8 Advisories and 1 Update Published – 12-18-25
Today CISA’s NCCIC-ICS published eight control system security advisories for products from Axis Communications, Rockwell Automation, Advantech, Siemens, Mitsubishi Electric, National Instruments, Schneider Electric, and Inductive Automation. They also updated an advisory for products from Mitsubishi.
Axis Advisory
This advisory describes four vulnerabilities in multiple Axis surveillance products. The vulnerabilities were reported to CISA by Noam Moshe of Claroty Team82. Axis has new versions that mitigate the vulnerabilities.
The four reported vulnerabilities are (links to individual Axis advisories):
Deserialization of untrusted data (2) - CVE-2025-30023 and CVE-2025-30025,
Improper certificate validation - CVE-2025-30024, and
Authentication bypass using alternate path or channel - CVE-2025-30026.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code, executing a man-in-the-middle style attack, or bypassing authentication.
Rockwell Advisory
This advisory describes two vulnerabilities in the Rockwell Micro8xx PLCs. The vulnerabilities were self-reported. Rockwell has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Dependency of vulnerable third-party component - CVE-2025-13823, and
Release of invalid pointer or reference.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could result in a denial-of-service condition.
Advantech Advisory
This advisory describes five vulnerabilities in the Advantech WebAccess/SCADA product. The vulnerabilities were reported to CISA by Alex Wiliams of Pellera Technologies. Advantech has a new version that mitigates the vulnerabilities.
The five reported vulnerabilities are:
Path traversal (2) - CVE-2025-14850 and CVE-2025-67653,
Unrestricted upload of file with dangerous type - CVE-2025-14849,
Absolute path traversal - CVE-2025-14848, and
SQL injection - CVE-2025-46268.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow an authenticated attacker to read or modify a remote database.
Siemens Advisory
This advisory describes an improper verification of source of a communications channel vulnerability in the Siemens Interniche IP-Stack used in a wide range of Siemens products. The vulnerability was reported by Qian Zou, Xuewei Feng, Ke Xu, Qi Li, Xueying Li, and Gang Jin from Zhongguancun Laboratory. Siemens has new versions for some of the affected products, other product fixes are pending development, and some of the affected products have no fix planned.
NCCIC-ICS has not provided an exploit consequence statement on this advisory. Instead, they copied the vulnerability summary from the Siemens advisory.
NOTE 1: I briefly mentioned this vulnerability on December 14th, 2025.
NOTE 2: Under this new CISA advisory format, they have removed the Siemens update caveat that had been a feature of CISA’s advisories for Siemens products since January 10th, 2023. I do not suspect that CISA has reversed that policy decision not to try to publish updates for their versions of Siemens advisories.
Mitsubishi Advisory
This advisory describes an OS command injection vulnerability in multiple Mitsubishi Electric Iconics Digital Solutions products. The vulnerability was self-reported. Mitsubishi has new versions that mitigate the vulnerability.
NCCIC-ICS reports that successful exploitation of this vulnerability could result in denial-of-service (DoS), information tampering, and information disclosure.
NI Advisory
This advisory describes nine vulnerabilities in the NI LabView product. The vulnerabilities were reported by Michael Heinzl (see links below for individual reports). NI has new versions that mitigate the vulnerabilities. One of the affected products is end-of-life and has not been fixed.
The nine reported vulnerabilities are:
Out-of-bounds write - CVE-2025-64461,
Out-of-bounds read (6) - CVE-2025-64462, CVE-2025-64463, CVE-2025-64464, CVE-2025-64465, CVE-2025-64466, and CVE-2025-64467,
Use after free - CVE-2025-64468, and
Stack-based buffer overflow - CVE-2025-64469.
NCCIC-ICS reports that successful exploitation of these vulnerabilities could allow an attacker to disclose information and execute arbitrary code.
Schneider Advisory
This advisory discusses a deserialization of untrusted data vulnerability in the Schneider EcoStruxure Foxboro DCS Advisor. This is a third-party (Microsoft) vulnerability that is listed in CISA’s Known Exploited Vulnerabilities catalog with a publicly available exploit. Schneider recommends applying the Microsoft update.
NCCIC-ICS has not provided an exploit consequence statement on this advisory. Instead, they copied the vulnerability summary from the Schneider advisory.
NOTE: I briefly discussed this vulnerability on December 14th, 2025.
Inductive Advisory
This advisory describes an execution with unnecessary privileges vulnerability in the Inductive Ignition product. The vulnerability was reported to CISA by Momen Eldawakhly of Samurai Digital Security. Inductive provides setup instructions that mitigate the vulnerability.
NCCIC-ICS reports that successful exploitation of this vulnerability could allow an attacker to gain direct SYSTEM-level code execution on the host operating system running the Ignition Gateway service on Windows systems.
Mitsubishi Update
This update provides additional information on the CNC Series advisory that was originally published on October 17th, 2024, and most recently updated on March 18th, 2025. The new information includes an updated product list and updated mitigations.