As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIMATIC S7-1200 CPUs
• Vulnerability: Cross-Site Request Forgery

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to change the CPU mode by tricking a legitimate and authenticated user with sufficient permissions on the target CPU to click on a malicious link.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• SIMATIC S7-1200 CPU 1211C AC/DC/Rly (6ES7211-1BE40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1214C DC/DC/DC (6ES7214-1AG40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1214C DC/DC/Rly (6ES7214-1HG40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1214FC DC/DC/DC (6ES7214-1AF40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1214FC DC/DC/Rly (6ES7214-1HF40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1215C AC/DC/Rly (6ES7215-1BG40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1215C DC/DC/DC (6ES7215-1AG40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1215C DC/DC/Rly (6ES7215-1HG40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1215FC DC/DC/DC (6ES7215-1AF40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1215FC DC/DC/Rly (6ES7215-1HF40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1217C DC/DC/DC (6ES7217-1AG40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1211C DC/DC/DC (6ES7211-1AE40-0XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-2XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1212 AC/DC/RLY (6AG1212-1BE40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-2XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1212 DC/DC/RLY (6AG1212-1HE40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-2XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1212C DC/DC/DC (6AG1212-1AE40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1212C DC/DC/DC RAIL (6AG2212-1AE40-1XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-2XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 AC/DC/RLY (6AG1214-1BG40-5XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1211C DC/DC/Rly (6ES7211-1HE40-0XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-2XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 DC/DC/DC (6AG1214-1AG40-5XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-2XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214 DC/DC/RLY (6AG1214-1HG40-5XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214C DC/DC/DC RAIL (6AG2214-1AG40-1XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214FC DC/DC/DC (6AG1214-1AF40-5XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1214FC DC/DC/RLY (6AG1214-1HF40-5XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-2XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1212C AC/DC/Rly (6ES7212-1BE40-0XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215 AC/DC/RLY (6AG1215-1BG40-5XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-2XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215 DC/DC/DC (6AG1215-1AG40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-2XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-4XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215 DC/DC/RLY (6AG1215-1HG40-5XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215C DC/DC/DC (6AG1215-1AG40-5XB0): Versions prior to V4.7
• SIPLUS S7-1200 CPU 1215FC DC/DC/DC (6AG1215-1AF40-5XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1212C DC/DC/DC (6ES7212-1AE40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1212C DC/DC/Rly (6ES7212-1HE40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1212FC DC/DC/DC (6ES7212-1AF40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1212FC DC/DC/Rly (6ES7212-1HF40-0XB0): Versions prior to V4.7
• SIMATIC S7-1200 CPU 1214C AC/DC/Rly (6ES7214-1BG40-0XB0): Versions prior to V4.7

3.2 VULNERABILITY OVERVIEW 3.2.1 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

The web interface of the affected devices is vulnerable to cross-site request forgery (CSRF) attacks. This could allow an unauthenticated attacker to change the CPU mode by tricking a legitimate and authenticated user with sufficient permissions on the target CPU to click on a malicious link.

CVE-2024-47100 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-47100. A base score of 7.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

David Henrique Estevam de Andrade reported this vulnerability to Siemens.

4. MITIGATIONS

Siemens has released new versions for the affected products and recommends updating to the latest versions:

• SIMATIC S7-1200 CPU: Update to V4.7 or later version.
• SIPLUS S7-1200 CPU: Update to V4.7 or later version.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Do not click on links from untrusted sources.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-717113 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 21, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 5.9
• ATTENTION: Exploitable from an adjacent network/low attack complexity
• Vendor: ZF
• Equipment: RSSPlus
• Vulnerability: Authentication Bypass By Primary Weakness

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated attacker to remotely (proximal/adjacent with RF equipment) call diagnostic functions which could impact both the availability and integrity.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of RSSPlus are affected:

• RSSPlus 2M: build dates 01/08 through at least 01/23

3.2 VULNERABILITY OVERVIEW 3.2.1 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS CWE-305

The affected product is vulnerable to an authentication bypass vulnerability targeting deterministic RSSPlus SecurityAccess service seeds, which may allow an attacker to remotely (proximal/adjacent with RF equipment or via pivot from J2497 telematics devices) call diagnostic functions intended for workshop or repair scenarios. This can impact system availability, potentially degrading performance or erasing software, however the vehicle remains in a safe vehicle state.

CVE-2024-12054 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12054. A base score of 5.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:A/AC:H/AT:P/PR:N/UI:P/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

National Motor Freight Traffic Association, Inc. (NMFTA) researchers Ben Gardiner and Anne Zachos reported this vulnerability to CISA.

4. MITIGATIONS

To most effectively mitigate general vulnerabilities of the powerline communication, any trucks, trailers, and tractors utilizing J2497 technology should disable all features where possible, except for backwards-compatibility with LAMP ON detection only. Users acquiring new trailer equipment should migrate all diagnostics to newer trailer bus technology. Users acquiring new tractor equipment should remove support for reception of any J2497 message other than LAMP messages.

