7 Advisories and 1 Update Published – 9-16-25

Today CISA’s NCCIC-ICS published seven control system security advisories for products from Delta Electronics, Siemens (4), Hitachi Energy, and Schneider Electric. They also published an update for an advisory for products from Schneider.

Delta Advisory

This advisory describes two path traversal vulnerabilities in the Delta DIALink product. The vulnerability was reported to CISA by an anonymous researcher via the Zero Day Initiative. Delta has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to bypass authentication.

NOTE: I briefly discussed these vulnerabilities on September 13^th, 2025.

Siemens Advisory #1

This advisory discusses an infinite loop vulnerability in multiple Siemens products. This is a third-party (OpenSSL) vulnerability. Siemens has new versions that mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to create a denial-of-service condition.

NOTE: Siemens originally published their advisory for this vulnerability on June 14^th, 2022, and most recently updated it on September 9^th, 2025. As is typical for Siemens vulnerability, CISA published an advisory on the same vulnerability on June 16^th, 2022. CISA stopped publishing updates for Siemens advisories on June 13^th, 2023, but not until they had published five updates on this advisory, while Siemens has published 22 updates on their version. It looks like CISA is using this new advisory to catch up with the Siemens updates.

Siemens Advisory #2

This advisory discusses an out-of-bounds read vulnerability in Siemens Industrial Products. This is a third-party (OpenSSL) vulnerability. Siemens has a new versions that mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerability to allow an unauthenticated remote attacker to execute arbitrary code or to cause a denial-of-service condition.

NOTE: Siemens originally published their advisory for this vulnerability on February 8^th, 2022, and most recently updated it on April 11^th, 2023.

Siemens Advisory #3

This advisory discusses three vulnerabilities in the Siemens RUGGEDCOM, SINEC NMS, and SINEMA products. These are third-party (Apache) vulnerabilities. Siemens has new versions that mitigates the vulnerability.

The three reported vulnerabilities are:

• NULL pointer dereference - CVE-2021-34798,

• Out-of-bounds write - CVE-2021-39275, and

• Server-side request forgery - CVE-2021-40438 (listed on CISA’s KEV catalog)

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to cause a denial-of-service, crash the product, or perform remote code execution.

NOTE: Siemens originally published their advisory for these vulnerabilities on June 14^th, 2022, and most recently updated it on October 11^th, 2022.

Siemens Advisory #4

This advisory discusses two integer overflow or wraparound vulnerabilities in the Siemens SIMATIC NET CP, SINEMA, and SCALANCE products. These are third-party (strongSwan) vulnerabilities. Siemens has new versions that mitigate the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to cause a denial-of-service (DoS) condition in the affected devices by exploiting integer overflow bugs.

NOTE: Siemens originally published their advisory for these vulnerabilities on February 8^th, 2022, and most recently updated it on March 14^th, 2023.

Hitachi Energy Advisory

This advisory discusses seven vulnerabilities in Hitachi Energy RTU500 series products. Six of these are third-party vulnerabilities. Hitachi Energy has a new version that mitigates the vulnerabilities.

The seven reported vulnerabilities are:

• NULL pointer dereference - CVE-2023-2953,

• Improper validation of integrity check value - CVE-2025-39203,

• Improper restriction of XML external entity reference - CVE-2024-45490,

• Integer overflow or wraparound (2) - CVE-2024-45491, CVE-2024-45492,

• XML entity expansion - CVE-2024-28757 (includes POC code), and

• Stack-based buffer overflow - CVE-2025-6021

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a Denial-of-Service condition in RTU500 devices.

Schneider Advisory

This advisory describes a cross-site scripting vulnerability in multiple Schneider products. The vulnerability was reported by Thomas Weber, David Blagojevic of CyberDanube, the report includes proof-of-concept code. Schneider has a new version for one of the affected products that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to read or modify data.

NOTE: I briefly discussed this vulnerability September 14^th, 2025.

Schneider Update

This update provides additional information on the Galaxy VS advisory that was originally published on May 20^th, 2025. The new information includes updating affected products and mitigations.