - CVE-2025-24479, and
OS command injunction - CVE-2025-24480
B&R Advisory
This advisory describes the use of a broken or risky cryptographic algorithm vulnerability in the B&R Automation Runtime and mapp View products. The vulnerabilities are self-reported. B&R has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to masquerade as legitimate services on impacted devices.
NOTE: I briefly discussed this vulnerability on January 18th, 2025.
BD Update
This update provides additional information on the BD Diagnostic Solutions Products advisory that was originally published on December 17th, 2024. The new information includes adding details to the Mitigation section.