Major industrial corporations, including Siemens, Schneider Electric, Aveva, and Phoenix Contact, have issued advisories as part of Patch Tuesday, alerting their customers to vulnerabilities discovered in their industrial control systems (ICS) and operational technology (OT) products.
Siemens Releases Multiple Security Advisories
Siemens has been proactive, issuing eight new advisories that address high-severity vulnerabilities in various products such as Desigo CC, Sentron Powermanager, and others. The company has provided patches and mitigations to tackle issues that could lead to unauthorized access, cross-site scripting (XSS), denial-of-service (DoS) attacks, code execution, and privilege escalation. Additionally, a medium-severity issue was identified in Siveillance Video Management Servers.
Further, Siemens highlighted concerns regarding the Siport desktop client application, which lacks anti-tamper protections and modern exploit mitigation controls. This susceptibility could allow unauthorized modifications and potential misuse of the application.
Schneider Electric and Aveva Address Critical Flaws
Schneider Electric has issued two advisories. The first outlines high-severity vulnerabilities in EcoStruxure Building Operation Workstation and WebStation that could result in DoS, information disclosure, or code execution. The second advisory focuses on a critical flaw capable of causing DoS or code execution in SCADAPack RTUs.
Aveva has alerted customers to a high-severity DoS vulnerability in PI Data Archive and a medium-severity unauthorized access issue in PI to Connect Agent, emphasizing the need for timely updates to these systems.
Phoenix Contact and CISA Updates
Phoenix Contact has responded to a 2024 OpenSSL vulnerability, with Germany’s VDE CERT also acknowledging the issue and releasing an advisory for related Wago managed switch vulnerabilities. Meanwhile, CISA has published five new advisories detailing vulnerabilities in products from Yokogawa, Zlan, and Zoll, alongside the Aveva issues disclosed earlier.
In the days leading up to Patch Tuesday, Mitsubishi Electric and Moxa also released advisories for vulnerabilities affecting their products, including Freqship-mini for Windows and Melsec iQ-R.
These proactive measures underscore the ongoing efforts by industry leaders to secure ICS environments against potential threats, emphasizing the importance of regular security updates and vigilant monitoring to safeguard critical infrastructure.
