Public ICS Disclosures – Week of 10-11-25 – Part 1

This week is a relatively light disclosure week for cyber week. For Part 1 we have 35 bulk disclosures from Broadcom (8), Dassault Systems (5), FortiGuard (17), and HPE (5). We have additional 10 vendor disclosures from Bosch (2), Delta Electronics, Eaton, HP (3), Moxa, Murrelektronik, and Philips.

Broadcom Advisories

• Brocade ASCG Vulnerability Disclosures,

• jwt-go allows excessive memory allocation during header parsing,

• Rocky Linux Updates in ASCG 3.3.0a (OVA),

• eventlet before 0.35.2 as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution,

• Libexpat: expat: improper restriction of xml entity expansion depth in libexpat,

• A flaw was found in GnuTLS, which relies on libtasn1 for ASN.1 data processing,

• Certifi Vulnerable to Insufficient Verification of Data Authenticity via GlobalTrust Root Certificate, and

• Kernel OVA security updates in ASCG 3.3.0a

Dassault Advisories

• Stored Cross-site Scripting (XSS) vulnerability affecting 3DSwym in 3DSwymer,

• OS Command Injection vulnerability affecting Station Launcher App in 3DEXPERIENCE platform,

• Stored Cross-site Scripting (XSS) vulnerability affecting 3DSearch in 3DSwymer,

• Stored Cross-site Scripting (XSS) vulnerability affecting Issue Management in ENOVIA Collaborative Industry Innovator, and

• Stored Cross-site Scripting (XSS) vulnerability affecting Specification Management in ENOVIA Specification Manager

FortiGuard Advisories

• Authenticated Heap Overflow in SSL-VPN bookmarks,

• Domain fronting protection bypass in explicit web proxy,

• FGFM protocol allows unauthenticated reset of the connection,

• Heap Overflow in fgfmsd,

• Heap buffer overflow in websocket,

• Improper autorization over static files,

• Insertion of Sensitive 2FA Information in logs and debug command,

• Insertion of Sensitive Information Into Sent Data Vulnerability in csfd daemon,

• Insufficient Session Expiration in SSLVPN using SAML authentication,

• Missing authentication check in OFTP service,

• Multiple Unchecked Return Value leading to Null Pointer Dereference,

• Open Redirect and XSS in Web Filter warning page,

• Race condion in FortiCloud SSO SAML authentication,

• Restricted CLI command bypass,

• Stack-based buffer overflow on fortitoken import feature,

• Weak authentication in WAD/GUI, and

• ZTNA Server Improper Certificate Validation

HPE Advisories

• HPESBNW04958 rev.1 - HPE Aruba Networking AOS-8 Instant AP and AOS-10 AP, Multiple Vulnerabilities,

• HPESBNW04957 rev.1 - HPE Aruba Networking AOS-10 and AOS-8 Mobility Conductor, Controllers, and Gateways, Multiple Vulnerabilities,

• HPESBHF04956 rev.1 - Certain HPE ProLiant AMD Servers Using Certain AMD EPYC Processors, AMD-SB-3020: SEV-SNP RMP Initialization Vulnerability, Local Unauthorized Access Vulnerability,

• HPESBHF04952 rev.1 - HPE ProLiant RL300 Gen11 Server, Out-of-Bound Reads Vulnerability, and

• HPESBHF04954 rev.1 - HPE Compute Scale-up Server 3200 Platform and Superdome Flex 280 servers, Security Bypass Vulnerability

Bosch Advisories

Bosch published an advisory that describes three vulnerabilities in their ctrlX OS Setup application. The vulnerabilities were reported by Michael Messner and Benedikt Kuehne from Siemens Energy. Bosch has new versions that mitigate the vulnerability.

The three reported vulnerabilities are:

• Improper access control (2) - CVE-2025-48860 and CVE-2025-48861, and

• Missing encryption of sensitive information - CVE-2025-48862

Bosch published an advisory that discusses an allocation of resources without limits or throttling vulnerability in their Rexroth Fieldbus Couplers. This is a third-party (Phoenix Contact) vulnerability. Bosch has a new firmware version for one of the affected products that mitigates the vulnerability. More fixes are pending.

Delta Advisory

Delta published an advisory that describes two stack-based buffer overflow vulnerabilities in their ASDA-Soft product. The vulnerabilities were reported by an unnamed third-party. Delta has a new version that mitigates the vulnerabilities.

Eaton Advisory

Eaton published an advisory that describes an uncontrolled search path vulnerability in their Intelligent Power Protector (IPP) software. The vulnerability was reported by Kazuma Matsumoto. Eaton has a new version that mitigates the vulnerability.

HP Advisories

HP published an advisory that discusses three vulnerabilities in multiple HP product lines. These are third-party (Intel) vulnerabilities. HP has SoftPaqs that mitigate the vulnerabilities.

The three reported vulnerabilities are:

• TOCTOU race condition - CVE-2025-20037,

• Observable timing discrepancy - CVE-2025-20067, and

• Out-of-bounds read - CVE-2025-22392

HP published an advisory that discusses two incorrect privilege assignment vulnerabilities in multiple product lines using Sound Research SECOMN64 driver. These are third-party (Sonitude) vulnerabilities (HP is the reporting CNA). The vulnerabilities were reported to HP by Sascha Meyer with GAI NetConsult GmbH. HP has SoftPaqs that mitigate the vulnerabilities.

HP published an advisory that discusses an improper access control for register interface vulnerability in multiple HP product lines. This is a third-party (AMD) vulnerability. HP has SoftPaqs that mitigate the vulnerability.

Moxa Advisory

Moxa published an advisory that describes five vulnerabilities in their Network Security Appliances and Routers. Moxa has new firmware versions that mitigate the vulnerabilities.

The five reported vulnerabilities are:

• Incorrect authorization - CVE-2025-6892,

• Execution with unnecessary privileges (3) - CVE-2025-6893, CVE-2025-6894, and CVE-2025-6949, and

• Use of hard-coded credentials - CVE-2025-6950

Murrelektronik Advisory

CERT-VDE published an advisory that describes a clear-text transmission of sensitive information vulnerability in the Murrelektronik IMPACT67 Pro products. The vulnerability was reported by Abhishek Pandey from Payatu Security Consulting. Murrelektronik has new versions that mitigate the vulnerability.

Philips Advisory

Philips published an advisory that discusses CISA Emergency Directive 26-01. Philips reports that two of their products (837507 – IntelliSpace PACS and 839001 – Vue PACS) are affected. Philips is in the process of developing fixes.