Industrial giants Siemens, Schneider Electric and Phoenix Contact have published ICS security advisories on the May 2025 Patch Tuesday. The cybersecurity agencies CISA and CERT@VDE have also published advisories.
While most of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws.
Siemens has published 18 new advisories, including four that cover critical-severity vulnerabilities. One of them describes an authentication bypass issue in the Redfish interface of the BMC controller used by Simatic industrial PCs. The flaw was disclosed by firmware security firm Eclypsium in March.
Another critical advisory describes an OZW web server flaw that can be exploited to execute arbitrary code with root privileges, and a security hole that can be leveraged by an attacker to gain admin privileges.
Three vulnerabilities that can allow an authenticated attacker to execute arbitrary code with root privileges on Ruggedcom ROX II devices have also been classified as 'critical'.
Siemens has also published another advisory for the vulnerability known as BlastRADIUS, specifically its impact on Siprotec, Sicam and other products.
Siemens addressed high-severity vulnerabilities in VersiCharge EV chargers, Simatic PCS neo, Desigo CC, Scalance, Sirius, Intralog, and Teamcenter Visualization products. Medium-severity issues were resolved in Polarion, BACnet, MS/TP Point Pickup Module, Mendix, and Ruggedcom products.
Schneider Electric has published four new advisories, each covering one vulnerability. Two of the advisories describe the impact of CVE-2023-4041, an older Silicon Labs Gecko bootloader flaw, on PrismaSeT Active and Wiser home automation products.
One advisory describes the impact of CVE-2025-32433, a recently disclosed Erlang/OTP SSH flaw that exposes many devices to complete takeover. Schneider has determined that the vulnerability affects its Galaxy data center UPS products.
The last Schneider advisory describes a high-severity information disclosure vulnerability that can be exploited by an unauthenticated attacker to read arbitrary files on Modicon PLCs.
Phoenix Contact has informed customers that some of its bus couplers are affected by a high-severity DoS vulnerability that has been observed during network scans. An unauthenticated attacker could exploit the security hole remotely to cause disruption by sending a large number of requests to port 80.
Germany's CERT@VDE has published three advisories, including one for a high-severity privilege escalation issue affecting a portal of solar energy equipment firm SMA Solar Technology, an XSS flaw affecting several Wiesemann & Theis products, and the aforementioned Phoenix Contact DoS vulnerability.
CISA published four new advisories on Patch Tuesday. Three of them describe more than 20 vulnerabilities across Hitachi Energy MACH GWS, Relion, and Service Suite products. The fourth advisory informs organizations about two high-severity bugs in ABB's Automation Builder product.