The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued ten industrial control systems (ICS) advisories, highlighting current vulnerabilities, exploits, and security concerns affecting critical infrastructure. The impacted equipment comes from Siemens, AVEVA, and PTZOptics, and is widely used across critical infrastructure sectors. CISA urges organizations and administrators to review these advisories for technical details and recommended mitigations.
In an advisory, CISA disclosed the presence of an ‘Out-of-bounds Read’ vulnerability in Siemens Tecnomatix Plant Simulation equipment affecting all versions before V2404.0013. “Successful exploitation of this vulnerability could allow an attacker to execute code in the context of the current process.”
The affected applications, used in the critical manufacturing sector worldwide, contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-32454 has been assigned to this vulnerability. It carries a CVSS v3 base score of 7.8 and a CVSS v4 base score of 7.3. Michael Heinzl reported this vulnerability to Siemens, who in turn reported this vulnerability to CISA.
Siemens recommends two key steps to reduce risk in Tecnomatix Plant Simulation V2404. First, users should avoid opening untrusted WRL files in the affected application, as these may contain malicious content. Second, Siemens advises updating the software to version V2404.0013 or later, which addresses the underlying vulnerability.
In another advisory, CISA reported the presence of a ‘cross-site scripting’ vulnerability in Siemens’ RUGGEDCOM APE1808 used across the critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to execute malicious JavaScript in the context of an authenticated Captive Portal user’s browser when they click on a specially crafted link.”
The advisory detailed that a reflected cross-site scripting (XSS) vulnerability in the GlobalProtect gateway and portal features of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user’s browser when they click on a specially crafted link. The primary risk is phishing that can lead to credential theft, particularly if the Clientless VPN feature is enabled.
CVE-2025-0133 has been assigned to this vulnerability, with a CVSS v3 base score of 4.3 and a CVSS v4 base score of 5.1. Siemens reported this vulnerability to CISA. The German conglomerate has called upon users to adopt specific measures to reduce risk in the RUGGEDCOM APE1808. Users are advised to disable the Clientless VPN feature and consult Palo Alto Networks’ Security Advisory for additional mitigation guidance. Siemens also recommends contacting customer support to obtain the necessary patch and perform the update.
CISA identified that Siemens SCALANCE and RUGGEDCOM equipment contained an ‘improper privilege management’ vulnerability, affecting the critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to perform actions that exceed the permissions of the ‘guest’ role.”
Affected devices contain an incorrect authorization check vulnerability. This could allow an authenticated remote attacker with the ‘guest’ role to invoke an internal ‘do system’ command exceeding their privileges. This command allows the execution of certain low-risk actions, the most critical of which is clearing the local system log.
CVE-2024-41797 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 4.3 and a CVSS v4 base score of 5.3. Siemens reported this vulnerability to CISA.
In another advisory affecting Siemens’ SCALANCE and RUGGEDCOM hardware, CISA disclosed the presence of ‘incorrect authorization’ and ‘concurrent execution using shared resource with improper synchronization’ vulnerabilities. “Successful exploitation of these vulnerabilities could allow an attacker to circumvent authorization checks and perform actions that exceed the permissions of the ‘guest’ role.”
The affected products are deployed in the critical manufacturing sector. Siemens reported these vulnerabilities to CISA.
CISA revealed that Siemens’ SIMATIC S7-1500 CPU line contained various vulnerabilities, including missing encryption of sensitive data, out-of-bounds read and write issues, use-after-free flaws, stack-based and heap-based buffer overflows, incorrect implementation of specified functionality, improper buffer size calculation, and external control over file names or paths. Additional issues involved uncontrolled resource consumption, improper input validation, truncation of security-relevant information, missing critical steps in authentication, and improper neutralization of special elements in operating system commands, leading to potential OS command injection.
The advisory also listed access of resources using incompatible types (type confusion), signal handler race conditions, inefficient algorithmic complexity, race conditions due to improper synchronization during concurrent execution, null pointer dereference, reachable assertions, return of pointer values outside expected ranges, inconsistent handling of length parameters, integer overflow or wraparound, improper locking, improper validation of array indices, buffer underwrites (buffer underflow), use of uninitialized resources, failure to act upon detected error conditions, and premature release of resources during their expected lifetime.
The agency assesses that exploitation of these vulnerabilities could allow an attacker to affect the confidentiality, integrity, or availability of affected devices.
The affected CPUs are widely deployed across the global energy sector. Siemens reported these vulnerabilities to CISA; fixes are in development, but Siemens has confirmed that no patches are currently available.