ZF recommends:

• Moving away from security access and implementing the latest security feature authenticate (0x29)
• Ensure random numbers are generated from a cryptographically secure hardware true random number generator
• Adopting modern standards/protocols for truck trailer communication

NMFTA has published detailed information about how to mitigate these issues in the following ways:

• Install a LAMP ON firewall for each ECU
• Use a LAMP detect circuit LAMP ON sender with each trailer
• Change addresses dynamically on each tractor in response to detecting a transmitter on its current address.
• Install RF chokes on each trailer between chassis ground and wiring ground
• Load with LAMP keyhole signal on each tractor
• Flood with jamming signal on each tractor

Please visit NMFTA for additional details on these and other solutions.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 21, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable from adjacent network
• Standard: Traffic Alert and Collision Avoidance System (TCAS) II
• Equipment: Collision Avoidance Systems
• Vulnerabilities: Reliance on Untrusted Inputs in a Security Decision, External Control of System or Configuration Setting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to manipulate safety systems and cause a denial-of-service condition.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following revisions of TCAS II are affected:

• TCAS II: Versions 7.1 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1 Reliance on Untrusted Inputs in a Security Decision CWE-807

By utilizing software-defined radios and a custom low-latency processing pipeline, RF signals with spoofed location data can be transmitted to aircraft targets. This can lead to the appearance of fake aircraft on displays and potentially trigger undesired Resolution Advisories (RAs).

CVE-2024-9310 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.1 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2024-9310. A base score of 6.0 has been calculated; the CVSS vector string is (AV:A/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.2 External Control of System or Configuration Setting CWE-15

For TCAS II systems using transponders compliant with MOPS earlier than RTCA DO-181F, an attacker can impersonate a ground station and issue a Comm-A Identity Request. This action can set the Sensitivity Level Control (SLC) to the lowest setting and disable the Resolution Advisory (RA), leading to a denial-of-service condition.

CVE-2024-11166 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11166. A base score of 7.1 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Transportation Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Giacomo Longo and Enrico Russo of Genova University reported these vulnerabilities to CISA.
Martin Strohmeier and Vincent Lenders of armasuisse reported these vulnerabilities to CISA.
Alessio Merlo of Centre for High Defense Studies reported these vulnerabilities to CISA.

4. MITIGATIONS

After consulting with the Federal Aviation Administration (FAA) and the researchers regarding these vulnerabilities, it has been concluded that CVE-2024-11166 can be fully mitigated by upgrading to ACAS X or by upgrading the associated transponder to comply with RTCA DO-181F.

Currently, there is no mitigation available for CVE-2024-9310.

These vulnerabilities in the TCAS II standard are exploitable in a lab environment. However, they require very specific conditions to be met and are unlikely to be exploited outside of a lab setting.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

• January 21, 2024: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Data Center Expert
• Vulnerabilities: Improper Verification of Cryptographic Signature, Missing Authentication for Critical Function

2. RISK EVALUATION

Exploitation of these vulnerabilities could allow an attacker to expose private data or achieve remote code execution.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric Data Center Expert: 8.1.1.3 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER VERIFICATION OF CRYPTOGRAPHIC SIGNATURE CWE-347

An improper verification of cryptographic signature vulnerability exists that could compromise the Data Center Expert software when an upgrade bundle is manipulated to include arbitrary bash scripts that are executed as root.

CVE-2024-8531 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

3.2.2 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

A missing authentication for critical function vulnerability exists that could cause exposure of private data when an already generated "logcaptures" archive is accessed directly by HTTPS.

CVE-2024-8530 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported these vulnerabilities to CISA.

Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Version 8.2 of EcoStruxure™ IT Data Center Expert includes fixes for these vulnerabilities and is available upon request from Schneider Electric's Customer Care Center.

Additionally, Schneider Electric recommends that users:

• Ensure the principals of least privilege are being followed so that only those with need have account access and that the level of their respective account authorization aligns with their role, including Privileged Accounts as described in the Data Center Expert Security Handbook.
• Verify SHA1 checksums of upgrade bundles prior to executing upgrades as described in the Upgrades section of the Data Center Expert Security Handbook.
• Delete any existing "logcapture" archives present on the system and do not create any new "logcapture" archives. Existing archives can be deleted from the https://server_ip/capturelogs web page after authenticating.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 4.9
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: FOX61x Products
• Vulnerability: Relative Path Traversal

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to traverse the file system to access files or directories that would otherwise be inaccessible.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

• Hitachi Energy FOX61x: R15A and prior
• Hitachi Energy FOX61x: R15B
• Hitachi Energy FOX61x: R16A
• Hitachi Energy FOX61x: R16B Revision E

3.2 VULNERABILITY OVERVIEW 3.2.1 RELATIVE PATH TRAVERSAL CWE-23

Hitachi Energy is aware of a vulnerability that affects the FOX61x. If exploited an attacker could traverse the file system to access files or directories that would otherwise be inaccessible.

CVE-2024-2461 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

• FOX61x R16B Revision E (cesm3_r16b04_02, cesne_r16b04_02 and f10ne_r16b04_02) and older: Update to FOX61x R16B Revision G, Version (cesm3_r16b04_07, cesne_r16b04_07, f10ne_r16b04_07) and apply general mitigation factors. (Hitachi Energy recommends that users apply the update at the earliest convenience).
• FOX61x R15B: Recommended to update to FOX61X R16B Revision G, (cesm3_r16b04_07, cesne_r16b04_07, f10ne_r16b04_07) and apply general mitigation factors.
• FOX61x R15A and older including all subversions, FOX61x R16A: EOL versions - no remediation will be available. Recommended to update to FOX61X R16B Revision G, (cesm3_r16b04_07, cesne_r16b04_07, f10ne_r16b04_07) and apply general mitigation factors.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Low attack complexity
• Vendor: Fuji Electric
• Equipment: Alpha5 SMART
• Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Fuji Electric Alpha5 SMART, a servo drive system, are affected:

• Alpha5 SMART: Versions 4.5 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

The affected product is vulnerable to a stack-based buffer overflow, which may allow an attacker to execute arbitrary code.

CVE-2024-34579 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-34579. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

An anonymous researcher working with Trend Micro's Zero Day Initiative reported this vulnerability to CISA.

