All news with #opto 22 tag

Opto 22 groov View: API exposes user API keys and metadata

🔒 CISA warns that Opto 22's groov View API exposes API keys and user metadata through a users endpoint that returns keys for all accounts to any principal with an Editor role. The issue affects groov View Server for Windows R1.0a–R4.5d and GRV‑EPIC‑PR1/PR2 firmware prior to 4.0.3. Successful exploitation could disclose credentials, reveal keys, and enable privilege escalation; Opto 22 has released patches and recommends upgrading to Server R4.5e and firmware 4.0.3 alongside network-level mitigations.

CISA Releases Seven Industrial Control Systems Advisories

🔔 CISA released seven new Industrial Control Systems advisories addressing vulnerabilities across multiple vendors and product families. The advisories cover Ashlar-Vellum, Rockwell Automation, Zenitel, Opto 22, Festo, SiRcom, and an update for Mitsubishi Electric FA engineering software. Administrators are urged to review technical details and apply recommended mitigations promptly.

Opto 22 GRV-EPIC and groov RIO: Remote RCE Vulnerability

⚠️ A remotely exploitable OS command injection in the Opto 22 Groov Manage REST API allows attackers with administrative credentials to inject shell commands that execute as root on affected GRV-EPIC and groov RIO devices. The issue is tracked as CVE-2025-13087 and carries a CVSS v4 base score of 7.5. Opto 22 has released firmware 4.0.3 to address the flaw; users should apply the update promptly. CISA also recommends isolating control networks, minimizing Internet exposure, and monitoring API and system logs for suspicious activity.