CISA identified in another advisory the presence of ‘incorrect default permissions’ in all versions of Siemens Energy Services’ hardware used in the global energy sector. “Successful exploitation of this vulnerability could allow an attacker to gain remote control of the G5DFR component and tamper outputs from the device.”
It added that affected solutions using G5DFR contain default credentials. This could allow an attacker to gain control of the G5DFR component and tamper with outputs from the device.
CVE-2025-40585 has been assigned to this vulnerability. It carries a CVSS v3 base score of 9.9, indicating critical severity. Under the updated CVSS v4 framework, the base score is 9.5.
Siemens has identified specific workarounds and mitigations that users can apply to reduce risk. Users should use the G5DFR web interface to change the default usernames, passwords, and permission levels. For further assistance, Siemens recommends contacting customer support.
In another advisory, CISA disclosed the presence of ‘uncaught exception’ and ‘heap-based buffer overflow’ vulnerabilities in AVEVA’s PI Data Archive equipment. “Successful exploitation of these vulnerabilities could shut down necessary subsystems and cause a denial-of-service condition.”
The affected products are deployed across the critical manufacturing sector. CISA said they are vulnerable to an uncaught exception that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. Depending on the timing of the crash, data present in snapshots/write cache may be lost.
CVE-2025-44019 has been assigned to this vulnerability. It has a CVSS v3.1 base score of 7.1. The same base score of 7.1 has been calculated under the CVSS v4 framework.
The affected products are also vulnerable to a heap-based buffer overflow that, if exploited, could allow an authenticated user to shut down certain necessary PI Data Archive subsystems, resulting in a denial of service. CVE-2025-36539 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 6.5, while the updated CVSS v4 calculation raises the base score to 7.1.
AVEVA Ethical Disclosure reported these vulnerabilities to CISA. AVEVA recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation. Users with affected product versions should apply security updates to mitigate the risk of an exploit.
In another advisory, CISA revealed the presence of a ‘cross-site scripting’ vulnerability in AVEVA’s PI Web API equipment affecting versions 2023 SP1 and prior used across the global critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to disable content security policy protections.”
It detailed that a cross-site scripting vulnerability exists in PI Web API version 2023 SP1 and prior that, if exploited, could allow an authenticated attacker (with privileges to create/update annotations or upload media files) to persist arbitrary JavaScript code that will be executed by users who were socially engineered to disable content security policy protections while rendering annotation attachments from within a web browser.
CVE-2025-2745 has been assigned to this vulnerability. It has a CVSS v3.1 base score of 6.5, while the CVSS v4 base score is lower, at 4.5. AVEVA Ethical Disclosure reported this vulnerability to CISA.
CISA reported in another advisory that AVEVA’s PI Connector for CygNet, version 1.6.14 and prior, contained ‘cross-site scripting’ and ‘improper validation of integrity check value’ vulnerabilities. “Successful exploitation of these vulnerabilities could allow an attacker to persist arbitrary code in the administrative portal of the product or cause a denial-of-service condition.”
A cross-site scripting vulnerability exists in PI Connector for CygNet versions 1.6.14 and prior that, if exploited, could allow a malicious administrator with local access to the connector admin portal to persist arbitrary JavaScript code that will be executed by other users who visit affected pages. CVE-2025-4417 has been assigned to this vulnerability. It has a CVSS v3.1 base score of 5.5, while the CVSS v4 base score increases to 6.9.
An improper validation of integrity check value vulnerability exists in PI Connector for CygNet versions 1.6.14 and prior that, if exploited, could allow an attacker with elevated privileges to modify PI Connector for CygNet local data files (cache and buffers) in a way that causes the connector service to become unresponsive. CVE-2025-4418 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 4.4, while the updated CVSS v4 calculation raises the base score to 6.7.
CISA also flagged critical vulnerabilities in pan-tilt-zoom cameras from ValueHD, PTZOptics, multiCAM Systems, and SMTAV, including improper authentication, OS command injection, and the use of hard-coded credentials. The cameras are used in the commercial facilities, critical manufacturing, government services and facilities, and healthcare and public health sectors worldwide. “Successful exploitation of these vulnerabilities could allow an attacker to leak sensitive data, execute arbitrary commands, and access the admin web interface using hard-coded credentials.”
An anonymous researcher reported the vulnerabilities to CISA. PTZOptics has issued patches for the affected versions, which are available on its Known Vulnerabilities and Fixes site. However, ValueHD, multiCAM Systems, and SMTAV did not respond to coordination efforts. Users of those products are advised to contact the vendors directly for guidance.