4. MITIGATIONS

Fuji Electric has indicated that the vulnerabilities will not be fixed in Alpha5 SMART. Fuji Electric recommends users upgrade their systems to Alpha7.

For assistance, reach out directly to Fuji Electric's support team.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 7.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Siemens
• Equipment: SIPROTEC 5
• Vulnerability: Files or Directories Accessible to External Parties

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an authenticated remote attacker to read arbitrary files or the entire filesystem of the device.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens SIPROTEC 5 6MD84 (CP300): Versions prior to 9.80
• Siemens SIPROTEC 5 7SA87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SD82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SD82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SD86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SD87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SJ81 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SJ81 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SJ82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SJ82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SJ85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 6MD85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SJ86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SK82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SK82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SK85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SL82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SL82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SL86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SL87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SS85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7ST85 (CP300): All versions
• Siemens SIPROTEC 5 6MD86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7ST86 (CP300): Versions prior to 9.80
• Siemens SIPROTEC 5 7SX82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SX85 (CP300): Versions prior to 9.80
• Siemens SIPROTEC 5 7SY82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7UM85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7UT82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7UT82 (CP150): Versions prior to V9.80
• Siemens SIPROTEC 5 7UT85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7UT86 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7UT87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 6MD89 (CP300): Versions 7.80 and after
• Siemens SIPROTEC 5 7VE85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7VK87 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7VU85 (CP300): Versions prior to 9.80
• Siemens SIPROTEC 5 Compact 7SX800 (CP050): Versions prior to V9.80
• Siemens SIPROTEC 5 6MU85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7KE85 (CP300): Versions 7.80 up to but not including 9.80
• Siemens SIPROTEC 5 7SA82 (CP100): Versions 7.80 and after
• Siemens SIPROTEC 5 7SA82 (CP150): Versions prior to 9.80
• Siemens SIPROTEC 5 7SA86 (CP300): Versions 7.80 up to but not including 9.80

3.2 VULNERABILITY OVERVIEW 3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

Affected devices do not properly limit the path accessible via their webserver. This could allow an authenticated remote attacker to read arbitrary files from the filesystem of affected devices.

CVE-2024-53649 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2024-53649. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 7SA82 (CP100), SIPROTEC 5 7SD82 (CP100), SIPROTEC 5 7SJ81 (CP100), SIPROTEC 5 7SJ82 (CP100), SIPROTEC 5 7SK82 (CP100), SIPROTEC 5 7SL82 (CP100), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7UT82 (CP100): Currently no fix is available
• SIPROTEC 5 Compact 7SX800 (CP050): Update to V9.80 or later version
• SIPROTEC 5 6MD84 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300) and SIPROTEC 5 7VK87 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP150), and SIPROTEC 5 7SJ85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SK82 (CP150) and SIPROTEC 5 7SK85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7ST86 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SX82 (CP150) and SIPROTEC 5 7SX85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SY82 (CP150): Update to V9.80 or later version
• SIPROTEC 5 7UT82 (CP150), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), and SIPROTEC 5 7UT87 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7VU85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 6MD85 (CP300) and SIPROTEC 5 6MD86 (CP300): Update to V9.80 or later version
• : Update to V9.80 or later version
• SIPROTEC 5 6MU85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7KE85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7SS85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7UM85 (CP300): Update to V9.80 or later version
• SIPROTEC 5 7VE85 (CP300): Update to V9.80 or later version

Siemens recommends operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.

Recommended security guidelines can be found here.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-194557 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 5.2
• ATTENTION: Exploitable locally
• Vendor: Siemens
• Equipment: Siveillance Video Camera Drivers
• Vulnerability: Insertion of Sensitive Information into Log File

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow a local attacker to read camera credentials stored in the Recording Server under specific conditions.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siveillance Video Device Pack: Versions prior to V13.5

3.2 VULNERABILITY OVERVIEW 3.2.1 INSERTION OF SENSITIVE INFORMATION INTO LOG FILE CWE-532

Disclosure of sensitive information in HikVision camera driver's log file in XProtect Device Pack allows an attacker to read camera credentials stored in the Recording Server under specific conditions.

CVE-2024-12569 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12569. A base score of 5.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Ensure that only trusted people get local access to the driver log files on the Recording Server.
• Update to V13.5 or later version.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-404759 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 4.9
• ATTENTION: Low attack complexity
• Vendor: Hitachi Energy
• Equipment: FOX61x, FOXCST, FOXMAN-UN
• Vulnerability: Improper Validation of Certificate with Host Mismatch

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow attackers to intercept or falsify data exchanges between the client and the server.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

• FOX61x: Versions prior to R16B
• FOXCST: Versions prior to 16.2.1
• FOXMAN-UN: R15A and prior
• FOXMAN-UN: R15B PC4 and prior
• FOXMAN-UN: R16A
• FOXMAN-UN: R16B PC2 and prior

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER VALIDATION OF CERTIFICATE WITH HOST MISMATCH CWE-297

Hitachi Energy is aware of a vulnerability that affects the FOXCST client application, which if exploited would allow attackers to intercept or falsify data exchanges between the client and the server.

