Today CISA’s NCCIC-ICS published eight control system security advisories for products from Edimax, GMOD, Delta Electronics, Hitachi Energy (3), Keysight, and Carrier.
Edimax Advisory
This advisory describes an OS command injection vulnerability in the Edimax IC-7100 IP Camera. The vulnerability was reported to CISA by Akamai SIRT. CISA reports that “Edimax has not responded to CISA requests to coordinate the vulnerability.”
NCCIC-ICS reports that a relatively low-skilled attacker using publicly available code could remotely exploit the vulnerability by sending specially crafted requests to achieve remote code execution on the device.
GMOD Advisory
This advisory describes four vulnerabilities in the GMOD Apollo genome annotation editor. CISA reported the vulnerabilities to GMOD. GMOD has a new version that mitigates the vulnerabilities.
The four reported vulnerabilities are:
Incorrect privilege assignment - CVE-2025-21092,
Relative path traversal - CVE-2025-23410,
Missing authentication for critical function - CVE-2025-24924, and
Generation of error message containing sensitive information - CVE-2025-20002
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to escalate privileges, bypass authentication, upload malicious files, or disclose sensitive information.
Delta Advisory
This advisory describes a heap-based buffer overflow vulnerability in the Delta CNCSoft-G2 human-machine interface. The Zero Day Initiative reported the vulnerability to CISA. Delta has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute code remotely.
NOTE: Two weeks ago CISA added a nearly identical vulnerability (CVE-2025-22880) to an earlier Delta CNCSoft-G2 advisory (ICSA-24-191-01) with the same affected and fixed version numbers. Even if this is a separate vulnerability, one wonders why this advisory was necessary.
Hitachi Energy Advisory #1
This advisory describes an improper validation of certificate with host mismatch vulnerability in the Hitachi Energy XMC20, ECST, and UNEM products. The vulnerability was reported by Darius Pavelescu and Bernhard Rader from Limes Security. Hitachi has new versions that mitigate the vulnerability in all but the two end-of-life products.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow attackers to intercept or falsify data exchanges between the client and the server.
NOTE: I briefly discussed this vulnerability on June 15th, 2024.
Hitachi Energy Advisory #2
This advisory describes a relative path traversal vulnerability in the Hitachi Energy XMC20 multiservice communication platform. The vulnerability was reported by Darius Pavelescu and Bernhard Rader from Limes Security. Hitachi has new versions that mitigate the vulnerability in all of the affected products except for the one end-of-life product.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to access files or directories outside the authorized scope.
NOTE: I briefly discussed this vulnerability on June 15th, 2024.
Hitachi Energy Advisory #3
This advisory discusses an uncontrolled search path element vulnerability in the Hitachi Energy MACH PS700 control system. This is a third-party (Intel) vulnerability. Hitachi has a patch available to mitigate the vulnerability.
NCCIC-ICS reports that an uncharacterized actor with uncharacterized access could exploit the vulnerability to allow an attacker to escalate privileges and gain control over the software.
NOTE: I briefly discussed this vulnerability on Saturday.
Keysight Advisory
This advisory describes four vulnerabilities in the Keysight Ixia Vision Product Family. The vulnerabilities were reported by NATO Cyber Security Centre (NCSC). Keysight has a newer version that mitigates the vulnerabilities.
The four reported vulnerabilities are:
Improper limitation of a path name to a restricted directory (3) - CVE-2025-24494, CVE-2025-21095, and CVE-2025-23416, and
Improper restriction of XML external entity reference - CVE-2025-24521
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to crash the device being accessed; a buffer overflow condition may allow remote code execution.
Carrier Advisory
This advisory describes an uncontrolled search path element vulnerability in the Carrier Block Load HVAC load calculation program. The vulnerability was reported by Sahil Shah and Shuvrosayar Das. Carrier has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a malicious actor to execute arbitrary code with escalated privileges.
NOTE: The same vulnerability (CVE-2025-2452) was reported by CISA last Thursday in the same Carrier product. The affected product description was narrower in the earlier advisory, affecting just version 4.16, while this advisory shows the vulnerability affecting versions 4.00, and v4.10 to 4.16. The link to that earlier advisory is currently returning a ‘file not found’ error message. The Carrier advisory (published today) references today’s CISA advisory, not last week’s.