CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products
CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including critical issues in AVEVA Process Optimization (multiple CVEs) that could enable unauthenticated remote code execution, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several Siemens product lines, including a DoS condition in SIMATIC/SIPLUS ET 200 components triggered via an S7 protocol disconnect request (CVE-2025-40944), a TLS certificate upload input-validation issue that can crash/reboot RUGGEDCOM ROS devices (CVE-2025-40935), a local privilege escalation in TeleControl Server Basic prior to V3.1.2.4 (CVE-2025-40942), and multiple issues in SINEC Security Monitor (including improper authorization in ssmctl-client file transfer and report-generation DoS; CVE-2025-40830, CVE-2025-40831). CISA also noted vulnerabilities affecting Siemens Industrial Edge ecosystems, including an authorization bypass in the Industrial Edge Device Kit (CVE-2025-40805) and authentication enforcement weaknesses on specific API endpoints in Industrial Edge Devices that could allow impersonation if an attacker knows a legitimate user identity.
Other CISA advisories covered Schneider Electric EcoStruxure Power Build Rapsody (CVE-2025-13844), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and Rockwell Automation FactoryTalk DataMosaix Private Cloud (CVE-2025-12807), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). Separately, CISA warned about YoSmart/YoLink weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity AsyncOS vulnerability under active exploitation (CVE-2025-20393) affecting Secure Email Gateway and Secure Email and Web Manager appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to UAT-9686; this is a separate enterprise email-security incident and not part of the ICS advisory set.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
12 events from the most recent confirmed update back to the earliest known activity.
AVEVA Process Optimization vulnerabilities are republished by CISA
CISA republished an AVEVA advisory describing seven vulnerabilities in AVEVA Process Optimization 2024.1 and earlier, including unauthenticated remote code execution, SQL injection, privilege escalation, and information exposure. The most severe issue was rated CVSS 10.0, and CISA said no known public exploitation had been reported.
Schneider Electric discloses Power Build Rapsody file-import flaws
Schneider Electric disclosed double-free and use-after-free vulnerabilities in EcoStruxure Power Build Rapsody that can be triggered when a user imports a malicious project file, potentially causing heap corruption or arbitrary code execution. Schneider said fixes were available and credited both internal and external researchers for reporting the issues.
Siemens discloses critical auth bypass in Industrial Edge Device Kit
Siemens disclosed CVE-2025-40805 in Industrial Edge Device Kit, a critical authorization bypass that lets an unauthenticated remote attacker impersonate a legitimate user on certain API endpoints if the attacker knows a valid user identity. Siemens released new versions for several affected arm64 and x86-64 builds and provided mitigations for others.
Siemens discloses critical auth bypass in Industrial Edge devices
Siemens disclosed a critical authentication and authorization weakness across multiple Industrial Edge and related SIMATIC and SCALANCE products that allows unauthenticated remote impersonation of a legitimate user if a valid identity is known. Siemens provided fixes for many product lines, though some products had no fix available at the time.
Nozomi and Siemens identify RUGGEDCOM APE1808 exposure to Guardian/CMC flaws
Nozomi Networks published four vulnerabilities affecting Guardian/CMC, and Siemens issued an advisory stating that RUGGEDCOM APE1808 devices are impacted. The issues included stored HTML injection/XSS and a path traversal flaw, while Siemens said fixed versions were still being prepared.
Siemens releases fixes for SINEC Security Monitor vulnerabilities
Siemens disclosed two medium-severity flaws in SINEC Security Monitor before version 4.10.0, including arbitrary file read/write via the ssmctl-client file_transfer feature and a report-generation denial of service. Siemens released version 4.10.0 and recommended upgrading.
Siemens discloses RUGGEDCOM ROS certificate-upload DoS flaw
Siemens disclosed CVE-2025-40935, a medium-severity vulnerability in RUGGEDCOM ROS devices that can cause a temporary denial of service during TLS certificate upload by crashing and rebooting the device. Siemens released updated versions and recommended customers upgrade.
Siemens discloses TeleControl Server Basic privilege escalation flaw
Siemens disclosed CVE-2025-40942 in TeleControl Server Basic before version 3.1.2.4, a high-severity local privilege escalation issue that could enable arbitrary code execution with elevated privileges. Siemens released version 3.1.2.4 and advised customers to update.
Siemens discloses DoS flaw in SIMATIC and SIPLUS ET 200 products
Siemens disclosed CVE-2025-40944, a high-severity denial-of-service vulnerability in multiple SIMATIC and SIPLUS ET 200 interface modules and couplers that can be triggered with a valid S7 Disconnect Request. Siemens released fixes for several affected products and said additional fixes were in preparation for others.
Festo discloses undocumented remote-access protocol exposure in firmware
Festo disclosed that numerous industrial automation products expose remote-accessible functions through an undocumented protocol, creating a critical unauthenticated attack path with potential full loss of confidentiality, integrity, and availability. The issue was reported by researchers from Forescout, and Festo said mitigation would come through updated technical documentation in a future product version.
CISA publishes YoLink Smart Hub vulnerability advisory
CISA published an advisory covering multiple vulnerabilities in the YoSmart/YoLink ecosystem, including cross-account device control, sensitive data interception, session hijacking, and long-lived session tokens. Affected components included the YoLink Smart Hub, mobile app, server, and MQTT broker, with no known public exploitation reported at the time.
Rockwell FactoryTalk DataMosaix SQL injection advisory is republished
CISA republished an advisory for CVE-2025-12807 affecting Rockwell Automation FactoryTalk DataMosaix Private Cloud versions 7.11, 8.00, and 8.01. The high-severity SQL injection flaw could let low-privilege users perform sensitive database operations, and CISA said it had no reports of public exploitation at publication.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
12 references tracked. Mallory keeps watching after this page renders.
