CISA has published five advisories alerting of critical vulnerabilities in Industrial Control Systems (ICS) manufactured by Siemens, Schneider Electric, and ABB.
The advisories detail high-severity flaws that could enable malicious actors to access sensitive systems, disrupt industrial operations, or execute malicious code.
Firstly, CISA warns that multiple SQL injection vulnerabilities have been discovered in Siemens’ TeleControl Server Basic, with the potential to grant attackers unauthorized database access and code execution capabilities.
Affected internal methods include:
- CreateTrace (CVE-2025-27495, CVSS 9.8)
- VerifyUser (CVE-2025-27539, CVSS 9.8)
- UpdateConnectionVariables (CVE-2025-30002, CVSS 8.8)
- ImportDatabase (CVE-2025-30030, CVSS 8.8)
- LockProject (CVE-2025-32822, CVSS 8.8)
Each vulnerability could allow bad actors to bypass authorization mechanisms and manipulate backend databases, threatening the integrity of industrial systems.
Another advisory details a medium-severity vulnerability (CVE-2025-29931, CVSS 3.7) in Siemens TeleControl Server Basic, stemming from improper length parameter handling. If exploited, it could lead to partial denial-of-service (DoS) in environments with redundant server configurations.
Also, the Wiser Home Controller WHC-5918A contains a critical vulnerability (CVE-2024-6407, CVSS 9.8) that may expose sensitive credentials. CISA says remote attackers can exploit this flaw by sending specially crafted messages, potentially gaining unauthorized access to residential automation networks.
Next, ABB MV Drives using the CODESYS Runtime System are exposed to multiple vulnerabilities, including improper input validation, memory buffer operation issues, and out-of-bounds writes—flaws that could enable remote attackers to gain full control of devices or induce denial-of-service conditions, putting industrial operations that rely on ABB systems at risk.
Also, an update to a previous advisory warns of a buffer size miscalculation (CVE-2024-11425, CVSS 7.5) in Schneider Electric’s Modicon M580 PLCs, BMENOR2200H modules, and EVLink Pro AC chargers. Exploitation could fuel denial-of-service attacks via malicious HTTPS packets, affecting operations in sectors such as manufacturing and energy.
Mitigation and Network Segmentation
In response to these threats, CISA recommends the following actions for asset owners and operators:
- Apply firmware patches as soon as they are available.
- Isolate ICS networks from business and public-facing networks.
- Reduce device exposure by limiting internet-facing interfaces.
- Regularly monitor for abnormal or unauthorized activity.
- Maintain up-to-date software and hardware configurations.
Rapid Risk Awareness
An ICS advisory is published when a vendor or researcher discloses a flaw that affects industrial hardware and offers a patch or workaround, says Jason Soroko, Senior Fellow at Sectigo. “The goal is rapid risk awareness for operators whether or not attacks are happening. A CVE moves to the KEV catalog only after CISA confirms real exploitation. At that point US federal agencies receive a binding directive with a patch-by date, and private operators usually adopt the same deadline in their risk scoring.”
Different Security Feeds
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, says the CISA KEV Catalog is primarily for the benefit of IT organizations while ICS advisories benefit the OT community. “Since many organizations have differing cybersecurity requirements for IT staff vs OT systems, it’s reasonable to have different security feeds.”
Also, Mackey says as OT systems usually include systems controlling a manufacturing or production line, or an industrial environment, patch processes are often more involved than simply updating a laptop and rebooting it.
Exposure Points
“Security staff should treat TeleControl Server Basic versions older than 3.1.2.2 as exposure points because an unauthenticated user on port 8000 can inject SQL, change process data, open an OS shell under Network Service, or crash the service,” adds Soroko.
“Block the port at every ingress edge, isolate the server on its own VLAN, collect logs on every SQL statement, and move to the fixed Siemens build. Where downtime will not be approved, place an inline WAF or reverse proxy that drops SQL metacharacters,” Soroko adds. “CVE-2025-27495 is recorded in the public CVE list and the NVD, but no public report shows in-the-wild use.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.