Public ICS Disclosures – Week of 9-20-25
This week we have nine vendor disclosures from Delta Electronics, Honeywell, HP (3), HPE, Philips, Rockwell, and WAGO. There are also three vendor updates from HPE, WAGO, and Welotec.
Delta Advisory
Delta published an advisory that describes two stack-based buffer overflow vulnerabilities in their CNCSoft-G2 product. Delta has a new version that mitigates the vulnerabilities.
Honeywell Advisory
Honeywell published an end-of-life notice for the legacy integrations in their Pro-Watch product. Honeywell provides recommendations for replacement hardware.
HP Advisories
HP published an advisory that discusses seven vulnerabilities in multiple HP product lines. These are third-party (NVIDIA) vulnerabilities. HP has SoftPaqs that mitigate the vulnerabilities.
The seven reported vulnerabilities are:
Files or directories accessible to external parties - CVE‑2025‑23276,
Improper access control - CVE‑2025‑23277,
Improper validation of array index - CVE‑2025‑23278,
Use after free - CVE‑2025‑23281,
Out-of-bounds read - CVE‑2025‑23286, and
Exposure of sensitive system information to an unauthorized control sphere (2) - CVE‑2025‑23287 and CVE‑2025‑23288
HP published an advisory that discusses six vulnerabilities in multiple PC product lines. These are third-party (Realtek) vulnerabilities with publicly available exploits. HP has SoftPaqs that mitigate the vulnerabilities.
The six reported vulnerabilities are:
Improper input validation - CVE-2024-40431,
Insufficient information (2) - CVE-2022-25478 and CVE-2024-40432,
Out-of-bounds write - CVE-2022-25480,
Insertion of sensitive information into log file - CVE-2022-25477, and
Missing release of memory after effective lifetime - CVE-2022-25479
NOTE: NVD.NIST.gov points to the same Realtek advisory for four of the six vulnerabilities even though that advisory only lists two of them. Better information on the vulnerabilities is available through the 'exploits' link.
HP published an advisory that discusses four vulnerabilities in multiple product lines. These are third-party (Intel) vulnerabilities. HP has SoftPaqs that mitigate the vulnerabilities.
The four reported vulnerabilities are:
NULL pointer dereference - CVE-2025-24515,
Incorrect default permissions - CVE-2025-20023,
Uncontrolled search path element - CVE-2025-27717, and
Protection mechanism failure - CVE-2025-24835
HPE Advisory
HPE published an advisory that discusses an out-of-bounds read vulnerability in their HPE Superdome Flex and Compute Scale-up Server 3200. This is a third-party (TianoCore) vulnerability. HPE has new versions that mitigate the vulnerability.
Philips Advisory
Philips published an advisory that discusses the Shai-Hulud worm. Philips reports that none of their products are affected.
Rockwell Advisory
Rockwell published an advisory that discusses a stack-based buffer overflow vulnerability in their Stratix products. This is a third-party (Cisco) vulnerability. Rockwell provides generic mitigation measures pending development of a fix.
WAGO Advisory
CERT-VDE published an advisory that describes two missing authentication for critical function vulnerabilities in the WAGO Software Device Sphere and Software Solution Builder. WAGO has new versions that mitigate the vulnerabilities.
HPE Update
HPE published an update for their Blast-RADIUS advisory that was originally published on July 9th, 2024, and most recently updated on January 22nd, 2025. The new information includes:
Adding AOS and ECOS to Affected Products and Resolution Sections, and
Removing “Final Resolution Pending” section.
WAGO Update
CERT-VDE published an update for the WAGO 750-8xx Controller advisory that was originally published on August 17th, 2018, and most recently updated on May 22nd, 2025. The new information includes a corrected CVE number.
Welotec Update
CERT-VDE published an update for the Welotec SmartEMS Upload advisory that was originally published on September 10th, 2025. The new information includes moving the impact note from the 'details' category to the 'description' category.