The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released on Tuesday five ICS (industrial control systems) advisories, providing timely information about current security issues, vulnerabilities, and exploits surrounding critical hardware. The agency warned of security flaws in Siemens, Schneider Electric, and ABB hardware deployed across critical infrastructure installations.
In an advisory, CISA warned of the presence of an ‘Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)’ vulnerability in Siemens’ TeleControl Server Basic versions before V3.1.2.2, deployed globally across the energy, water and wastewater, and transportation sectors. “Successful exploitation of these vulnerabilities could allow an attacker to read and write to the application’s database, cause a denial-of-service condition, and execute code in an OS shell,” it added.
Trend Micro Zero Day Initiative coordinated CVE-2025-32475, CVE-2025-31353, CVE-2025-31352, CVE-2025-31351, CVE-2025-31350, CVE-2025-31349, CVE-2025-31343, CVE-2025-30032, CVE-2025-30031, CVE-2025-30030, CVE-2025-30003, CVE-2025-30002, CVE-2025-29905, CVE-2025-27540, CVE-2025-27539, and CVE-2025-27495 with Siemens.
Siemens reported these vulnerabilities to CISA.
Siemens identified specific workarounds and mitigations users can apply to reduce risk. For TeleControl Server Basic, organizations must restrict access to port 8000 on the affected systems to trusted IP addresses only and update to V3.1.2.2 or a later version. As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms.
To operate the devices in a protected environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.
In another advisory, CISA revealed that Siemens’ TeleControl Server Basic, in versions before V3.1.2.2, contained an ‘Improper Handling of Length Parameter Inconsistency’ vulnerability. “Successful exploitation of this vulnerability could allow an attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a denial-of-service condition.”
“The affected product does not properly validate a length field in a serialized message, which it uses to determine the amount of memory to be allocated for deserialization,” CISA added. “This could allow an unauthenticated remote attacker to cause the application to allocate exhaustive amounts of memory and subsequently create a partial denial-of-service condition. Successful exploitation is only possible in redundant TeleControl Server Basic setups and only if the connection between the redundant servers has been disrupted.”
The vulnerability has been assigned CVE-2025-29931. Under the CVSS v3.1 scoring system, it has a base score of 3.7, and a CVSS v4.0 base score has also been calculated, resulting in a higher severity rating of 6.3.
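The flaw CISA describes above follows a common pattern: a parser reads a length field from an untrusted message and sizes an allocation from it without first checking the field against a sane upper bound or against the bytes actually received. The example below is added here and is not Siemens code, nor the TeleControl Server Basic wire format. It uses a constructed, hypothetical framing (4-byte big-endian length prefix followed by the payload) and an assumed 64 KiB cap (`MAX_MESSAGE_LEN`) to contrast the weak allocate-from-declared-length pattern with a checked parser that validates the declared length before allocating, plus a stream reader that fetches the body in bounded chunks so memory use never exceeds the cap regardless of what the peer declares.

```python
import io
import struct

# Assumed upper bound for one message; a real protocol sets this per message type.
MAX_MESSAGE_LEN = 64 * 1024

# Constructed framing for this example: 4-byte big-endian length, then payload.
HEADER = struct.Struct(">I")


class MalformedMessage(ValueError):
    """Raised when a frame fails validation; the caller should drop the connection."""


def frame(payload: bytes) -> bytes:
    """Build one frame in the constructed format (used to generate test input)."""
    return HEADER.pack(len(payload)) + payload


def parse_unchecked(buf: bytes) -> bytearray:
    """The weak pattern: the allocation is sized from the attacker-controlled field.

    A 32-bit field lets a peer declare up to 4 GiB for a one-byte message, which is
    the memory-exhaustion behaviour the advisory describes. Shown only for contrast.
    """
    (declared,) = HEADER.unpack_from(buf, 0)
    out = bytearray(declared)          # size comes straight from the wire
    out[: len(buf) - HEADER.size] = buf[HEADER.size:]
    return out


def parse_checked(buf: bytes) -> bytes:
    """Hardened parser for a complete, already-buffered datagram.

    Order matters: the cap is checked before any allocation, and the declared
    length must match the bytes actually present, so a short or padded frame is
    rejected instead of being partially interpreted.
    """
    if len(buf) < HEADER.size:
        raise MalformedMessage("truncated header")
    (declared,) = HEADER.unpack_from(buf, 0)
    if declared > MAX_MESSAGE_LEN:
        raise MalformedMessage("length exceeds cap")
    if declared != len(buf) - HEADER.size:
        raise MalformedMessage("length mismatch")
    return bytes(buf[HEADER.size:HEADER.size + declared])


def read_all_frames(data: bytes):
    """Hardened stream reader: read frames from a byte stream in bounded chunks.

    Memory grows only as bytes actually arrive, and never past MAX_MESSAGE_LEN,
    because the cap is enforced on the header before the body is requested.
    """
    stream = io.BytesIO(data)          # stands in for a socket file object
    frames = []
    while True:
        header = stream.read(HEADER.size)
        if not header:                 # clean end of stream between frames
            break
        if len(header) < HEADER.size:
            raise MalformedMessage("truncated header")
        (declared,) = HEADER.unpack(header)
        if declared > MAX_MESSAGE_LEN:
            raise MalformedMessage("length exceeds cap")
        body = bytearray()
        while len(body) < declared:
            chunk = stream.read(min(4096, declared - len(body)))
            if not chunk:
                raise MalformedMessage("stream ended early")
            body.extend(chunk)
        frames.append(bytes(body))
    return frames


def classify(buf: bytes) -> str:
    """Return 'ok' or the rejection reason for a buffered datagram."""
    try:
        parse_checked(buf)
        return "ok"
    except MalformedMessage as exc:
        return str(exc)


def stream_status(data: bytes) -> str:
    """Return 'ok N frames' or the rejection reason for a byte stream."""
    try:
        return f"ok {len(read_all_frames(data))} frames"
    except MalformedMessage as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample input: a 1 MiB declared length carrying a single byte.
    oversized = b"\x00\x10\x00\x00" + b"x"
    print("unchecked allocates", len(parse_unchecked(oversized)), "bytes for 1 payload byte")
    print("checked says:", classify(oversized))
    print("stream says:", stream_status(frame(b"a") + frame(b"bb")))
```

The distinction the example draws is between reading the length field and trusting it: both parsers read the same header, but the checked versions refuse to allocate until the declared size is within the cap, and the stream reader additionally only holds bytes that have actually arrived. The weak function is called with a 1 MiB header here purely to make the disproportion visible without exhausting memory on the reader's machine.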
Jin Huang from ADLab of Venustech coordinated this vulnerability with Siemens. The German company released a new version for TeleControl Server Basic and recommends updating to V3.1.2.2 or a later version. It also identified that users can disable TeleControl Server Basic redundancy if not used to reduce risk.
CISA also disclosed the presence of an ‘Exposure of Sensitive Information to an Unauthorized Actor’ vulnerability in Schneider Electric’s Wiser Home Controller WHC-5918A. “Successful exploitation of this vulnerability could allow an attacker to disclose sensitive credentials,” it added.
The advisory added that an information exposure vulnerability exists that could cause the disclosure of credentials when a specially crafted message is sent to the device. The vulnerability has been assigned CVE-2024-6407. It has a CVSS v3.1 base score of 9.8, indicating critical severity. A CVSS v4.0 base score has also been calculated, with a slightly lower score of 9.3.
In another advisory, CISA disclosed that ABB MV Drives equipment, used in the critical manufacturing sector, contained ‘Improper Restriction of Operations within the Bounds of a Memory Buffer’ and ‘Improper Input Validation, Out-of-bounds Write’ vulnerabilities. The agency notice added that “Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the drive or cause a denial-of-service condition.”
ABB reported these vulnerabilities to CISA. The company recommends that users update to the latest firmware—LAAAB version 5.07 or higher—for the affected products as soon as possible. This update addresses CODESYS Runtime System vulnerabilities by disabling IEC online programming communication by default. As a result, CODESYS communication with ABB Automation Builder and ABB Drive Application Builder tools is now disabled.
Additionally, the CODESYS application will continue to run on the drive. If communication with the CODESYS Runtime System is required—for example, for debugging purposes—it can be temporarily enabled through drive parameter settings. To do so, unlock the user settings via parameter 96.02 Pass code, and set bit 9 (Enable online IEC programming) in parameter 96.102 User lock functionality to TRUE.
A future firmware update is planned to include an updated CODESYS RTS library, further enhancing protection against the identified vulnerabilities.
CISA also updated an earlier advisory addressing Schneider Electric’s Modicon M580 PLCs, BMENOR2200H, and EVLink Pro AC hardware containing an ‘Incorrect Calculation of Buffer Size’ vulnerability. “Successful exploitation of this vulnerability could cause a denial-of-service of the product when an unauthenticated user sends a crafted HTTPS packet to the webserver.”
CISA added that the affected product, deployed across the commercial facilities, critical manufacturing, and energy critical infrastructure sectors, is vulnerable to an incorrect calculation of buffer size that could cause a denial-of-service of the product when an unauthenticated user sends a crafted HTTPS packet to the web server.
Schneider Electric reported this vulnerability to CISA. It also suggests that users should use appropriate patching methodologies when applying these patches to their systems and recommends making use of back-ups and evaluating the impact of these patches in a test and development environment or on an offline infrastructure.
Last week, CISA ensured that the Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) programs did not lapse. The move will ensure that MITRE will continue operating the CVE program for at least another 11 months after federal cybersecurity officials confirmed that they temporarily extended their contract with the organization to keep the platform running.