Public ICS Disclosures – Week of 12-13-25
This week we have 11 vendor disclosures from Broadcom, HP, HPE (3), Inaba Denki Sangyo, Moxa, Phoenix Contact, and Western Digital (3). There are three vendor updates from Cisco, HPE, and Mitsubishi. There are also four researcher reports about vulnerabilities in products from Grassroot (3) and Sante. Finally, we have an exploit for products from Ilevia.
Broadcom Advisory
Broadcom published an advisory that discusses the Meta RSC vulnerability that is listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog. Broadcom reports that none of their products are affected by this vulnerability.
HP Advisory
HP published an advisory that describes an insertion of sensitive information into a log file vulnerability in their Poly Video product line. HP has a new version of the PolyOS that mitigates the vulnerability.
HPE Advisories
HPE published an advisory that discusses two vulnerabilities in their Unified OSS Console Assurance Monitoring product. These are third-party (Apache) vulnerabilities. HPE has a new version that mitigates the vulnerabilities.
The two reported vulnerabilities are:
Improper resource shutdown or release - CVE-2025-61795, and
Relative path traversal - CVE-2025-55752 (exploit)
HPE published an advisory that discusses three vulnerabilities in their Telco Service Activator products. These are third-party vulnerabilities. HPE has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Improper authentication - CVE-2025-49146,
Allocation of resources without limit or throttling - CVE-2025-55163 (contains proof-of-concept code), and
Improper neutralization of input terminators - CVE-2025-7962.
NOTE: See ‘MadeYouReset’ article for the family of vulnerabilities that includes the allocation of resources vulnerability described above.
HPE published an advisory that describes a code injection vulnerability in their OneView software. The vulnerability was reported by Nguyen Quoc Khanh. HPE has a new version that mitigates the vulnerability.
Inaba Advisory
JP-CERT published an advisory that describes three vulnerabilities in the Inaba CHOCO TEI WATCHER mini. JTEKT Electronics reported the vulnerabilities. Inaba provides generic mitigation measures.
The three reported vulnerabilities are:
Improper restriction of rendered UI layers or frames - CVE-2025-59479, and
Improper check for unusual or exceptional conditions (2) - CVE-2025-61976 and CVE-2025-66357.
Moxa Advisory
Moxa published an advisory that describes a weak SSH algorithms supported vulnerability in their EDS-510E Series products. Moxa has a new version that mitigates the vulnerability.
Phoenix Contact Advisory
Phoenix Contact published an advisory that describes 15 vulnerabilities in their FL SWITCH 2xxx family. The vulnerabilities were reported by D. Blagojevic, S. Dietz, F. Koroknai, and T. Weber from CyberDanube. Phoenix Contact has new firmware versions that mitigate the vulnerabilities.
Western Digital Advisories
Western Digital published an advisory that discusses a detection of error condition without action vulnerability in their My Cloud OS 5 product. This is a third-party (OpenSSH) vulnerability that was reported to Western Digital by zhaoqiang. Western Digital has a new version that mitigates the vulnerability.
Western Digital published an advisory that describes a DLL hijacking vulnerability in their WD Discovery product. The vulnerability was reported by Kasuma Matsumoto at GMO Cybersecurity, and David Silva. Western Digital has a new version that mitigates the vulnerability.
Western Digital published an advisory that discusses a detection of error condition without action vulnerability in their My Cloud Home and My Cloud Home Duo products. This is a third-party (OpenSSH) vulnerability. Western Digital has new versions that mitigate the vulnerability.
Cisco Update
Cisco published an update for their REACT server advisory that was originally published on December 4th, 2025, and most recently updated on December 11th, 2025. The new information includes updates to the list of products confirmed not vulnerable and to the summary section.
HPE Update
HPE published an update for their Compute Scale-up Server 3200 Platform advisory that was originally published on October 13, 2025. The new information includes updating the bulletin with Superdome Flex information.
Mitsubishi Update
Mitsubishi published an update for their MELSOFT Update Manager advisory that was originally published on July 3rd, 2025. The new information includes revising the CVSS data.
Grassroot Reports
Cisco Talos published three reports describing four vulnerabilities in the Grassroots DICOM product. The reports include proof-of-concept code. The vendor was notified but there is no indication that any action has been taken to remediate these vulnerabilities.
The four reported vulnerabilities are:
Improper restriction of operations within the bounds of a memory buffer (4) - CVE-2025-52582, CVE-2025-53618 and CVE-2025-53618, and CVE-2025-48429.
Sante Report
The Zero Day Initiative published a report describing a NULL pointer dereference vulnerability in the Sante PACS server. This was a coordinated disclosure, but there is no indication that any action has been taken to remediate the vulnerability.
Ilevia Exploit
Indoushka published an exploit for an OS command injection vulnerability in the Ilevia EVE X1 Server. The vulnerability was originally reported by Zero Science, but there is no indication that any action has been taken to remediate the vulnerability. This may be a 0-day exploit.