Cyber threat intelligence firm PRODAFT has identified two critical OS command injection vulnerabilities in mySCADA myPRO Manager, a widely used SCADA (supervisory control and data acquisition) management system. These flaws, discovered by PRODAFT’s research team, enable remote attackers to execute arbitrary commands, posing a significant risk to industrial control networks and potentially disrupting industrial operations.
“These vulnerabilities, if exploited, could grant unauthorized access to industrial control networks, potentially leading to severe operational disruptions and financial losses,” PRODAFT researchers detailed in a Tuesday post.
The vulnerabilities have been rated 9.3 on the CVSS v4 scoring system. They are CVE-2025-20014, an operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing a version parameter; and CVE-2025-20061, an operating system command injection vulnerability that could permit an attacker to execute arbitrary commands on the affected system via specially crafted POST requests containing an email parameter.
These vulnerabilities exist due to improper input sanitization in the myPRO Manager. An attacker can inject system commands and execute arbitrary code by sending a specially crafted POST request containing email or version parameters to a specific port. The impacted mySCADA products are the myPRO Manager – versions before 1.3; and myPRO Runtime – versions before 9.2.1.
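As an added illustration of the defect class described above (not PRODAFT's or mySCADA's code; the parameter formats, the update script path and the request shape are hypothetical), a handler that pastes the version or email parameter into a shell command string, beside a hardened version that validates both parameters against a strict allowlist and invokes the tool through an argument vector with no shell:

```python
import re
import subprocess
from typing import Optional

# Hypothetical allowlists for the two parameters the advisory names; the
# real formats mySCADA accepts are not on the page, so these are constructed.
VERSION_RE = re.compile(r"^\d{1,4}(\.\d{1,4}){0,3}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
SHELL_META = set(";|&`$<>(){}\n\r\\\"'")
UPDATE_TOOL = "/opt/myscada/update.sh"  # hypothetical path, not from the page


def vulnerable_command(version: str) -> str:
    """The defect class: a request parameter concatenated into a shell
    command line. Returned as a string for illustration; never executed here."""
    return f"{UPDATE_TOOL} --version {version}"


def validate_version(value: str) -> Optional[str]:
    """Strict allowlist: dotted numeric version only, or None if rejected."""
    return value if VERSION_RE.fullmatch(value) else None


def validate_email(value: str) -> Optional[str]:
    """Strict allowlist for the email parameter, or None if rejected."""
    if len(value) > 254 or SHELL_META & set(value):
        return None
    return value if EMAIL_RE.fullmatch(value) else None


def handle_post(params: dict) -> dict:
    """Hardened handler: validate first, then build an argv list (no shell).
    Returns the decision so callers can log or act on it."""
    version = validate_version(params.get("version", ""))
    email = validate_email(params.get("email", ""))
    if version is None or email is None:
        return {"ok": False, "reason": "rejected by allowlist", "argv": None}
    # Each value is exactly one argv entry and is never parsed by a shell.
    argv = [UPDATE_TOOL, "--version", version, "--notify", email]
    return {"ok": True, "reason": "", "argv": argv}


def run_without_shell(argv: list) -> str:
    """Show that argv execution treats shell metacharacters as literal text.
    printf stands in for the real tool so this runs anywhere offline."""
    out = subprocess.run(["printf", "%s\n", *argv[1:]],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    print(handle_post({"version": "1.3", "email": "ops@example.com"}))
    print(handle_post({"version": "1.3; echo injected", "email": "ops@example.com"}))
    print(run_without_shell(["tool", "--version", "1.3; echo injected"]))
```

The first check is the allowlist; the argument vector is defence in depth, so a value that somehow passed validation still cannot start a second command.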
“Given the increasing cyber threats to SCADA systems, the article emphasizes the urgent need for security measures such as patching, network segmentation, strong authentication, and continuous monitoring,” the post added. “By addressing these risks proactively, organizations can protect critical infrastructure from cyberattacks and ensure operational resilience.”
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had in October 2023 disclosed an OS command injection vulnerability in mySCADA Technologies’ mySCADA myPRO hardware. “Successful exploitation of these vulnerabilities could allow an authenticated user to inject arbitrary operating system commands,” the advisory said.
At the time, the agency identified that the equipment was deployed across the energy, food and agriculture, transportation systems, and water and wastewater systems sectors, and called upon organizations to upgrade the mySCADA hardware to version 8.29.0 or higher.
In its conclusion, PRODAFT identified that these vulnerabilities highlight the persistent security risks in SCADA systems and the need for stronger defenses. Exploitation could lead to operational disruptions, financial losses, and safety hazards.
The post included several risk mitigation measures, including applying patches and installing vendor-issued updates immediately; network segmentation by isolating SCADA systems from IT networks to reduce attack surfaces; and enforcing access controls through strong authentication, including multi-factor authentication (MFA).
It also advised monitoring through IDS (intrusion detection system) and SIEM (security information and event management) solutions to detect and respond to threats in real time; and appropriate incident response, developing and testing response plans for rapid containment and recovery. As SCADA threats evolve, proactive security research and robust defense strategies remain crucial.
Earlier this month, Palo Alto Networks uncovered multiple vulnerabilities within a SCADA system, specifically identifying five vulnerabilities in versions 10.97.2 and earlier for Microsoft Windows. Early last year, they conducted a comprehensive security assessment of the ICONICS Suite, a SCADA system. In collaboration with the ICONICS security team, they facilitated the release of several security patches in 2024 to address some of these vulnerabilities.