CVE-2024-2462 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported this vulnerability to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

• FOXMAN-UN R16B PC2 and earlier: Update to FOXMAN-UN R16B PC3 or later and apply general mitigation factors.
• FOXMAN-UN R15B or prior: Update to FOXMAN-UN R15B PC5 and apply general mitigation factors. (Update planned)
• FOXMAN-UN R16A, FOXMAN-UN R15A, FOXMAN-UN older than R15A: EOL versions - no remediation will be available. Recommended to update to FOXMAN-UN R16B PC4 or R15B PC5 (update planned) and apply general mitigation factors.
• FOX61x less than R16B: Update to FOX61x R16B
• FOXCST less than 16.2.1: Update to FOXCST_16.2.1

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.4
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Mendix LDAP
• Vulnerability: LDAP Injection

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to bypass username verification.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Mendix LDAP: All versions prior to 1.1.2

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN AN LDAP QUERY ('LDAP INJECTION') CWE-90

Affected versions of the module are vulnerable to LDAP injection. This could allow an unauthenticated remote attacker to bypass username verification.

CVE-2024-56841 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Mendix LDAP: Update to V1.1.2 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage

For more information see the associated Siemens security advisory SSA-314390 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 2.1
• ATTENTION: Exploitable remotely
• Vendor: Siemens
• Equipment: Industrial Edge Management
• Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

• Siemens Industrial Edge Management OS (IEM-OS): All versions

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

Affected components are vulnerable to reflected cross-site scripting (XSS) attacks. This could allow an attacker to extract sensitive information by tricking users into accessing a malicious link.

CVE-2024-45385 has been assigned to this vulnerability. A CVSS v3 base score of 4.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2024-45385. A base score of 2.1 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens ProductCERT reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Industrial Edge Management OS (IEM-OS): Currently no fix is planned. Migrate to Industrial Edge Management Virtual (IEM-V)

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-416411 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

5. UPDATE HISTORY

• January 16, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 7.8
• ATTENTION: Low Attack Complexity
• Vendor: Schneider Electric
• Equipment: Vijeo Designer
• Vulnerability: Improper Privilege Management

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could cause a non-admin authenticated user to perform privilege escalation by tampering with the binaries.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric Vijeo Designer: All versions prior to 6.3 SP1

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER PRIVILEGE MANAGEMENT CWE-269

Improper Privilege Management vulnerabilities exist that could cause unauthorized access, loss of confidentiality, integrity, and availability of the workstation if non-admin authenticated users try to perform privilege escalation by tampering with the binaries.

CVE-2024-8306 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported this vulnerability to CISA.

CVE-2024-8306:
Charit Misra of Applied Risk(DNV Cyber) reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Schneider Electric Vijeo Designer Versions prior to V6.3 SP1: 
  • Limit authenticated user access to the workstation running Vijeo Designer and implement existing User Account Control practices. 
  • Remove the write permissions for "Everyone" on the folder "C:\Program Files (x86)\Schneider Electric\Vijeo-Designer 6.3\Vijeo-Runtime" 
  • Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices guide available for download here.
• Schneider Electric Vijeo Designer embedded in EcoStruxure™ Machine Expert All versions: 
  • Schneider Electric is establishing a remediation plan for all future versions of Vijeo Designer embedded in EcoStruxure™ Machine Expert that will include a fix for this vulnerability. We will update this document when the remediation is available. Until then, users should immediately apply the following mitigations to reduce the risk of exploit: 
    • Limit authenticated user access to the workstation running Vijeo Designer and implement existing User Account Control practices. 
    • Remove the write permissions for "Everyone" on the folder "C:\Program Files (x86)\Schneider Electric\Vijeo-Designer 6.3\Vijeo-Runtime" 
    • Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices guide available for download here.
• Schneider Electric Vijeo Designer Versions prior to V6.3 SP1: 
  • Version V6.3 SP1 of Vijeo Designer includes a fix for this vulnerability and can be updated through the Schneider Electric Software Update (SESU) application. https://www.se.com/ww/en/product-range/1054-vijeo%02designer-hmi-software/#software-and-firmware On the engineering workstation, update to v6.3 SP1 of Vijeo Designer.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

5. UPDATE HISTORY

• January 14, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: FOXMAN-UN
• Vulnerabilities: Authentication Bypass Using an Alternate Path or Channel, Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'), Heap-based Buffer Overflow, Incorrect User Management, Improper Certificate Validation, Improper Restriction of Excessive Authentication Attempts, Use of Hard-coded Password, Cleartext Storage of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an unauthenticated malicious user to interact with the services and the post-authentication attack surface.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Hitachi Energy reports that the following products are affected:

• Hitachi Energy FOXMAN-UN: All versions prior to R15A
• Hitachi Energy FOXMAN-UN: R15B (CVE-2024-28020, CVE-2024-28022, CVE-2024-28024)
• Hitachi Energy FOXMAN-UN: R15B PC4 (CVE-2024-2013, CVE-2024-2012, CVE-2024-2011, CVE-2024-28021, CVE-2024-28023)
• Hitachi Energy FOXMAN-UN: R16A
• Hitachi Energy FOXMAN-UN: R16B (CVE-2024-28020, CVE-2024-28022, CVE-2024-28024)
• Hitachi Energy FOXMAN-UN: R16B PC2 (CVE-2024-2013, CVE-2024-2012, CVE-2024-2011, CVE-2024-28021, CVE-2024-28023)

3.2 VULNERABILITY OVERVIEW 3.2.1 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL CWE-288

An authentication bypass vulnerability exists in the FOXMAN-UN server / APIGateway component that if exploited allows unauthenticated malicious users to interact with the services and the post-authentication attack surface.

CVE-2024-2013 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER NEUTRALIZATION OF ARGUMENT DELIMITERS IN A COMMAND ('ARGUMENT INJECTION') CWE-88

A vulnerability exists in the FOXMAN-UN server / APIGateway that if exploited could be used to allow unintended commands or code to be executed on the FOXMAN-UN server.

