All news in category “Security Advisory and Patch Watch”

⚠ AVEVA reported a basic cross-site scripting vulnerability (CVE-2025-8386) in the Application Server IDE affecting versions 2023 R2 SP1 P02 and earlier. An authenticated user with the aaConfigTools privilege can modify App Objects' help files to persist XSS that may execute in other users' sessions, potentially enabling horizontal or vertical privilege escalation. AVEVA provides a fix in System Platform 2023 R2 SP1 P03; CISA advises auditing permissions, minimizing network exposure, and using secure remote access methods.

⚠️ Siemens Altair Grid Engine contains multiple local vulnerabilities that can enable privilege escalation and arbitrary code execution with superuser rights. One issue discloses password hashes in error messages (CWE-209, CVE-2025-40760, CVSS 5.5) and another allows library path hijacking via uncontrolled environment variables (CWE-427, CVE-2025-40763, CVSS 7.8). Siemens and CISA recommend updating to V2026.0.0 and applying mitigations such as removing setuid bits from affected binaries where appropriate.

⚠️ CISA reports multiple high-severity vulnerabilities affecting General Industrial Controls Lynx+ Gateway, including weak password requirements, missing authentication for critical functions, and cleartext transmission of sensitive data. These issues carry CVSS v4 scores up to 9.2 and permit remote exploitation with low attack complexity, potentially enabling unauthorized access, device resets, information disclosure, or denial-of-service. Affected firmware versions include R08, V03, V05, and V18; the findings were disclosed in November 2025. CISA recommends minimizing network exposure, isolating control devices behind firewalls, and using secure remote access methods such as updated VPNs while coordinating with the vendor.

⚠️ Siemens published an advisory for LOGO! 8 and SIPLUS LOGO! devices detailing three vulnerabilities (CVE-2025-40815, CVE-2025-40816, CVE-2025-40817) that could enable remote code execution, denial-of-service, or unauthenticated device manipulation. CVE-2025-40815 is a buffer overflow (CVSSv4 8.6) caused by improper TCP packet validation; the others are missing-authentication issues affecting IP and time configuration. Siemens is preparing fixes; interim mitigations include protecting LSC access with a strong password and restricting UDP port 10006 to trusted IPs while CISA recommends impact analyses before changes.

⚠ Siemens warns that COMOS contains two high‑severity vulnerabilities — CVE-2023-45133 (CVSS 9.3) and CVE-2024-0056 (CVSS 8.7) — which can enable remote code execution or expose sensitive information. Siemens has released a patch in COMOS V10.4.5 and advises operators to update promptly. Implement network segmentation, avoid direct internet exposure of control systems, and follow Siemens and CISA guidance for secure remote access and system hardening.

🔒 Rockwell Automation disclosed multiple vulnerabilities in FactoryTalk DataMosaix Private Cloud that can enable MFA bypass and persistent cross-site scripting. The issues, tracked as CVE-2025-11084 and CVE-2025-11085, affect 7.11 and selected 8.x releases and carry CVSS v4 scores up to 8.6, indicating high severity. Rockwell has released patches and CISA advises applying updates, minimizing network exposure, and isolating control networks to reduce remote exploitation risk.

🔒 Siemens reported Cross-Site Request Forgery and incorrect permission assignment vulnerabilities affecting SICAM P850 and P855 devices (versions prior to 3.11). Exploitation could allow attackers to perform actions as authenticated users or impersonate sessions. Siemens recommends updating to v3.11+, restricting TCP/443 to trusted IPs, and hardening network access; CISA advises isolating control networks and avoiding internet exposure.

🔒 Siemens disclosed multiple vulnerabilities in Spectrum Power 4 that allow privilege escalation and remote command execution in affected versions prior to V4.70 SP12 Update 2. Several issues carry high severity ratings (CVSS v4 up to 8.7) and include weaknesses such as incorrect privilege and permission assignments (CWE-266, CWE-732), incorrect use of privileged APIs (CWE-648), and inclusion of untrusted control-sphere functionality (CWE-829). Siemens recommends updating to V4.70 SP12 Update 2 and limiting network exposure; CISA reiterates defensive best practices.

🔒 Rockwell Automation disclosed an Incorrect Authorization vulnerability in Verve Asset Manager that allows unauthorized read‑only users to read, update, and delete user accounts via the product API. The issue is tracked as CVE-2025-11862 and CISA reports a CVSS v4 base score of 8.4, noting remote exploitability and low attack complexity. Affected releases include versions 1.33 through 1.41.3; Rockwell fixed the flaw in 1.41.4 and 1.42. Administrators should prioritize updates and apply network mitigations to limit exposure.

🚨 Mitsubishi Electric disclosed a TCP communication vulnerability (CVE-2025-10259) in the MELSEC iQ-F Series CPU modules that can be triggered remotely to disconnect a session and cause a denial-of-service condition. The issue is remotely exploitable with low attack complexity and carries a CVSS v3.1 base score of 5.3. Mitsubishi recommends using VPNs and limiting physical and LAN access while applying vendor guidance and assessing risk.

