Today CISA’s NCCIC-ICS published six control system security advisories for products from Schneider (4), Lantronix, and DuraComm. They also published three control system advisory updates for products from Schneider.
All of the Schneider documents are based upon advisories from that organization published on July 8th, 2025. I cannot remember the last time that CISA covered a complete month’s worth of Schneider advisories in a single go, and in the same month.
Schneider Advisory #1
This advisory describes six vulnerabilities in the Schneider EcoStruxure IT Data Center Expert. The vulnerabilities were reported by Jaggar Henry and Jim Becher of KoreLogic. Schneider has a new version that mitigates the vulnerabilities.
The six reported vulnerabilities are:
OS command injection - CVE-2025-50121,
Insufficient entropy - CVE-2025-50122,
Code injection - CVE-2025-50123,
Server-side request forgery - CVE-2025-50125,
Improper privilege management - CVE-2025-50124, and
Improper restriction of XML external entity reference - CVE-2025-6438
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to disrupt operations and access system data.
Schneider Advisory #2
This advisory discusses a cross-site scripting vulnerability (listed in CISA’s Known Exploited Vulnerability catalog) in the Schneider System Monitor Application products. This is a third-party (jQuery) vulnerability with a publicly available exploit. Schneider has provided instructions for uninstalling the System Monitor Application.
NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to execute untrusted code.
Schneider Advisory #3
This advisory discusses six vulnerabilities (three with publicly available exploits, two of which are listed in the KEV catalog) in the Schneider EcoStruxure Power Operation products. These are third-party vulnerabilities. Schneider has a new version that mitigates the vulnerabilities.
The six reported vulnerabilities are:
Eval injection - CVE-2023-50447 (exploit),
Integer overflow to buffer overflow - CVE-2024-28219,
Data amplification - CVE-2022-45198,
Out-of-bounds write - CVE-2023-5217 (exploit, listed in KEV catalog),
Incomplete cleanup - CVE-2023-35945, and
Uncontrolled resource consumption - CVE-2023-44487 (exploit, listed in KEV catalog)
NCCIC-ICS reports that a relatively low-skilled attacker could remotely use publicly available exploits, resulting in the loss of system functionality or unauthorized access to system functions.
Schneider Advisory #4
This advisory describes an exposure of resource to wrong sphere vulnerability in the Schneider EcoStruxure Power Monitoring Expert and Power Operation products. The vulnerability was self-reported. Schneider has hotfixes that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to provide other authenticated users with potentially inappropriate access to TGML diagrams.
Lantronix Advisory
This advisory describes an improper restriction of external XML entity reference vulnerability in the Lantronix Provisioning Manager. The vulnerability was reported to CISA by Robert McLellan. Lantronix has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to perform a cross-site scripting attack, which could result in remote code execution.
DuraComm Advisory
This advisory describes three vulnerabilities in the DuraComm SPM-500 DP-10iN-100-MU, a power distribution panel. The vulnerabilities were reported to CISA by Brandon Vincent of Arizona Public Service. DuraComm has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Cross-site scripting - CVE-2025-41425,
Missing authentication for critical function - CVE-2025-48733, and
Cleartext transmission of sensitive information - CVE-2025-53703
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to disclose sensitive information or cause a denial-of-service condition.
Schneider Update #1
This update provides additional information on the Vijeo Designer advisory that was originally published on January 14th, 2025. The new information includes adding EcoStruxure™ Machine Expert to the product section, mitigation section, and title, and editing the researcher section.
Schneider Update #2
This update provides additional information on the EVLink WallBox advisory that was originally published on June 24th, 2025. The new information includes updating vulnerability details for CVE-2025-5740 as the vulnerability requires the attacker to be authenticated.
Schneider Update #3
This update provides additional information on the Modicon Controllers advisory that was originally published on June 24th, 2025. The new information includes reporting that remediation is now available within EcoStruxure Machine Expert v2.3 used to update the M241/M251 firmware.