CVE-2024-2012 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.3 HEAP-BASED BUFFER OVERFLOW CWE-122

A heap-based buffer overflow vulnerability exists in the FOXMAN-UN that if exploited will generally lead to a denial of service but can be used to execute arbitrary code, which is usually outside the scope of a program's implicit security policy.

CVE-2024-2011 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H).

3.2.4 INCORRECT USER MANAGEMENT CWE-286

A user/password reuse vulnerability exists in the FOXMAN-UN application and server management. If exploited a malicious user could use the passwords and login information to extend access on the server and other services.

CVE-2024-28020 has been assigned to this vulnerability. A CVSS v3 base score of 8.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

3.2.5 IMPROPER CERTIFICATE VALIDATION CWE-295

A vulnerability exists in the FOXMAN-UN server that affects the message queueing mechanism's certificate validation. If exploited a malicious user could spoof a trusted entity causing a loss of confidentiality and integrity.

CVE-2024-28021 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).

3.2.6 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307

A vulnerability exists in the FOXMAN-UN server / APIGateway that if exploited allows a malicious user to perform an arbitrary number of authentication attempts using different passwords, and eventually gain access to other components in the same security realm using the targeted account.

CVE-2024-28022 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L).

3.2.7 USE OF HARD-CODED PASSWORD CWE-259

A vulnerability exists in the message queueing mechanism that if exploited can lead to the exposure of resources or functionality to unintended actors, possibly providing malicious users with sensitive information or even execute arbitrary code.

CVE-2024-28023 has been assigned to this vulnerability. A CVSS v3 base score of 5.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L).

3.2.8 CLEARTEXT STORAGE OF SENSITIVE INFORMATION CWE-312

A vulnerability exists in the FOXMAN-UN in which sensitive information is stored in cleartext within a resource that might be accessible to another control sphere.

CVE-2024-28024 has been assigned to this vulnerability. A CVSS v3 base score of 4.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Hitachi Energy PSIRT reported these vulnerabilities to CISA.

4. MITIGATIONS

Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:

• FOXMAN-UN R16A, FOXMAN-UN R15A, FOXMAN-UN older than R15A: EOL versions - no remediation will be available. Recommended to update to UNEM R16B PC4 or R15B PC5 (update planned) and apply general mitigation factors.
• (CVE-2024-2013, CVE-2024-2012, CVE-2024-2011, CVE-2024-28021, CVE-2024-28023) FOXMAN-UN R16B PC2: Fixed in FOXMAN-UN R16B PC3 Recommended to update to FOXMAN-UN R16B PC4 and apply general mitigation factors.
• (CVE-2024-2013, CVE-2024-2012, CVE-2024-2011, CVE-2024-28021, CVE-2024-28023) FOXMAN-UN R15B PC4: Update to FOXMAN-UN R15B PC5 (under development) and apply general mitigation factors.
• (CVE-2024-28020) FOXMAN-UN R16B, FOXMAN-UN R15B: Deny nemadm account for ssh logins by configuring DenyUsers in /etc/ssh/sshd_config
• (CVE-2024-28022, CVE-2024-28024) FOXMAN-UN R16B, FOXMAN-UN R15B: Apply general mitigation factors

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• January 14, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 5.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: EcoStruxure Power Monitoring Expert, EcoStruxure Power Operation, EcoStruxure Power SCADA Operation 2020
• Vulnerability: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to tamper with folder names within the context of the product.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2021: All versions prior to 2021 CU1
• Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2020: All versions prior to 2020 CU3
• Schneider Electric EcoStruxure™ Power Operation (EPO) 2022: All versions prior to 2022 CU4
• Schneider Electric EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module: All versions prior to 2022 CU4
• Schneider Electric EcoStruxure™ Power Operation (EPO) 2021: All versions prior to 2021 CU3 Hotfix 2
• Schneider Electric EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module: All versions prior to 2021 CU3 Hotfix 2
• Schneider Electric EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting') vulnerability exists when an authenticated attacker modifies folder names within the context of the product.

CVE-2024-8401 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported this vulnerability to CISA.

