Industrial solutions providers Siemens, Schneider Electric and Aveva have released June 2025 Patch Tuesday ICS security advisories.
While many of the vulnerabilities described in the advisories have been patched, only mitigations and workarounds are currently available for some of the flaws.
Siemens published six new advisories this Patch Tuesday. The most important describes CVE-2025-40585, a critical default credentials issue impacting Siemens Energy Services solutions that use the Elspec G5 Digital Fault Recorder (G5DFR).
According to Siemens, this component has default credentials with admin privileges and “a user configuration with remote access could allow an attacker to gain remote control of the G5DFR component and tamper outputs from the device”. Users can mitigate this issue by changing the default credentials from the G5DFR interface.
Critical issues are also described in an advisory for Simatic S7-1500 CPUs. Siemens is working on updates for the product to address dozens of vulnerabilities affecting the GNU/Linux subsystem.
Two advisories cover medium-severity issues in industrial communication devices that use Sinec OS. The flaws allow an attacker to “perform actions that exceed the permissions of the ‘guest’ role”.
The industrial giant has also informed customers about a Tecnomatix Plant Simulation vulnerability that can lead to arbitrary code execution by tricking a user into opening malicious files. The issue was reported by researcher Michael Heinzl, who is often credited by vendors for reporting vulnerabilities whose exploitation involves opening specially crafted files.
Siemens also informed customers about an XSS vulnerability in the Palo Alto Networks virtual firewall present in some Ruggedcom devices. Patches are being prepared by Siemens.
Schneider Electric has published three new advisories this Patch Tuesday. One of them describes XSS and DoS vulnerabilities affecting some Modicon controllers.
Four vulnerabilities have been patched in the EVLink WallBox electric vehicle charging station, including ones that can be exploited for reading or writing arbitrary files, launching XSS attacks, and taking remote control of the charging station.
Schneider has also informed customers about vulnerabilities in the third-party real-time operating system powering Insight Home and Insight Facility products. The products have reached end of life and cannot be updated, but users can implement mitigations to reduce the risk of exploitation.
Aveva has published three new advisories. One of them describes two high-severity DoS vulnerabilities in the PI Data Archive product. The other two advisories cover medium-severity XSS flaws in PI Connector for CygNet and PI Web API.
CISA also published three new advisories on Tuesday. One of them describes high-severity SinoTrack GPS receiver vulnerabilities that can allow an attacker to track vehicles and disconnect power to the fuel pump.
The other advisories describe the impact of a 2022 OpenSSL vulnerability on Hitachi Energy Relion products, and a remote code execution flaw discovered by Heinzl in MicroDicom DICOM Viewer.
ABB published advisories several days before Patch Tuesday. The company informed customers about a critical EIBPORT vulnerability that leads to information disclosure, as well as flaws in third-party components used by its Welcome IP-Gateway product.
Also on Tuesday, Kaspersky published its ICS threat landscape report for Q1 2025, which shows that the security firm’s products blocked threats on nearly 22% of protected ICS devices.
The report looks at threat sources, regional trends, and the prevalence of various types of malware.
Related: ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Phoenix Contact
Related: ICS Patch Tuesday: Vulnerabilities Addressed by Rockwell, ABB, Siemens, Schneider