This week we have a relatively light disclosure week with 11 vendor disclosures from Dell (5), Delta Electronics, Honeywell, HP (2), RT Labs, and Wiesemann & Theis. We also have 10 vendor updates from FortiGuard (6), HPE, Moxa, and Omron (2). Finally, we have three researcher reports for vulnerabilities in products from Kunbus and libplctags (2).
Dell Advisories
Dell published an advisory that discusses 41 vulnerabilities in their Dell Networking OS10 product. These are third-party vulnerabilities (with one exception - CVE-2025-30103, a "files or directories accessible to external parties" vulnerability). Dell has a new version that mitigates the vulnerabilities.
Dell published an advisory that describes a use of hard-coded credentials vulnerability in their Dell Networking OS10 product. The vulnerability was reported by Thorsten Tüllmann from the Karlsruhe Institute of Technology. Dell has a new version that mitigates the vulnerability.
Dell published an advisory that discusses three vulnerabilities in their EMC Networking OS10 product. These are third-party (Linux) vulnerabilities. Dell has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
Integer overflow or wraparound - CVE-2019-11477,
Uncontrolled resource consumption - CVE-2019-11478, and
Allocation of resources without limit or throttling - CVE-2019-11479
Dell published an advisory that discusses eleven vulnerabilities (three with publicly available exploits) in their Dell Wyse Management Suite product. Five of these vulnerabilities are third-party (MongoDB) vulnerabilities. Dell has new versions that mitigate the vulnerabilities.
The following reported vulnerabilities have publicly available exploits:
Improper validation of specific quantity in input - CVE-2022-4904 (exploit),
Improper validation of integrity check value - CVE-2023-48795 (exploit), and
NULL pointer dereference - CVE-2022-44792 (exploit)
Dell published an advisory that describes an OS command injection vulnerability in their Dell Networking OS10 product. The vulnerability was reported by Thorsten Tüllmann from the Karlsruhe Institute of Technology. Dell has a new version that mitigates the vulnerability.
Delta Advisory
Delta published an advisory that describes four out-of-bounds write vulnerabilities in their CNCSoft product. The CNCSoft product is end-of-life and these vulnerabilities will not be fixed.
Honeywell Advisory
Honeywell published an advisory that describes an OS command injection vulnerability in the MB-Secure and MB-Secure PRO building security manager. The vulnerability was reported by SEC Consult; the report includes proof-of-concept code. Honeywell has new versions that mitigate the vulnerability.
HP Advisories
HP published an advisory that discusses an integer overflow or wraparound vulnerability (with a publicly available exploit) in their HP Universal Scan product. This is a third-party (libssh2) vulnerability. HP has a new version that mitigates the vulnerability.
HP published an advisory that discusses three vulnerabilities in multiple HP product lines. These are third-party (AMD) vulnerabilities. HP has SoftPaqs that mitigate the vulnerabilities.
The three reported vulnerabilities are:
Improper input validation (2) - CVE-2024-0179 and CVE-2024-21925, and
Execution with unnecessary privileges - CVE-2024-21924
RT Labs Advisory
RT Labs published an advisory that describes 10 vulnerabilities in their P-Net Profinet stack. The vulnerabilities were reported by Nozomi Networks; the report includes proof-of-concept code. RT Labs has a new version that mitigates the vulnerabilities.
Wiesemann Advisory
CERT-VDE published an advisory that describes a cross-site scripting vulnerability in multiple Wiesemann & Theis products. All products are end-of-life, but three of the affected products have newer versions that mitigate the vulnerability.
FortiGuard Updates
FortiGuard published an update for their ipsec ike advisory that was originally published on January 14th, 2025, and most recently updated on April 11th, 2025. The new information includes a FortiOS 7.2 fix indication.
FortiGuard published an update for their cross-site scripting advisory that was originally published on February 11th, 2025. The new information includes clarifying the fix information for the FortiSandbox Cloud product.
FortiGuard published an update for their OS command injection advisory that was originally published on January 14th, 2025. The new information includes clarifying the fix information for the FortiSandbox Cloud product.
FortiGuard published an update for their vm download feature advisory that was originally published on March 11th, 2025. The new information includes clarifying the fix information for the FortiSandbox Cloud product.
FortiGuard published an update for their execute sensitive operations advisory that was originally published on May 14th, 2024. The new information includes clarifying the fix information for the FortiSandbox Cloud product.
FortiGuard published an update for their device del feature advisory that was originally published on March 11th, 2025. The new information includes clarifying the fix information for the FortiSandbox Cloud product.
HPE Update
HPE published an update for their ProLiant DL/XL Servers advisory that was originally published on March 10th, 2025. The new information includes removing CVE-2024-56161 (improper verification of cryptographic signature).
Moxa Update
Moxa published an update for their command injection advisory that was originally published on April 2nd, 2025. The new information includes updating the impact description.
Omron Updates
Omron published an update for their NJ/NX-series Machine advisory that was originally published on January 14th, 2025. The new information includes adding the date of availability of countermeasures and lot number information.
Omron published an update for their CX-Programmer advisory that was originally published on April 22nd, 2025. The new information includes updating the Description.
Kunbus Report
Pen Test Partners published a report that describes four vulnerabilities in the Kunbus Revolution Pi industrial PLCs. The report includes proof-of-concept code. This is a coordinated disclosure and Kunbus has a new version that mitigates the vulnerabilities.
The four reported vulnerabilities are:
Missing authentication for critical function - CVE-2025-24522,
Authentication bypass by primary weakness - CVE-2025-32011, and
Improper neutralization of server-side includes within a web page (2) - CVE-2025-35996 and CVE-2025-36558
libplctags Report
Nozomi Networks published two reports that each describe a vulnerability in the libplctags library. There is a new version of the library that mitigates the vulnerabilities, so apparently these are coordinated disclosures.
The two reported vulnerabilities are:
Out-of-bounds read (2) - CVE-2025-1400 and CVE-2025-1399