CVE-2024-8401:
McKade Umbenhower of Sandia National Labs reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2021 CU1 and prior: EcoStruxure™ Power Monitoring Expert 2021 CU2 includes a fix for this vulnerability and is available for download here: https://ecoxpert.se.com/software-center/power-monitoringexpert/ power-monitoring-expert-2021 OR EcoStruxure™ Power Monitoring Expert 2022 includes a fix for this vulnerability and is available for download here: https://ecoxpert.se.com/software-center/power-monitoringexpert/ power-monitoring-expert-2022 OR Upgrade to the latest version of EcoStruxure™ Power Monitoring Expert. Contact the customer care center for more information.
• Schneider Electric EcoStruxure™ Power Operation (EPO) 2022 CU4 and prior, Schneider Electric EcoStruxure™ Power Operation (EPO) 2022 – Advanced Reporting and Dashboards Module 2022 CU4 and prior: EcoStruxure™ Power Operations 2022 CU5 includes a fix for this vulnerability and is available for download here: https://community.se.com/t5/EcoStruxure-Power-Operation/v2022- Release-amp-Updates-Install-Procedure/m-p/416561/thread-id/6058 OR Upgrade to latest version of EcoStruxure™ Power Operations. Contact the customer care center for more information. Additionally, EcoStruxure™ Power operation 2022 with Advanced Reporting utilizes EcoStruxure™ Power Monitoring Expert. You will need to update the version of EcoStruxure™ Power Monitoring Expert installed independently of the EcoStruxure™ Power Operation patch level installed and apply the appropriate EcoStruxure™ Power Monitoring Expert update as outlined above. For assistance in determining the version of PME installed, contact the Schneider Electric Customer Care Center.
• Schneider Electric EcoStruxure™ Power Operation (EPO) 2021 CU3 Hotfix 2 and prior, Schneider Electric EcoStruxure™ Power Operation (EPO) 2021 – Advanced Reporting and Dashboards Module 2021 CU3 Hotfix 2 and prior: EcoStruxure™ Power Operations 2021 CU3 Hotfix 3 includes a fix for this vulnerability and is available for download here: https://community.se.com/t5/EcoStruxure-Power-Operation/v2022- Release-amp-Updates-Install-Procedure/m-p/416561/thread-id/6058 OR Upgrade to latest version of EcoStruxure™ Power Operations. Contact the customer care center for more information. Additionally, EcoStruxure™ Power Operation 2021 with Advanced Reporting utilizes EcoStruxure™ Power Monitoring Expert. You will need to update the version of EcoStruxure™ Power Monitoring Expert installed independently of the EcoStruxure™ Power Operation patch level installed and apply the appropriate EcoStruxure™ Power Monitoring Expert update as outlined above. For assistance in determining the version of PME installed, contact the Schneider Electric Customer Care Center.
• Schneider Electric EcoStruxure™ Power Monitoring Expert (PME) 2020 CU3 and prior: EcoStruxure™ Power Monitoring Expert 2020 is at its end-of-life support. Users should consider upgrading to the latest version offering of PME to resolve this issue. Please contact Schneider Electric Customer Care Center for more details.
• Schneider Electric EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module All Versions: EcoStruxure™ Power SCADA Operation 2020 (PSO) - Advanced Reporting and Dashboards Module is at its end-of-life support. Users should consider upgrading to the latest version offering of EPO to resolve this issue. Please contact Schneider Electric Customer Care Center for more details.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 14, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Belledonne Communications
• Equipment: Linphone-Desktop
• Vulnerability: NULL Pointer Dereference

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in a remote attacker causing a denial-of-service condition on the affected devices.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following version of Linphone-Desktop is affected:

• Linphone-Desktop: Version 5.2.6

3.2 VULNERABILITY OVERVIEW 3.2.1 NULL POINTER DEREFERENCE CWE-476

The affected product is vulnerable to a NULL Dereference vulnerability, which could allow a remote attacker to create a denial-of-service condition.

CVE-2025-0430 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-0430. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Communications
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Vera Mens of Claroty Research - Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Belledonne Communications recommends users implement the fix in Version 5.3.99 of the linphone-sdk.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 14, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: PowerChute Serial Shutdown
• Vulnerability: Improper Authentication

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports the following versions of PowerChute Serial Shutdown are affected:

• PowerChute Serial Shutdown: Versions 1.2.0.301 and prior

3.2 Vulnerability Overview 3.2.1 IMPROPER AUTHENTICATION CWE-287

An improper authentication vulnerability exists that could cause a denial of access to the web interface when someone on the local network repeatedly requests the /accessdenied URL.

CVE-2024-10511 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-10511. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends the following mitigations for the affected product:

• PowerChute Serial Shutdown: Versions v1.2.0.301 and prior: Update to PowerChute Serial Shutdown: Version 1.3

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric's security notification service here:
https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp

Schneider Electric strongly recommend the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-01 in PDF and CSAF.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 10, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Harmony HMI and Pro-face HMI Products
• Vulnerability: Use of Unmaintained Third-Party Components

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause complete control of the device when an authenticated user installs malicious code into HMI product

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

Schneider Electric reports the following versions of Harmony HMI and Pro-face HMI are affected:

• Harmony HMIST6: All versions
• Harmony HMISTM6: All versions
• Harmony HMIG3U: All versions
• Harmony HMIG3X: All versions
• Harmony HMISTO7 series with Ecostruxure Operator Terminal Expert runtime: All versions
• PFXST6000: All versions
• PFXSTM6000: All versions
• PFXSP5000: All versions
• PFXGP4100 series with Pro-face BLUE runtime: All versions

3.2 Vulnerability Overview 3.2.1 USE OF UNMAINTAINED THIRD-PARTY COMPONENTS CWE-1104

The affected product is vulnerable to a use of an unmaintained third-party component vulnerability that could cause complete control of the device when an authenticated user installs malicious code into HMI product.

CVE-2024-11999 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-11999. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Chemical, Critical Manufacturing, Energy, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric reported this vulnerability to CISA.

4. MITIGATIONS

Schneider Electric recommends for users to immediately apply the following mitigations to reduce the risk of exploit:

• Use HMI only in a protected environment to minimize network exposure and ensure that they are not accessible from public Internet or untrusted networks.
• Setup network segmentation and implement a firewall to block all unauthorized access.
• Restrict usage of unverifiable portable media.
• Restricting the application access to limit the transfer of Firmware to HMIScanning of software/files for rootkits before usage and verifying the digital signature.
• When exchanging files over the network, use secure communication protocols.

For users to be informed of all updates, including details on affected products and remediation plans, subscribe to Schneider Electric's security notification service here:
https://www.se.com/ww/en/work/support/cybersecurity/notification-contact.jsp

Schneider Electric strongly recommend the following industry cybersecurity best practices:

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the "Program" mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as Virtual Private Networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

For more information refer to the Schneider Electric Recommended Cybersecurity Best Practices document and the associated Schneider Electric Security Notification SEVD-2024-345-02 in PDF and CSAF.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 10, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: Delta Electronics
• Equipment: DRASimuCAD
• Vulnerabilities: Out-of-bounds Write, Type Confusion

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could crash the device or potentially allow remote code execution.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of DRASimuCAD, a robotic simulation platform, are affected:

• DRASimuCAD : Version 1.02.00.00 and prior

3.2 VUNERABILITY OVERVIEW 3.2.1 Access of Resource Using Incompatible Type ('Type Confusion') CWE-843

Delta Electronics DRASimuCAD expects a specific data type when it opens files, but the program will accept data of the wrong type from specially crafted files.