⚠️ Siemens disclosed an improper certificate validation vulnerability in Solid Edge SE2025 that could enable unauthenticated remote man-in-the-middle attacks against the product's license service connections. The issue is tracked as CVE-2025-40744 and carries a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.7, indicating high impact and low attack complexity. Siemens recommends updating to V225.0 Update 11 or later and restricting network access to licensing endpoints; CISA also advises network segmentation, use of secure remote access, and standard anti-phishing protections. No known public exploitation targeting this vulnerability has been reported.

🛡️ CISA, FBI, DC3, HHS and international partners released updated guidance to help organizations mitigate the evolving Akira ransomware threat. The advisory details new indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs) used by the group, which primarily targets small and medium-sized businesses but has also struck larger organizations across multiple sectors. It strongly urges immediate actions such as regular backups, enforcing multifactor authentication, and prioritizing remediation of known exploited vulnerabilities.

⚠ Siemens disclosed a DLL hijacking vulnerability (CVE-2025-40827) affecting Siemens Software Center and Solid Edge SE2025. The issue is an uncontrolled search path element (CWE-427) that could permit arbitrary code execution if a crafted DLL is placed on a system. Siemens has published fixes (Software Center v3.5+, Solid Edge V225.0 Update 10+) and recommends network isolation, access controls, and following its industrial security guidance to reduce risk.

⚠️ Rockwell Automation's AADvance-Trusted SIS Workstation has a directory traversal vulnerability (CWE-22) in DotNetZip (v1.16.0 and earlier) that can enable remote code execution if a user opens a crafted file. The issue is tracked as CVE-2024-48510 and has a CVSS v4 base score of 8.6 (CVSS v3.1 8.8). Affected versions are 2.00.00 through 2.00.04; Rockwell reports the defect is corrected in Version 2.01.00. Users unable to immediately upgrade should follow vendor guidance, minimize network exposure of control devices, isolate control networks, use secure remote access, and contact Rockwell support for assistance.

🔐 CISA and partner agencies published an updated advisory on Nov. 13, 2025, detailing new indicators, tactics, and detection guidance related to Akira ransomware. The update documents expanded targeting across Manufacturing, Education, IT, Healthcare, Financial, and Food and Agriculture, and links activity to groups such as Storm-1567 and Punk Spider. Key findings include exploitation of edge and backup vulnerabilities, use of remote management tools for defense evasion, and a faster, more destructive Akira_v2 variant that complicates recovery.

🔔 CISA has warned federal agencies to patch a critical, actively exploited vulnerability in WatchGuard Firebox firewalls that permits remote code execution through an out-of-bounds write in Fireware OS 11.x (EOL), 12.x, and 2025.1. The agency added CVE-2025-9242 to its Known Exploited Vulnerabilities catalog and imposed a three-week remediation deadline under BOD 22-01. WatchGuard released patches on September 17 but only marked the flaw as exploited on October 21. Internet scans tracked over 75,000 vulnerable appliances before counts fell to roughly 54,000.

🔒 CISA has added a critical WatchGuard Fireware vulnerability, CVE-2025-9242 (CVSS 9.3), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The out-of-bounds write in the OS iked process affects Fireware OS 11.10.2 through 11.12.4_Update1, 12.0 through 12.11.3 and 2025.1 and can allow remote unauthenticated code execution. Researchers at watchTowr Labs attribute the flaw to a missing length check on an identification buffer used during the IKE handshake, which permits a pre‑authentication code path before certificate validation. Shadowserver scans show over 54,300 vulnerable Firebox instances worldwide (about 18,500 in the U.S.), and Federal Civilian Executive Branch agencies are directed to apply WatchGuard patches by December 3, 2025.

🖨️ Independent researcher Peter Geissler disclosed a critical vulnerability (CVE-2024-12649) in certain Canon printers that can be triggered simply by printing an XPS document containing a malicious TTF font. The exploit abuses TTF hinting instructions to overflow a virtual-machine stack in the printer’s font engine, allowing code execution on devices running Canon’s DryOS. Canon has issued firmware updates, but organizations should promptly patch, restrict printer exposure, and segment printers to reduce risk.

🔧 Microsoft resolved a bug that caused incorrect end-of-support warnings to appear in Windows Update settings after the October 2025 updates. The cosmetic issue affected Windows 10 22H2 devices enrolled in the Extended Security Updates (ESU) program as well as LTSC 2021 editions that remain supported, but affected systems continued to receive security updates. Microsoft issued a cloud configuration fix and on Nov 11, 2025 released KB5068781; admins can also apply a Known Issue Rollback policy if immediate deployment is required.

🔒 Amazon Threat Intelligence identified an advanced threat actor exploiting undisclosed zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix products. The actor achieved pre-authentication remote code execution via a newly tracked Cisco deserialization flaw (CVE-2025-20337) and earlier Citrix Bleed Two activity (CVE-2025-5777). Following exploitation, a custom in-memory web shell disguised as IdentityAuditAction was deployed, demonstrating sophisticated evasion using Java reflection, Tomcat request listeners, and DES with nonstandard Base64. Amazon recommends limiting external access to management endpoints and implementing layered defenses and detection coverage.