Public ICS Disclosures – Week of 12-6-25 – Part 1
This week we have bulk disclosures from FortiGuard (8). There are also 12 additional vendor disclosures from Cisco, Dell, Dassault Systems, Elecom, Endress+Hauser, Hitachi Energy (2), HP, HPE, Moxa, and NI (2).
Bulk Disclosures – FortiGuard
Cisco Advisory
Cisco published an advisory that discusses the React Server Components deserialization of untrusted data vulnerability that is listed in CISA’s Known Exploited Vulnerabilities catalog. Cisco provides lists of products that are not affected.
Dell Advisory
Dell published an advisory that discusses 30 vulnerabilities. All but three of these are third-party vulnerabilities. One of the Dell vulnerabilities was reported by Brandon Schreiber. Dell has new versions that mitigate the vulnerabilities.
Dassault Advisory
Dassault published an advisory that describes a cross-site scripting vulnerability in their ENOVIA Collaborative Industry Innovator. Mitigation measures are only available to registered owners.
Elecom Advisory
JP CERT published an advisory that describes an unquoted search path vulnerability in the Elecom Clone for Windows. The vulnerability was reported by Kazuma Matsumoto of GMO Cybersecurity. Elecom has a new version that mitigates the vulnerability.
Endress+Hauser Advisory
CERT-VDE published an advisory that discusses an out-of-bounds write vulnerability in multiple Endress+Hauser products. This is a third-party (Wibu) vulnerability. Endress+Hauser has new versions that mitigate the vulnerability.
Hitachi Energy Advisories
Hitachi Energy published an advisory that discusses a deserialization of untrusted data vulnerability in their Asset Suite product. This is a third-party (JasperReports) vulnerability. Hitachi Energy has a new version that mitigates the vulnerability.
Hitachi Energy published an advisory that discusses the React Server Components deserialization of untrusted data vulnerability that is listed in CISA’s KEV catalog. Hitachi Energy reports that they are currently assessing the potential impact of CVE-2025-55182 on their products.
HP Advisory
HP published an advisory that describes a path traversal vulnerability in their Event Utility and Omen Gaming Hub products. HP has new versions that mitigate the vulnerability.
HPE Advisory
HPE published an advisory that discusses ten vulnerabilities in their ProLiant DL/ML/XD, Alletra, and Synergy servers. These are third-party (Intel) vulnerabilities. HPE recommends updating the Intel QuickAssist Technology driver.
Moxa Advisory
Moxa published an advisory that describes two vulnerabilities in their MXsecurity Series products. One of the vulnerabilities is a third-party (Intel) vulnerability. The Moxa vulnerability was reported by Leo Lin. Moxa has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Improperly controlled modification of dynamically-determined object attributes - CVE-2023-9315, and
Improper checks for unusual or exceptional conditions - CVE-2023-39983
NOTE: While both vulnerabilities are listed in the advisory, only the first one is described in any detail.
National Instruments Advisories
NI published an advisory that describes nine vulnerabilities in their LabVIEW product. These vulnerabilities were reported by Michael Heinzl. NI has new versions that mitigate the vulnerabilities. One of the affected products is end-of-life and no fix is planned.
The nine reported vulnerabilities are:
Out-of-bounds write - CVE-2025-64461,
Out-of-bounds read (6) - CVE-2025-64462, CVE-2025-64463, CVE-2025-64464, CVE-2025-64465, CVE-2025-64466, and CVE-2025-64467,
Use after free - CVE-2025-64468, and
Stack-based buffer overflow - CVE-2025-64469.
NI published an advisory that describes a relative path traversal vulnerability in their System Web Server. NI has a new version for one of the affected products.
NOTE: The advisory only describes the affected products as “The NI System Web Server is a component installed with several NI products, including LabVIEW.” It does note, however, that the vulnerability was fixed in 2013.