The Cybersecurity & Infrastructure Security Agency (CISA) has issued urgent alerts warning of multiple critical vulnerabilities affecting Industrial Control Systems (ICS), including Hitachi Energy MicroSCADA Pro/X SYS600 and Rockwell Automation Lifecycle Services with Veeam Backup and Replication.
These security flaws, some remotely exploitable, could allow malicious actors to execute code, manipulate critical files, hijack sessions, and launch phishing attacks against industrial networks.
Hitachi Energy Vulnerabilities
With a CVSS v3 score of up to 9.9 (Critical), the vulnerabilities in Hitachi Energy MicroSCADA Pro/X SYS600 could pose major security risks, including code injection, unauthorized system file access, session hijacking, and phishing.
Affected versions include 10.0 to 10.5 (CVE-2024-4872, CVE-2024-3980), 10.2 to 10.5 (CVE-2024-7940), 10.5 (CVE-2024-7941), and 9.4 FP1 and FP2 HF1 to HF5 (CVE-2024-3980, CVE-2024-4872).
The vulnerabilities include:
- Improper Query Validation (CVE-2024-4872): Allows attackers to inject persistent malicious code.
- Path Traversal (CVE-2024-3980): Enables unauthorized modification of critical system files.
- Authentication Bypass (CVE-2024-3982): Permits session hijacking through captured credentials.
- Open Redirect (CVE-2024-7941): Can be exploited for phishing attacks.
Entities using affected versions should apply security patches immediately to mitigate these risks.
Mitigation Measures
Hitachi Energy recommends several security practices and firewall configurations to help protect process control networks from attacks that come from outside the network:
- Ensure process control systems are physically protected from direct access by unsanctioned users, do not connect directly to the Internet, and are segregated from other networks by means of a firewall that has the bare minimum of ports exposed.
- Process control systems should not be used to surf the web, send instant messages, or receive e-mails.
- Portable computers and removable storage media should be carefully and thoroughly scanned for viruses before they are connected to a control system.
- Proper password policies and processes should be followed.
- Apply security patches (Version 10.6 or Patch 9.4 FP2 HF6).
Rockwell Automation Vulnerability
The vulnerability in Rockwell Automation Lifecycle Services with Veeam Backup and Replication has a CVSS v3 score of 9.4 (Critical) and puts ICS at serious risk of remote code execution through untrusted data deserialization.
Affected products include:
- Industrial Data Center (IDC) with Veeam (Generations 1–5)
- VersaVirtual Appliance (VVA) with Veeam (Series A–C)
The vulnerability, identified as Deserialization of Untrusted Data (CVE-2025-23120), enables bad actors with administrative access to execute arbitrary code on the system, which could lead to full system compromise, data breaches, and unauthorized control over critical infrastructure.
Entities using these versions are advised to apply security patches as soon as possible and follow these recommended cybersecurity practices to prevent exploitation.
Mitigation Measures
Rockwell Automation Managed Services says remediation will be provided to contracted users. It advises non-contracted users to:
- Refer to Veeam’s security advisory for patching guidelines.
- Restrict ICS exposure to the internet.
- Use secure remote access tools, such as VPNs, with up-to-date patches.
- Implement Defense-in-Depth strategies to limit risk.
Protecting Critical Infrastructure
ICS vulnerabilities present to critical industrial sectors worldwide and society as a whole cannot be understated. Malefactors exploiting these weaknesses could disrupt essential services, manipulate production environments, and put human life at risk.
CISA recommends that all affected entities apply every possible security patch at once and restrict access to control systems using firewalls and network segmentation.
In addition, the Agency says to monitor for suspicious activity, report incidents to CISA, and educate employees on social engineering attacks to prevent phishing and credential theft.
No public exploits targeting these vulnerabilities have been reported yet, but entities should act swiftly to secure their ICS assets against potential cyber threats.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.