View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.7
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: ABB
• Equipment: MV Drives
• Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to gain full access to the drive or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

ABB reports that the following MV Drives are affected by CODESYS RTS (Runtime System) vulnerabilities:

• ACS6080: LAAAA 2.10.0 to LAAAB 5.06.1
• ACS5000: LAAAB 4.03.0 to LAAAB 5.06.1
• ACS6000: LAAAA 2.10.0 to LAAAB 5.06.1

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119

The CODESYS Control runtime system does not restrict the memory access. An improper restriction of operations within the bounds of a memory buffer allows an attacker with access to the drive with user privileges to gain full access of the drive.

CVE-2022-4046 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2022-4046. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37550 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37550. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.3 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37549 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37549. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.4 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37548 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37548. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37547 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37547. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after a user successfully authenticates, specially crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37546 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37546. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpApp component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37545 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37545. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37556 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37556. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37555 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37555. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.10 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37554 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37554. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.11 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37553 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37553. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.12 IMPROPER INPUT VALIDATION CWE-20

In multiple versions of various CODESYS products, after successful user authentication, specifically crafted network communication requests with inconsistent content can cause the CmpAppBP component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37552 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37552. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.13 OUT-OF-BOUNDS WRITE CWE-787

After successful user authentication in multiple versions of various CODESYS products, specifically crafted remote communication requests can cause the CmpAppBP component to overwrite a heap-based buffer, potentially leading to a denial-of-service condition.

CVE-2023-37557 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37557. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.14 IMPROPER INPUT VALIDATION CWE-20

After successful user authentication in multiple versions of various CODESYS products, specifically crafted network communication requests with inconsistent content can cause the CmpAppForce component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37559 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37559. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.15 IMPROPER INPUT VALIDATION CWE-20

After successful user authentication in multiple versions of various CODESYS products, specifically crafted network communication requests with inconsistent content can cause the CmpAppForce component to read from an invalid internal address, potentially leading to a denial-of-service condition.

CVE-2023-37558 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2023-37558. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Switzerland

3.4 RESEARCHER

ABB reported these vulnerabilities to CISA.

4. MITIGATIONS

ABB recommends users apply a firmware update as soon as possible to the latest firmware, i.e. LAAAB v. 5.07 and higher, for the affected products. ABB has addressed the CODESYS Runtime System vulnerabilities by disabling the IEC online programming communication by default. As a result, CODESYS communication between affected products and the ABB Automation Builder or ABB Drive Application Builder tools is disabled.
It should be noted that the CODESYS application continues to run on the Drive and if it is necessary to establish communication with CODESYS RTS, for example to debug the CODESYS application, this is possible through the drive parameter configuration. Open the user lock via the “96.02 Pass code” parameter and make sure that bit 9 “Enable online IEC programming” is set to TRUE in the “96.102 User lock functionality” parameter. IMPORTANT: After this task, be sure to disable CODESYS communication by setting the bit back to FALSE.
A future firmware update is planned to update the CODESYS RTS library, which will further strengthen defenses for the vulnerabilities mentioned above.

ABB recommends the following mitigating factors:
To exploit these vulnerabilities, a successful login to the affected product is required. This can be achieved by one of the following methods:

• Connecting a computer to the Drive that is running Drive Automation Builder or Drive Composer.
• Having access to the local network where the drive is located. In this case, an attacker could send malformed packets directly to the drive.
  To make the attack more difficult and less likely to succeed, provide network isolation where the drive is located and ensure that no computer running Drive Automation Builder or Drive Composer is connected to the drive without proper security controls. Please refer to “General security recommendations” for further advise on how to keep drive secure.

ABB proposes the following workaround to mitigate this threat for situations where the above actions are not feasible:

• Set bit 2 “Disable file download” to TRUE in the “96.102 User lock functionality” parameter.
  Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors. Please see below to understand possible reduced functionality of the drive. IMPORTANT: Contact a qualified and certified ABB personnel for more information about the parameter handling of the affected products.
  Impact of workaround: This workaround restricts the updating of IEC programs, but existing IEC programs on Drives can still be used. To update an IEC program, the operator must unlock the user lock and enable file download in a protected network environment. It is highly recommended to disable file download, as vulnerabilities are more easily exploitable when file download is enabled. WARNING: The user lock cannot be opened even by ABB if the pass code is lost.

