Mallory

Multiple High-Severity Vulnerability Disclosures Across ICS, Open-Source Software, and SOHO Routers

Tags: remote compromise, vulnerability, privilege escalation, network segmentation, CISA, shell injection, code injection, buffer overflow, unauthenticated, ICS, SQL injection, arbitrary file read, VPN, Johnson Controls, IBM Db2
Updated February 1, 2026 at 11:10 PM (11 sources)

Public disclosures highlighted multiple high-severity vulnerabilities across industrial control systems, open-source software, and consumer networking gear, with several issues enabling unauthenticated remote compromise. Johnson Controls disclosed CVE-2025-26385 (CVSS 10.0), a critical SQL injection affecting multiple building/ICS management products (including ADS/ADX, LCS8500, NAE8500, SCT, CCT) that can allow remote, unauthenticated attackers to execute arbitrary SQL to alter/delete/exfiltrate data; CISA guidance emphasized isolating control system networks from the internet, segmentation, and controlled remote access (e.g., VPNs). Additional unauthenticated remote issues include CVE-2026-25069 in SunFounder Pironman Dashboard (path traversal in log API endpoints enabling arbitrary file read/deletion) and CVE-2025-51958 in the DokuWiki runcommand plugin (unauthenticated command execution via lib/plugins/runcommand/postaction.php).

Other disclosures include developer-tooling and application-layer injection flaws and multiple router memory-corruption bugs with public exploit references. Orval fixed CVE-2026-25141, a code-injection issue where incomplete escaping can be bypassed using JSFuck-style payloads, and Cybersecurity AI (CAI) addressed CVE-2026-25130, where subprocess.Popen(..., shell=True) enables argument/command injection leading to RCE (notably via the find_file() tool). Data-layer issues include CVE-2025-69662 in geopandas (to_postgis() SQL injection) and CVE-2026-24854 in ChurchCRM (authenticated SQL injection via PerID in /PaddleNumEditor.php, patched in 6.7.2), while CVE-2025-36384 affects IBM Db2 for Windows (local privilege escalation via unquoted search path). SOHO router flaws CVE-2026-1686 (Totolink A3600R) and CVE-2026-1637 (Tenda AC21) describe remotely reachable buffer/stack overflows with publicly available exploit material, increasing the likelihood of opportunistic exploitation where exposed management interfaces exist.
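The shell=True pattern behind CVE-2026-25130, shown as an added example that is not CAI's code: a constructed vulnerable find_file beside a hardened version that passes an argv list to subprocess.run, validates the name, and confines results to the search root. It assumes a POSIX `find` binary on PATH; all function names are hypothetical.

```python
import subprocess
import tempfile
from pathlib import Path

def find_file_unsafe(root: str, name: str) -> str:
    """Vulnerable pattern (constructed, not the CAI code): the file name is spliced
    into a shell command line, so a name like 'x; <command>' runs that command."""
    proc = subprocess.Popen(f"find {root} -name {name}", shell=True,
                            stdout=subprocess.PIPE, text=True)
    out, _ = proc.communicate()
    return out

def find_file_safe(root: str, name: str) -> list[str]:
    """Hardened form: validated input, argv list with no shell, results confined
    to the search root. Assumes a POSIX `find` binary is on PATH."""
    if not name or "/" in name or "\0" in name or name.startswith("-"):
        raise ValueError(f"rejected file name: {name!r}")
    root_path = Path(root).resolve(strict=True)
    proc = subprocess.run(
        ["find", str(root_path), "-name", name],  # metacharacters stay literal
        capture_output=True, text=True, check=True, timeout=30,
    )
    hits = []
    for line in proc.stdout.splitlines():
        candidate = Path(line).resolve()
        if candidate == root_path or root_path in candidate.parents:
            hits.append(str(candidate))
    return sorted(hits)

def demo() -> dict:
    """Constructed scratch tree showing that the safe version treats a
    metacharacter-laden name as a literal pattern and rejects path separators."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "notes.txt").write_text("hello")
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "notes.txt").write_text("world")
        hits = find_file_safe(tmp, "notes.txt")
        injected = find_file_safe(tmp, "notes.txt; touch pwned")
        try:
            find_file_safe(tmp, "../etc/passwd")
            rejected = False
        except ValueError:
            rejected = True
        return {
            "hits": len(hits),
            "injected_hits": len(injected),
            "pwned_created": Path(tmp, "pwned").exists(),
            "rejected_traversal": rejected,
        }
```

Running demo() finds both notes.txt copies, while the metacharacter-laden name matches nothing and creates no file.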

Related Stories

CISA ICS Advisories Highlight Multiple High-Impact Vulnerabilities Across Industrial and IoT Products

CISA published multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities across a range of OT and connected-device products, including **critical** issues in *AVEVA Process Optimization* (multiple CVEs) that could enable unauthenticated **remote code execution**, SQL injection, privilege escalation, and sensitive data exposure in affected versions (<=2024.1). Additional advisories describe flaws in several **Siemens** product lines, including a DoS condition in **SIMATIC/SIPLUS ET 200** components triggered via an S7 protocol disconnect request (`CVE-2025-40944`), a TLS certificate upload input-validation issue that can crash/reboot **RUGGEDCOM ROS** devices (`CVE-2025-40935`), a local privilege escalation in **TeleControl Server Basic** prior to V3.1.2.4 (`CVE-2025-40942`), and multiple issues in **SINEC Security Monitor** (including improper authorization in `ssmctl-client` file transfer and report-generation DoS; `CVE-2025-40830`, `CVE-2025-40831`). CISA also noted vulnerabilities affecting **Siemens Industrial Edge** ecosystems, including an authorization bypass in the **Industrial Edge Device Kit** (`CVE-2025-40805`) and authentication enforcement weaknesses on specific API endpoints in **Industrial Edge Devices** that could allow impersonation if an attacker knows a legitimate user identity. Other CISA advisories covered **Schneider Electric EcoStruxure Power Build Rapsody** (`CVE-2025-13844`), where importing a malicious project file (SSD) could trigger memory corruption (e.g., double free/use-after-free) and potentially arbitrary code execution, and **Rockwell Automation FactoryTalk DataMosaix Private Cloud** (`CVE-2025-12807`), where low-privilege users could perform sensitive database operations via exposed API endpoints (SQL injection class). 
Separately, CISA warned about **YoSmart/YoLink** weaknesses (multiple CVEs) including insufficient authorization controls in the MQTT broker enabling cross-account device control when device IDs are obtained (with IDs described as predictable), plus additional issues such as cleartext transmission and predictable identifiers. A non-CISA item in the set reported Cisco releasing updates for a max-severity **AsyncOS** vulnerability under active exploitation (`CVE-2025-20393`) affecting *Secure Email Gateway* and *Secure Email and Web Manager* appliances, including evidence of attacker-installed persistence and attribution by Cisco Talos to **UAT-9686**; this is a separate enterprise email-security incident and not part of the ICS advisory set.

ICS/OT Vulnerability Disclosures for Airleader Master, Hitachi Energy SuprOS, and WAGO Industrial Switches

CISA published an ICS advisory for **Airleader GmbH Airleader Master** identifying **CVE-2026-1358**, a **critical (CVSS 9.8)** *unrestricted file upload* issue (`CWE-434`) affecting versions **6.381 and earlier**. The advisory states that multiple web pages running with maximum privileges allow **unauthenticated** file uploads without restriction, which could enable **remote code execution** on the server; the issue was reported by **SySS GmbH**. CISA also issued an ICS advisory for **Hitachi Energy SuprOS** describing a **default credentials** weakness (`CWE-1392`) affecting **SuprOS 9.2.1 and below and 9.2.2.0** (listed as **CVE-2025-7740**, **CVSS 8.8**), where an admin account created during deployment could be abused by an attacker with local authenticated access, impacting confidentiality, integrity, and availability. Separately, CERT@VDE warned of multiple critical vulnerabilities in **WAGO 852 series Industrial Managed Switches** (models **8052-1322** and **0852-1328**, firmware **2.64 and prior**), including **CVE-2026-22906** (hardcoded key enabling decryption of AES-ECB–protected stored credentials if a configuration file is obtained) and cookie-parsing flaws such as **CVE-2026-22904** that can be triggered remotely via oversized cookie values, enabling denial of service and potentially code execution through the web management interface (modified *lighttpd* and custom CGI binaries).

CISA ICS advisories disclose multiple critical-manufacturing vulnerabilities in Hitachi Energy, Ilevia, and Open62541

CISA published multiple ICS advisories affecting **critical manufacturing** environments, including a **critical RADIUS forgery weakness** impacting **Hitachi Energy XMC20** and **FOX61x** when configured for **remote RADIUS authentication**. The issue (tracked as **CVE-2024-3596**, CVSS v3.1 **9.0**) stems from the RADIUS protocol’s use of an **MD5 Response Authenticator**, enabling a local attacker to perform a **chosen-prefix collision** and alter server responses (e.g., `Access-Accept`, `Access-Reject`, `Access-Challenge`), with potential confidentiality, integrity, and availability impact. Separately, CISA warned that **Ilevia EVE X1 Server** (<= **4.7.18.0**) contains multiple vulnerabilities (including **CVE-2025-34183/34184/34185/34186/34187** and **CVE-2025-34512/34513/34517/34518**) that can enable **pre-auth file disclosure** (via the `db_log` POST parameter) and **unauthenticated OS command injection** (in `/ajax/php/login.php`), potentially leading to arbitrary command execution and sensitive information exposure; at least one issue is scored **CVSS 9.8**. CISA also disclosed an **out-of-bounds write** in **o6 Automation GmbH Open62541** (**CVE-2026-1301**, CVSS **5.7**) where, with PubSub and JSON enabled, a crafted JSON message can trigger **pre-auth memory corruption** and a reliable **denial of service**.
