6 Advisories and 1 Update Published – 4-24-25
Today CISA’s NCCIC-ICS published six control system security advisories for products from Planet Technology, Johnson Controls, Nice, Vestel, ALBEDO Telecom, and Schneider Electric. They also updated an advisory for products from Fuji Electric.
Planet Advisory
This advisory describes five vulnerabilities in multiple Planet network products. The vulnerabilities were reported by Kev Breen of Immersive. Planet has patches that mitigate the vulnerabilities.
The five reported vulnerabilities are:
OS command injection (2) - CVE-2025-46271 and CVE-2025-46272,
Use of hard-coded credentials (2) - CVE-2025-46273 and CVE-2025-46274, and
Missing authentication for critical function - CVE-2025-46275
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to read or manipulate device data, gain administrative privileges, or alter database entries.
NOTE: This probably should have been two separate advisories. Vulnerabilities -46271, -46273, and -46274 are listed in the description as uniquely affecting the UNI-NMS-Lite product while the other two uniquely affect the WGS-80HPT-V2 and WGS-4215-8T2S products. None of the descriptions mention the other two products (NMS-500 and NMS-1000V) listed as affected in Section 3.1 of the advisory. NVD.NIST.gov lists all five vulnerabilities as “CVE ID Not Found”, so no help there.
Johnson Controls Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Johnson Controls ICU tool. The vulnerability was reported by Reid Wightman of Dragos. Johnson Controls has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute arbitrary code.
Nice Advisory
This advisory describes an OS command injection vulnerability (with publicly available exploit) in the Nice Linear eMerge e3-Series access control platform. This vulnerability was reported by Noam Rathaus of SSD Secure Disclosure; the report includes exploit code. CISA reports that “Nice did not indicate if/when a patch would be developed.”
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute arbitrary OS commands.
NOTE: I briefly discussed this vulnerability on September 28th, 2024.
Vestel Advisory
This advisory describes an exposure of sensitive information to an unauthorized control sphere vulnerability in the Vestel AC Charger EVC04. The vulnerability was reported to CISA by Cumhur Kizilari. Vestel has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain access to sensitive information, such as credentials, which could subsequently enable them to cause a denial of service or partial loss of integrity of the charger.
NOTE: Reading the Vestel advisory, it is fairly clear that there are some translation issues in producing this English language advisory. That probably explains the disconnect between the CISA description of the vulnerability and the Vestel version, which appears to describe a cleartext storage of credentials vulnerability.
ALBEDO Advisory
This advisory describes an insufficient session expiration vulnerability in the ALBEDO Net.Time - PTP/NTP clock. The vulnerability was reported to CISA by Khalid Markar, Parul Sindhwad & Dr. Faruk Kazi from CoE-CNDS Lab. ALBEDO has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.
Schneider Advisory
This advisory describes 22 vulnerabilities (16 with publicly available exploits) in the Schneider Modicon Controllers. The vulnerabilities were reported by Jared Rittle of Cisco Talos, Pavel Nesterov, Artem Zinenko of Kaspersky, Gao Jian of ns focus, and Dong Yang of Dingxiang Dongjian Security Lab; the Cisco Talos reports (16) included proof-of-concept code. Schneider has new versions that mitigate most of the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to execute unsolicited commands on the PLC, which could result in a loss of availability of the controller.
NOTE: Schneider originally published their advisory on May 14th, 2019, and has updated it 15 times since then, most recently on February 11th, 2025 (v12.0). It is apparently that update (that I briefly discussed on February 19th, 2025) that has formed the basis for this advisory. CISA’s ‘problem’ here is that it relies on information submitted to the agency by vendors or researchers to form the basis for their advisories. I have no idea why it took Schneider so long to report these vulnerabilities to CISA, especially since they had already been doing the mitigation work.
Fuji Update
This update provides additional information on the Monitouch V-SFT advisory that was originally published on December 3rd, 2024. The new information includes adding the release of Version 6.2.6.0 to the Mitigation section.