For more information, see ABB’s security advisory 9AKK108470A9989.

ABB strongly recommends the following general cybersecurity practices for any installation of software-related products (this list is non-exhaustive):

• Isolate special purpose networks (e.g., automation systems) and remote devices behind firewalls, and separate them from any general-purpose network (e.g., office or home networks).
• Install physical controls to prevent unauthorized personnel from accessing devices, components, peripheral equipment, and networks.
• Never connect programming software or computers containing programming software to any network other than the network intended for the devices.
• Scan all data imported into your environment before use to detect potential malware infections.
• Minimize network exposure for all applications and endpoints to ensure they are not accessible from the Internet unless designed for such exposure and required for the intended use.
• Ensure all nodes are always up to date with installed software, operating system, and firmware patches, as well as anti-virus and firewall protections.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.
• Install the drive in a secure location accessible only to authorized personnel.
• Install physical controls to ensure only authorized personnel can access devices connected to the drive (e.g., computers, peripheral equipment, and networks).
• Avoid connecting computers containing Drive Automation Builder programming software to any network other than the network intended for the devices.
• Ensure security controls are followed on computers connected to the drive, such as installing updated security patches, firewalls, and anti-virus software, and running only authorized software. It is the user’s responsibility to ensure these conditions.
• More information on recommended practices can be found in Protecting operations through cyber security: ABB Drives solutions.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 22, 2025: Initial Republication of ABB PSIRT 9AKK108470A9989

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Yokogawa
• Equipment: GX10, GX20, GP10, GP20, GM Data Acquisition System, DX1000, DX2000, DX1000N, FX1000, μR10000, μR20000, MW100, DX1000T, DX2000T, CX1000, CX2000
• Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to manipulate information on the affected products.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Yokogawa recorder products are affected:

• GX10 / GX20 / GP10 / GP20 Paperless Recorders: Versions R5.04.01 and earlier
• GM Data Acquisition System: Versions R5.05.01 and earlier
• DX1000 / DX2000 / DX1000N Paperless Recorders: Versions R4.21 and earlier
• FX1000 Paperless Recorders: Versions R1.31 and earlier
• μR10000 / μR20000 Chart Recorders: Versions R1.51 and earlier
• MW100 Data Acquisition Units: All versions
• DX1000T / DX2000T Paperless Recorders: All versions
• CX1000 / CX2000 Paperless Recorders: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

Authentication is disabled by default on the affected products. When connected to a network with default settings, this could allow anyone to access all functions related to settings and operations. As a result, an attacker can illegally manipulate and configure important data such as measured values and settings.

CVE-2025-1863 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-1863. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Food and Agriculture
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Souvik Kandar of MicroSec (microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Yokogawa has provided the following countermeasures for this vulnerability:

• Yokogawa urges users to enable the authentication function when connecting the affected products to the network (login function).
• Be sure to change the password from the default setting after enabling the authentication function.

Yokogawa strongly recommends all users to establish and maintain a full security program. Security program components are patch updates, anti-virus, backup and recovery, zoning, hardening, whitelisting, firewall, etc. Yokogawa can assist in setting up and running the security program continuously. For considering the most effective risk mitigation plan, as a starting point, Yokogawa can perform a security risk assessment.

For more information, contact Yokogawa.

For more information and details on implementing these mitigations, users should see the Yokogawa advisory.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 17, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: ConneXium Network Manager
• Vulnerabilities: Files or Directories Accessible to External Parties, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to access sensitive data, escalate privileges, or perform remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Schneider Electric ConneXium Network Manager: Version 2.0.01 (CVE-2025-2222)
• Schneider Electric ConneXium Network Manager: All versions (CVE-2025-2223)

3.2 VULNERABILITY OVERVIEW

3.2.1 FILES OR DIRECTORIES ACCESSIBLE TO EXTERNAL PARTIES CWE-552

CWE-552: Files or Directories Accessible to External Parties vulnerability over https exists that could leak information and potential privilege escalation following a Man-In-The-Middle attack.

CVE-2025-2222 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-2222. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.2 IMPROPER INPUT VALIDATION CWE-20

CWE-20: Improper Input Validation vulnerability exists that could cause a loss of confidentiality, integrity, and availability of the engineering workstation when a malicious project file is loaded by a user from the local system.