AVEVA Process Optimization | CISA
cisa.gov
Open sourceFesto Firmware | CISA
cisa.gov
Open sourceSiemens RUGGEDCOM APE1808 Devices | CISA
cisa.gov
Open sourceSchneider Electric EcoStruxure Power Build Rapsody | CISA
cisa.gov
Open sourceSiemens Industrial Edge Device Kit | CISA
cisa.gov
Open sourceSiemens Industrial Edge Devices | CISA
cisa.gov
Open sourceRockwell Automation FactoryTalk DataMosaix Private Cloud | CISA
cisa.gov
Open sourceYoSmart YoLink Smart Hub | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Siemens Issues Security Updates for Multiple Industrial and Engineering Products
**Siemens published security advisories for multiple products**, prompting both CISA ICS advisories and a Canadian Centre for Cyber Security alert covering a broad set of affected industrial/engineering software and OT-adjacent components. Reported issues include a **stored XSS** in *Siemens Polarion* (CVE-2025-40587; CVSS 7.6) where authenticated users can inject JavaScript via crafted document titles, and **local privilege escalation** paths in *Siemens SINEC NMS* and its *User Management Component (UMC)* (CVE-2026-25655, CVE-2026-25656; CVSS 7.8) that allow low-privileged users to modify configuration/search paths to load malicious DLLs and potentially gain elevated execution (including SYSTEM-level impact). Siemens also addressed a **missing authorization** condition affecting *Siveillance Video Management Servers* Webhooks/MIP Webhooks API (CVSS 6.3), enabling a read-only user to obtain full API access. Additional advisories cover file-parsing and third-party component risks that can lead to crashes or potential code execution. *Siemens NX* is affected by multiple **CGM file parsing** flaws (CVE-2026-22923/22924/22925; CVSS 7.8) that can be triggered when a user opens a malicious file, and *Siemens Solid Edge* includes an **out-of-bounds read** in the PS/IGES Parasolid translator when processing crafted IGS files (CVSS 7.8). *Desigo CC* and *SENTRON Powermanager* are impacted via the third-party *WIBU Systems CodeMeter Runtime* chain tied to **CVE-2023-38545** (curl SOCKS5 heap overflow; CVSS 8.8), with Siemens providing component update instructions. *Siemens SINEC OS* before V3.3 aggregates a large set of third-party CVEs across supported platforms, and *Siemens COMOS* advisories include multiple issues (up to CVSS 10) spanning potential code execution, DoS, data exposure, and access control violations; Siemens recommends updating where fixes are available and applying countermeasures where they are not yet released.
May 14, 2026
CISA ICS advisories warn of critical authentication and RCE flaws in industrial and IoT devices
CISA published multiple ICS advisories warning of high-severity vulnerabilities affecting industrial/IoT products deployed in critical infrastructure environments. For **Jinan USR IOT Technology (PUSR) USR-W610** (<= `3.1.1.0`), CISA reported multiple issues (including **CVE-2026-25715**, **CVE-2026-24455**, **CVE-2026-26049**, **CVE-2026-26048**) that could allow authentication to be effectively disabled (e.g., permitting blank admin credentials over the web interface and Telnet), enable credential exposure (including administrator credentials), and cause denial-of-service; one of the cited conditions results in full administrative control for a network-adjacent attacker without valid credentials (CVSS v3.1 **9.8**). Separately, **EnOcean SmartServer IoT** (<= `4.60.009`) was reported vulnerable to **OS command execution** via crafted LON IP-852 management messages (**CVE-2026-20761**) and an additional weakness that could leak memory and help bypass mitigations such as ASLR (**CVE-2026-22885**) (CVSS v3.1 **8.1**). CISA also warned that **Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller** is affected by **CVE-2026-24790** (**missing authentication for a critical function**), where the underlying PLC can be remotely influenced without proper safeguards, creating risk of **over- or under-odorization events** (CVSS v3.1 **8.2**). In parallel reporting, a separate CISA warning covered **Honeywell CCTV** products impacted by **CVE-2026-1670** (CVSS **9.8**), where an unauthenticated API endpoint could allow an attacker to change the “forgot password” recovery email and take over accounts to access camera feeds; at the time of reporting, there were no public exploitation reports, and CISA recommended reducing exposure (e.g., isolating devices behind firewalls and using secure remote access).
Mar 21, 2026
CISA Releases Multiple ICS Vulnerability Advisories
The Cybersecurity and Infrastructure Security Agency (CISA) released a coordinated set of 18 Industrial Control Systems (ICS) advisories, detailing newly discovered vulnerabilities across a range of products from vendors such as Siemens, Mitsubishi Electric, AVEVA, Brightpick AI, and General Industrial Controls. These advisories highlight critical and high-severity issues including improper authentication, buffer overflows, weak cryptography, DLL hijacking, and improper certificate validation, many of which are remotely exploitable and could lead to code execution, privilege escalation, denial-of-service, or unauthorized access to sensitive systems. Affected products span widely used ICS components such as Siemens LOGO! 8 BM Devices, AVEVA Edge, Brightpick Mission Control, and General Industrial Controls Lynx+ Gateway, with several vulnerabilities assigned CVSS v4 scores above 8, indicating significant risk to industrial environments. CISA urges organizations to review the technical details and apply mitigations as recommended in the advisories to reduce exposure to these threats. The advisories provide actionable intelligence for asset owners and operators, including lists of affected product versions, vulnerability descriptions, and remediation steps. This coordinated disclosure underscores the ongoing targeting of ICS environments and the need for timely patching and robust security practices to protect critical infrastructure from exploitation.
Mar 21, 2026