Public ICS Disclosures – Week of 11-1-25 – Part 1
This week we bulk disclosures from QNAP (11). We also have nine additional vendor disclosures from ABB, Advantech, Eaton (2), Meinberg, Mitsubishi, Moxa, and Philips (2).
Bulk Disclosure – QNAP
Vulnerability in Malware Remover (PWN2OWN 2025),
Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2025),
Multiple Vulnerabilities in HBS 3 Hybrid Backup Sync (PWN2ONW 2025),
Vulnerability in Hyper Data Protector (PWN2OWN 2025)
ABB Advisory
ABB published an advisory that discusses a path traversal vulnerability in their PMC 600 protection and control IED manager. This is a third-party (SharpZipLib) vulnerability with a publicly available exploit. ABB has a new version that mitigates the vulnerability.
Advantech Advisory
Advantech published an advisory that describes 12 vulnerabilities in their WebAccess/VPN portal. The vulnerabilities were reported by Alex Williams of Pellera Technologies. Advantech has a new version that mitigates the vulnerabilities via VulnCheck.
Eaton Advisories
Eaton published an advisory that describes a missing authentication for critical function vulnerability in their Brightlayer Software Suite. Eaton has a patch that mitigates the vulnerability.
Eaton published an advisory that describes an unrestricted upload of file with dangerous type vulnerability in their Brightlayer Software Suite. The vulnerability was reported by Lang Khuong Duy of Viettel IDC. Eaton has a patch that mitigates the vulnerability.
Meinberg Advisory
Meinberg published an advisory that discusses 12 vulnerabilities in their Lantime product. These are third-party vulnerabilities. Meinberg has a new version that mitigates the vulnerabilities.
The following reported vulnerabilities have publicly available exploits:
Allocation of resources without limits or throttling - CVE-2025-59375 (exploit),
Web socket predictability - CVE-2025-10148 (exploit), and
Heap-buffer overflow - CVE-2025-9086 (exploit).
Mitsubishi Advisory
Mitsubishi published an advisory that describes an improper validation of specified quantity in input vulnerability in their MELSEC iQ-F Series CPU module. The vulnerability was reported by Qian Zou, Ke Xu, Xuewei Feng, Qi Li, Xueying Li, and Gang Jin from Zhongguancun Laboratory at Tsinghua University. Mitsubishi provides generic mitigation measures, no fix is planned.
Moxa Advisory
Moxa published an advisory that discusses an uncontrolled resource consumption vulnerability in multiple Moxa products. This is a third-party (Diffie-Hellman Key Agreement Protocol) vulnerability with publicly available exploit. Moxa has new versions that mitigate the vulnerability.
Philips Advisories
Philips published an advisory that discuses an ASP.NET core HTTP request/response smuggling vulnerability. Philips reports that none of their products are affected.
Philips published an advisory that discusses the Glassworm malware campaign. Philips is reviewing this situation and provides a list of currently not affected products.