CVE-2025-2223 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2223. A base score of 8.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing, Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Schneider Electric CPCERT reported these vulnerabilities to CISA.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

Schneider Electric ConneXium Network Manager v2.0.01: Please note that the ConneXium Network Manager product has reached the end of its life and is no longer supported. Customers should immediately apply the following mitigations to reduce the risk of exploit:

• Disable the webserver (disabled by default)
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices available for download here: https://www.se.com/ww/en/download/document/7EN52-0390/

Schneider Electric ConneXium Network Manager All versions: Please note that the ConneXium Network Manager product has reached the end of its life and is no longer supported. Customers should immediately apply the following mitigations to reduce the risk of exploit:

• Only open project files received from a trusted source.
• Compute a hash of the project files and regularly check the consistency of this hash to verify the integrity before usage.
• Encrypt project files when stored and restrict the access to only trusted users.
• When exchanging files over the network, use secure communication protocols.
• Follow workstation, network and site-hardening guidelines in the Recommended Cybersecurity Best Practices available for download here: https://www.se.com/ww/en/download/document/7EN52-0390/

For more information see the associated Schneider Electric CPCERT security advisory SEVD-2025-098-01 ConneXium Network Manager Software – SEVD-2025-098-01 PDF Version, ConneXium Network Manager Software – SEVD-2025-098-01 CSAF Version.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 17, 2025: Initial Republication of Schneider Electric CPCERT SEVD-2025-098-01

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Schneider Electric
• Equipment: Sage series
• Vulnerabilities: Out-of-bounds Write, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Incorrect Default Permissions, Unchecked Return Value, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’), Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to compromise the impacted device, leading to loss of data, loss of operation, or impacts to the performance of the device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Schneider Electric reports that the following products are affected:

• Sage 1410: Versions C3414-500-S02K5_P8 and prior
• Sage 1430: Versions C3414-500-S02K5_P8 and prior
• Sage 1450: Versions C3414-500-S02K5_P8 and prior
• Sage 2400: Versions C3414-500-S02K5_P8 and prior
• Sage 4400: Versions C3414-500-S02K5_P8 and prior
• Sage 3030 Magnum: Versions C3414-500-S02K5_P8 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS WRITE CWE-787

An out-of-bounds write vulnerability exists that could result in an authentication bypass when sending a malformed POST request and particular configuration parameters are set.

CVE-2024-37036 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37036. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

An improper limitation of a pathname to a restricted directory (‘path traversal’) vulnerability exists that could allow an authenticated user with access to the device’s web interface to corrupt files and impact device functionality when sending a crafted HTTP request.

CVE-2024-37037 has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37037. A base score of 7.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 INCORRECT DEFAULT PERMISSIONS CWE-276

An incorrect default permissions vulnerability exists that could allow an authenticated user with access to the device’s web interface to perform unauthorized file and firmware uploads when crafting custom web requests.

CVE-2024-37038 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37038. A base score of 7.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.4 UNCHECKED RETURN VALUE CWE-252

An unchecked return value vulnerability exists that could cause denial of service of the device when an attacker sends a specially crafted HTTP request.

CVE-2024-37039 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2024-37039. A base score of 8.2 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N).

3.2.5 BUFFER COPY WITHOUT CHECKING SIZE OF INPUT (‘CLASSIC BUFFER OVERFLOW’) CWE-120

A buffer copy without checking size of input (‘classic buffer overflow’) vulnerability exists that could allow a user with access to the device’s web interface to cause a fault on the device when sending a malformed HTTP request.

CVE-2024-37040 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2024-37040. A base score of 7.1 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L).

3.2.6 OUT-OF-BOUNDS READ CWE-125

An out-of-bounds read vulnerability exists that could cause denial of service of the device’s web interface when an attacker sends a specially crafted HTTP request.

CVE-2024-5560 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

A CVSS v4 score has also been calculated for CVE-2024-5560. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:L/SA:L).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: France

3.4 RESEARCHER

Marlon Schumacher and Alex Armstrong from LLNL and Vishal Madipadga from SNL reported these vulnerabilities to Schneider Electric.

4. MITIGATIONS

Schneider Electric has identified the following specific workarounds and mitigations users can apply to reduce risk:

• Firmware version C3414-500-S02K5_P9 of SAGE RTU includes a fix for these vulnerabilities and is available for download.

  For more information, see Schneider Electric security notification “SEVD-2024-163-05 SAGE RTU”.