CVE-2024-12834 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12834. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Out-of-bounds Write CWE-787

When a specially crafted file is opened with Delta Electronics DRASimuCAD, the program can be forced to write data outside of the intended buffer.

CVE-2024-12835 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12835. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 Access of Resource Using Incompatible Type ('Type Confusion') CWE-843

Delta Electronics DRASimuCAD expects a specific data type when it opens files, but the program will accept data of the wrong type from specially crafted files.

CVE-2024-12836 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-12836. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

rgod working with Trend Micro Zero Day Initiative reported these vulnerabilities to CISA.

4. MITIGATIONS

Delta has released a patch to fix these vulnerabilities on Delta Download Center. This patch is based on the formal DRASimuCAD v1.02.00.00. Users should have the original v1.02.00.00 installed, then install this new patch.

Delta also recommends the following general security practices:

• Don't click on untrusted Internet links or open unsolicited attachments in emails.
• Avoid exposing control systems and equipment to the Internet.
• Place systems and devices behind a firewall and isolate them from the business network.
• When remote access is required, use a secure access method, such as a virtual private network (VPN).

For more information, please see the Delta product cybersecurity advisory for these issues.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

5. UPDATE HISTORY

• January 9, 2025: Initial Publication.
• January 16, 2025: Update A - Patch available to fix vulnerabilities.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v3 10.0
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: ASPECT-Enterprise, NEXUS, and MATRIX series
• Vulnerabilities: Files or Directories Accessible to External Parties, Improper Validation of Specified Type of Input, Cleartext Transmission of Sensitive Information, Cross-site Scripting, Server-Side Request Forgery (SSRF), Improper Neutralization of Special Elements in Data Query Logic, Allocation of Resources Without Limits or Throttling, Weak Password Requirements, Cross-Site Request Forgery (CSRF), Use of Weak Hash, Code Injection, PHP Remote File Inclusion, External Control of System or Configuration Setting, Insufficiently Protected Credentials, Unrestricted Upload of File with Dangerous Type, Absolute Path Traversal, Use of Default Credentials, Off-by-one Error, Use of Default Password, Session Fixation

2. RISK EVALUATION

Multiple vulnerabilities in ABB ASPECT-Enterprise, NEXUS, and MATRIX series products have been reported, which could enable an attacker to disrupt operations or execute remote code.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

ABB reports the following products are affected:

• ABB NEXUS Series: NEXUS-3-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
• ABB NEXUS Series: NEX-2x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
• ABB NEXUS Series: NEX-2x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
• ABB NEXUS Series: NEXUS-3-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
• ABB ASPECT-Enterprise: ASP-ENT-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
• ABB MATRIX Series: MAT-x <=3.08.02 (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317)
• ABB MATRIX Series: MAT-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
• ABB MATRIX Series: MAT-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
• ABB ASPECT-Enterprise: ASP-ENT-x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
• ABB ASPECT-Enterprise: ASP-ENT-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)
• ABB NEXUS Series: NEX-2x <=3.08.01 (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847)
• ABB NEXUS Series: NEXUS-3-x <=3.07.02 (CVE-2024-48845, CVE-2024-51551, CVE-2024-51555)

3.2 VULNERABILITY OVERVIEW 3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

Unauthorized file access in WEB Server in ASPECT versions 3.08.01 and prior allow an attacker to access files unauthorized.

CVE-2024-6209 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.2 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

An improper input validation vulnerability in ASPECT allows remote code inclusion.

CVE-2024-6298 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.3 CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319

Web browser interface may manipulate application username/password in clear text or Base64 encoding in ABB ASPECT providing a higher probability of unintended credentials exposure.

CVE-2024-6515 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.2.4 IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79

A cross-site scripting vulnerability was found in ABB ASPECT providing a potential for malicious scripts to be injected into a client browser.

CVE-2024-6516 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).

3.2.5 SERVER-SIDE REQUEST FORGERY (SSRF) CWE-918

A server-side request forgery vulnerability was found in ASPECT providing a potential for access to unauthorized resources and unintended information disclosure.

CVE-2024-6784 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.6 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN DATA QUERY LOGIC CWE-943

A SQL injection vulnerability was found in ASPECT providing a potential for unintended information disclosure.

CVE-2024-48843 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N).

3.2.7 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A denial of service vulnerability was found in ASPECT providing a potential for device service disruptions.

CVE-2024-48844 has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:H).

3.2.8 WEAK PASSWORD REQUIREMENTS CWE-521

A weak password reset rules vulnerability was found in ASPECT providing a potential for the storage of weak passwords that could facilitate unauthorized admin/application access.

CVE-2024-48845 has been assigned to this vulnerability. A CVSS v3 base score of 9.4 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

3.2.9 CROSS-SITE REQUEST FORGERY (CSRF) CWE-352

A cross site request forgery vulnerability was found in ASPECT providing a potential for exposing sensitive information or changing system settings.

CVE-2024-48846 has been assigned to this vulnerability. A CVSS v3 base score of 7.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

3.2.10.0 USE OF WEAK HASH CWE-328

A MD5 checksum bypass vulnerability was found in ASPECT exploiting a weakness in the way an application dependency calculates or validates MD5 checksum hashes.

