7 Advisories and 2 Updates Published – 12-4-25
Today CISA’s NCCIC-ICS published seven control system security advisories for products from Advantech, Solis Cloud, Sunbird, Johnson Controls (2), MAXHIB, and Mitsubishi. They also updated advisories for products from Johnson Controls and Consilium.
Advantech Advisory
This advisory describes an SQL injection vulnerability in the Advantech iView product. The vulnerability was reported to CISA by m00nback. Advantech has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to disclose sensitive information, modify, or delete data.
SolisCloud Advisory
This advisory describes an authorization bypass through a user controlled key vulnerability in the SolisCloud Monitoring Platform. The vulnerability was reported to CISA by James Gallagher. CISA notes that: “SolisCloud has not responded to requests to work with CISA to mitigate this vulnerability.”.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to access sensitive information by manipulating API requests.
Sunbird Advisory
This advisory describes two vulnerabilities in the Sunbird DCIM dcTrack and Power IQ products. The vulnerability was reported to CISA by notnotnotveg. Sunbird has new versions that mitigate the vulnerability.
The two reported vulnerabilities are:
Authorization bypass using an alternate path or channel - CVE-2025-66238, and
Use of hard-coded credentials -n CVE-2025-66237
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to gain unauthorized access or steal credentials.
Johnson Controls Advisory #1
This advisory describes an improper validation of certificate expiration vulnerability in the Johnson Controls iStar products. The vulnerability is self-reported. Johnson Controls provides generic mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to result in the product failing to re-establish communication once the certificate expires.
Johnson Controls Advisory #2
This advisory describes a forced browsing vulnerability in the Johnson Controls OpenBlue Mobile Web Application for OpenBlue Workplace. The vulnerability is self-reported. Johnson Controls has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to gain unauthorized access to sensitive information.
MAXHUB Advisory
This advisory describes a weak password recovery mechanism for forgotten password vulnerability in the MAXHUB Pivot client. The vulnerability was reported by Malik MAKKES of Abicom Groupe. MAXHUB has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to request a password reset and gain unauthorized access to the account.
Mitsubishi Advisory
This advisory describes a cleartext storage of sensitive information vulnerability in the Mitsubishi GX Works2 product. The vulnerability was reported by Jiho Shin of Sungkyunkwan University. Mitsubishi provides generic mitigation measures pending development of a fix.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to open project files protected by user authentication using disclosed credential information, and obtain or modify project information.
NOTE: I briefly discussed this vulnerability on November 29th, 2025.
Johnson Control Update
This update provides additional information on the FX80 and FX90 advisory that was originally published on August 7th, 2025. The new information includes:
Adding FX Server to the title and title,
Adding FX Server affected versions, and
Adding prior versions for all affected products
Consilium Update
This update provides additional information on the CS5000 Fire Panel advisory that was originally published on May 29th, 2025. The new information includes:
Changing CVSS vectors from AV:N to AV:L and changed the scores to reflect this,
Updating the versions affected and additional mitigation details were added, and
Adding fixed version for the CS5000 Fire Panel.
NOTE: The original CISA advisory noted that no fix was planned for these vulnerabilities. See my May 29th, 2025, post for more information.