6 Advisories and 1 Update Published – 11-25-25
Today CISA’s NCCIC-ICS published five control system security advisories for products from SiRcom, Festo, Opto 22, Zenitel, Rockwell, and Ashlar-Vellum. They also updated an advisory for products from Mitsubishi.
SiRcom Advisory
This advisory describes a missing authentication for critical function vulnerability in the SiRcom SMART Alert (SiSA) central control system. The vulnerability was reported to CISA by Souvik Kandar of Microsec. CISA notes that: “SiRcom did not respond to CISA’s request for coordination.”
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to enable an attacker to remotely activate or manipulate emergency sirens.
Festo Advisory
This advisory discusses two vulnerabilities in the multiple Festo product lines. These are third-party (CODESYS) vulnerabilities. The vulnerabilities were reported by Rob Hulsebos and Daniel dos Santos of Forescout. Festo provides generic mitigation measures.
The two reported vulnerabilities are:
Exposure of resource to wrong sphere - CVE-2022-22515, and
Insecure default initialization of resource - CVE-2022-31806
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to result in an attacker accessing devices without authentication or modifying configuration files.
NOTE: I briefly discussed these vulnerabilities on December 3rd, 2022.
Opto 22 Advisory
This advisory describes an exposure of sensitive data through meta data vulnerability in the Opto 22 groov View product line. The vulnerability was reported to CISA by Nik Tsytsarkin, Ismail Aydemir, and Ryan Hall of Meta. Opto 22 has a new firmware version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to result in credential exposure, key exposure, and privilege escalation.
Zenitel Advisory
This advisory describes five vulnerabilities in the Zenitel TCIV-3+ IP video intercom. The vulnerability was reported to CISA by Nir Tepper and Noam Moshe of Claroty Team82. Zenitel has a new version that mitigates the vulnerabilities.
The five reported vulnerabilities are:
OS command injection (3) - CVE-2025-64126, CVE-2025-64127, and CVE-2025-64128,
Out-of-bounds write - CVE-2025-64129, and
Cross-site scripting - CVE-2025-64130.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to result in arbitrary code execution or cause a denial-of-service condition.
Rockwell Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Rockwell Arena Simulation product. The vulnerability was reported to CISA by Michael Heinzl. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker on a local network could exploit the vulnerability to allow local attackers to execute arbitrary code on affected installations of Arena.
NOTE: I briefly discussed this vulnerability on November 16th, 2025.
Ashlar-Vellum Advisory
This advisory describes two vulnerabilities in multiple Ashlar-Vellum products. The vulnerabilities were reported to CISA by Michael Heinzl. Ashlar-Vellum has new versions that mitigate the vulnerability.
The two reported vulnerabilities are:
Out-of-bounds write - CVE-2025-65084, and
Heap-based buffer overflow - CVE-2025-65085
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to disclose information or execute arbitrary code.
Mitsubishi Update
This update provides additional information on the FA Engineering Software advisory that was originally published on December 5th, 2022, and most recently updated on June 29th, 2023. The new information includes adding MT Works2 to Affected Products and Mitigations.