CVE-2024-48847 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N).

3.2.11 IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94

An improper input validation vulnerability in ASPECT allows remote code execution.

CVE-2024-48839 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.12 IMPROPER CONTROL OF GENERATION OF CODE ('CODE INJECTION') CWE-94

An unauthorized access vulnerability in ASPECT allows remote code execution.

CVE-2024-48840 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.13 IMPROPER CONTROL OF FILENAME FOR INCLUDE/REQUIRE STATEMENT IN PHP PROGRAM ('PHP REMOTE FILE INCLUSION') CWE-98

A local file inclusion vulnerability in ASPECT allows access to sensitive system information.

CVE-2024-51541 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.14 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

A configuration download vulnerability in ASPECT allows access to dependency configuration information.

CVE-2024-51542 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.15 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15

An information disclosure vulnerability in ASPECT allows access to application configuration information.

CVE-2024-51543 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

3.2.16 EXTERNAL CONTROL OF SYSTEM OR CONFIGURATION SETTING CWE-15

A service control vulnerability in ASPECT allows access to service restart requests and vm configuration settings.

CVE-2024-51544 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H).

3.2.17 INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522

An username enumeration vulnerability in ASPECT allows access to application level username add, delete, modify and list functions.

CVE-2024-51545 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.18 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

A credentials disclosure vulnerability in ASPECT allow access to on board project backup bundles.

CVE-2024-51546 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.2.19 UNRESTRICTED UPLOAD OF FILE WITH DANGEROUS TYPE CWE-434

A dangerous file upload vulnerability in ASPECT allows upload of malicious scripts.

CVE-2024-51548 has been assigned to this vulnerability. A CVSS v3 base score of 9.9 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

3.2.20 ABSOLUTE PATH TRAVERSAL CWE-36

An absolute file traversal vulnerability in ASPECT allows access and modification of unintended resources.

CVE-2024-51549 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.21 IMPROPER VALIDATION OF SPECIFIED TYPE OF INPUT CWE-1287

A data validation / data sanitization vulnerability in ASPECT Linux allows unvalidated and unsanitized data to be injected in an ASPECT device.

CVE-2024-51550 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L).

3.2.22 USE OF DEFAULT CREDENTIALS CWE-1392

A default credential vulnerability in ASPECT on Linux allows access to an ASPECT device using publicly available default credentials.

CVE-2024-51551 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.23 OFF-BY-ONE ERROR CWE-193

An off by one error vulnerability in ASPECT allow an array out of bounds condition in a log script.

CVE-2024-51554 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L).

3.2.24 USE OF DEFAULT PASSWORD CWE-1393

Default credential vulnerability in ASPECT allows access to an ASPECT device using publicly available default credentials, since the system does not require the installer to change default credentials.

CVE-2024-51555 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

3.2.25 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

A filesize check vulnerability in ASPECT allow a malicious user to bypass size limits or overload an ASPECT device.

CVE-2024-11316 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.26 SESSION FIXATION CWE-384

Session fixation vulnerability in ASPECT allow an attacker to fix a user's session identifier before login providing an opportunity for session takeover on an ASPECT device.

CVE-2024-11317 has been assigned to this vulnerability. A CVSS v3 base score of 10.0 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

Gjoko Krstikj of Zero Science Lab reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB has identified the following specific workarounds and mitigations users can apply to reduce risk:

• (CVE-2024-6209, CVE-2024-6298, CVE-2024-48847) ASP-ENT-x <=3.08.01, NEX-2x <=3.08.01, MAT-x <=3.08.01, NEXUS-3-x <=3.08.01: The vulnerabilities have been resolved in product versions 3.08.02 and later.
• (CVE-2024-6515, CVE-2024-6516, CVE-2024-6784, CVE-2024-48843, CVE-2024-48844, CVE-2024-48846, CVE-2024-48839, CVE-2024-48840, CVE-2024-51541, CVE-2024-51542, CVE-2024-51543, CVE-2024-51544, CVE-2024-51545, CVE-2024-51546, CVE-2024-51548, CVE-2024-51549, CVE-2024-51550, CVE-2024-51554, CVE-2024-11316, CVE-2024-11317) ASP-ENT-x <=3.08.02, NEX-2x <=3.08.02, NEXUS-3-x <=3.08.02, MAT-x <=3.08.02: The vulnerabilities have been resolved in product versions 3.08.03 and later.
• (CVE-2024-48845) ASP-ENT-x <=3.07.02, NEXUS-3-x <=3.07.02, NEX-2x <=3.07.02, MAT-x <=3.07.02: The vulnerabilities have been resolved in product versions 3.08.00 and later.
• (CVE-2024-51551, CVE-2024-51555) ASP-ENT-x <=3.07.02, NEXUS-3-x <=3.07.02, NEX-2x <=3.07.02, MAT-x <=3.07.02: The vulnerabilities have been resolved in product versions 3.08.00 and later.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• January 7, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/Low attack complexity
• Vendor: Nedap Librix
• Equipment: Ecoreader
• Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could result in remote code execution.

3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS

The following versions of Ecoreader are affected:

• Ecoreader: All versions

3.2 VULNERABILITY OVERVIEW 3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The affected product is missing authentication for critical functions that could allow an unauthenticated attacker to potentially execute malicious code.

CVE-2024-12757 has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-12757. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Netherlands

3.4 RESEARCHER

Prajitesh Singh of Cyble reported this vulnerability to CISA.

4. MITIGATIONS

Nedap Librix did not respond to our attempts to coordinate with them.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• January 07, 2025: Initial Publication