ICS-CERT Advisories – 8-14-25 – Part 2
For Part 2 we have control system security advisories for products from Siemens (5), Rockwell (9). We also have an advisory update for products from Güralp.
There were two additional Siemens advisories (and 25 Siemens updates) published this week that were not covered by NCCIC-ICS. I will address these this weekend in my Public ICS Disclosures blog post.
Opcenter Advisory
This advisory describes seven vulnerabilities in the Siemens Opcenter Quality products. The vulnerabilities are self-reported. Siemens has a new version that mitigates the vulnerabilities.
The seven reported vulnerabilities are:
Incorrect authorization - CVE-2024-41979,
Missing encryption of sensitive data (2) - CVE-2024-41980 and CVE-2024-41982,
Generation of error message containing sensitive data (2) - CVE-2024-41983 and CVE-2024-41984,
Insufficient session expiration - CVE-2024-41985, and
Use of broken or risky cryptographic algorithm - CVE-2024-41986
NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerabilities to gain complete access to the application, access sensitive information, access session information, or execute a Machine-In-The-Middle attack and compromise the confidentiality and integrity of data.
Wibu Advisory
This advisory discusses a least privilege violation in the Siemens SIMATIC products. This is a third-party (Wibu) vulnerability. Siemens has new versions for three of the affected products that mitigate the vulnerability. The Siemens advisory reports that there is no fix planned for three of the affected products.
NCCIC-ICS reports that a relatively low-skilled attacker with local access could exploit the vulnerability to allow a local user to navigate from Import License to a privileged instance of Windows Explorer.
Simcenter Advisory
This advisory describes two vulnerabilities in the Siemens Simcenter Femap product. The vulnerabilities were reported separately by Michael Heinzl and ZDI. Siemens has new versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Out-of-bounds write - CVE-2025-40762, and
Out-of-bounds read - CVE-2025-40764
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to allow an attacker to execute code in the context of the current process.
Engineering Platforms Advisory
This advisory describes a deserialization of untrusted data vulnerability in the Siemens Engineering Platforms. The vulnerability is self-reported. Siemens has new versions for four of the affected products, and reports that no fix is planned for an additional two.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a local authenticated attacker to cause a type confusion and execute arbitrary code within the affected application and its privileges.
COMOS Advisory
This advisory discusses an out-of-bounds write vulnerability in the Siemens COMOS product. This is a third-party (Open Design Alliance) vulnerability. Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.
1756-ENXX Advisory
This advisory describes two vulnerabilities in the Rockwell 1756-ENXX products. These vulnerabilities are self-reported. Rockwell has new versions that mitigate the vulnerabilities.
The two reported vulnerabilities are:
Improper input validation - CVE-2025-8007, and
Improper handling of exceptional conditions - CVE-2025-8008
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to result in an attacker causing a denial of service condition.
NOTE: These vulnerabilities are not currently listed on the Rockwell Security Advisories website.
FactoryTalk Advisory #1
This advisory describes an exposure of sensitive information to unauthorized actor vulnerability in the Rockwell FactoryTalk Action Manager product. The vulnerability is self-reported. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow a local unauthenticated attacker to listen to communications and manipulate the device.
Note: The CVE number provided in this advisory is incorrect, it should be CVE-2025-9036. Somehow Rockwell has both CVE numbers on their advisory and NCCIC-ICS just copied the wrong one. It will be interesting to see how long it takes to correct this problem.
FactoryTalk Advisory #2
This advisory describes an improper access control vulnerability in the Rockwell FactoryTalk Linx product. The vulnerability is self-reported. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow an attacker to create, update, and delete FTLinx drivers.
FactoryTalk Advisory #3
This advisory describes an execution with unnecessary privileges vulnerability in the Rockwell FactoryTalk Viewpoint product. The vulnerability is self-reported. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to result in full privilege escalation.
Studio 5000 Advisory
This advisory describes an improper input validation vulnerability in the Rockwell Studio 5000 Logix Designer product. The vulnerability was self-reported. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker on a local network could exploit the vulnerability to allow an attacker to crash the device or execute malicious code.
ControlLogix Advisory
This advisory describes an insecure default initialization of a resource vulnerability in the Rockwell ControlLogix Ethernet Modules. The vulnerability is self-reported. Rockwell has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow remote attackers to perform memory dumps, modify memory, and control execution flow.
ArmorBlock Advisory
This advisory describes two vulnerabilities in the Rockwell ArmorBlock 5000 I/O product. The vulnerabilities are self-reported. Rockwell has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Incorrect authorization - CVE-2025-7773, and
Improper authentication - CVE-2025-7774
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow an attacker to predict session numbers or perform privileged actions.
FLEX 5000 Advisory
This advisory describes two improper input validation vulnerabilities in the Rockwell FLEX 5000 I/O products. These vulnerabilities are self-reported. Rockwell has a new version that mitigates the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to create a denial-of-service condition.
Note: The CVE numbers provided in this advisory are incorrect; they should be CVE-2025-9041 and CVE-2025-9042. I have no idea where NCCIC-ICS got these Church Donation System CVE numbers from.
Micro800 Advisory
This advisory discusses four vulnerabilities in the Rockwell Micro800 series PLCs. Three of these are third-party vulnerabilities. Rockwell has new versions (two to be released next month) that mitigate the vulnerabilities.
The four reported vulnerabilities are:
Out-of-bounds write (2) - CVE-2023-48691, CVE-2023-48692,
Improper input validation (2) - CVE-2023-48693 and CVE-2025-7693.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to result in remote code execution or may lead to privilege escalation.
NOTE: NCCIC-ICS reports the first three of these vulnerabilities as being “DEPENDENCY ON VULNERABLE THIRD-PARTY COMPONENT”. I frequently see this used when there are multiple vulnerabilities in a third-party component and the reporting agency does not want to be bothered listing each of the vulnerabilities. In this case only a single vulnerability is covered by the designation, so I am reporting the vulnerability description from NVD.NIST.gov as I believe that is more useful.
Güralp Update
This update provides additional information on the FMUS Series advisory that was originally published on July 31st, 2025. The new information includes the addition of a product (MIN Series Digitizing Devices), an edited executive summary, an edited title, and a revised researcher section.