Schneider Electric strongly recommend the following industry cybersecurity best practices.

• Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network.
• Install physical controls so no unauthorized personnel can access your industrial control and safety systems, components, peripheral equipment, and networks.
• Place all controllers in locked cabinets and never leave them in the “Program” mode.
• Never connect programming software to any network other than the network intended for that device.
• Scan all methods of mobile data exchange with the isolated network such as CDs, USB drives, etc. before use in the terminals or any node connected to these networks.
• Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.
• Minimize network exposure for all control system devices and systems and ensure that they are not accessible from the Internet.
• When remote access is required, use secure methods, such as virtual private networks (VPNs). Recognize that VPNs may have vulnerabilities and should be updated to the most current version available. Also, understand that VPNs are only as secure as the connected devices.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 17, 2025: Initial Republication of Schneider Electric Advisory SEVD-2024-163-05

CISA is aware of public reporting regarding potential unauthorized access to a legacy Oracle cloud environment. While the scope and impact remains unconfirmed, the nature of the reported activity presents potential risk to organizations and individuals, particularly where credential material may be exposed, reused across separate, unaffiliated systems, or embedded (i.e., hardcoded into scripts, applications, infrastructure templates, or automation tools). When credential material is embedded, it is difficult to discover and can enable long-term unauthorized access if exposed.

The compromise of credential material, including usernames, emails, passwords, authentication tokens, and encryption keys, can pose significant risk to enterprise environments. Threat actors routinely harvest and weaponize such credentials to: 

• Escalate privileges and move laterally within networks.
• Access cloud and identity management systems.
• Conduct phishing, credential-based, or business email compromise (BEC) campaigns.  
• Resell or exchange access to stolen credentials on criminal marketplaces.
• Enrich stolen data with prior breach information for resale and/or targeted intrusion. 

CISA recommends the following actions to reduce the risks associated with potential credential compromise: 

• For Organizations:
  • Reset passwords for any known affected users across enterprise services, particularly where local credentials may not be federated through enterprise identity solutions.  
  • Review source code, infrastructure-as-code templates, automation scripts, and configuration files for hardcoded or embedded credentials and replace them with secure authentication methods supported by centralized secret management.
  • Monitor authentication logs for anomalous activity, especially involving privileged, service, or federated identity accounts, and assess whether additional credentials (such as API keys and shared accounts) may be associated with any known impacted identities.
  • Enforce phishing-resistant multi-factor authentication (MFA) for all user and administrator accounts wherever technically feasible.
  • For additional information for or on Cloud security best practices please review the following Cybersecurity Information Sheets: CISA and NSA Release Cybersecurity Information Sheets on Cloud Security Best Practices.
• For Users:
  • Immediately update any potentially affected passwords that may have been reused across other platforms or services.
  • Use strong, unique passwords for each account and enable phishing-resistant multifactor authentication (MFA) on services and applications that support it. For more information on using strong passwords, see CISA’s Use Strong Passwords web page. For more information on phishing-resistant MFA see CISA’s Implementing Phishing-Resistant MFA Fact Sheet.
  • Remain alert against phishing attempts (e.g., referencing login issues, password resets, or suspicious activity notifications) and reference Phishing Guidance: Stopping the Attack Cycle at Phase One.

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at Report@cisa.gov or (888) 282-0870.  

 Disclaimer:  

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. 

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Delta Electronics
• Equipment: COMMGR
• Vulnerability: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow for an attacker to remotely access the AS3000Simulator family in the COMMGR software and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of COMMGR, a software management platform that contain virtual PLCs, are affected:

• COMMGR (Version 1): All versions
• COMMGR (Version 2): All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 USE OF CRYPTOGRAPHICALLY WEAK PSEUDO-RANDOM NUMBER GENERATOR (PRNG) CWE-338

The software uses insufficiently randomized values to generate session IDs. An attacker could easily brute force a session ID and load and execute arbitrary code.

CVE-2025-3495 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3495. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Communications, Critical Manufacturing, Energy, Healthcare and Public Health
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: Taiwan

3.4 RESEARCHER

Trend Micro’s Zero Day Initiative (ZDI) reported this vulnerability to CISA.

4. MITIGATIONS

COMMGR software Version 1 has reached end of life (EOL). Delta Electronics will release a fix for COMMGR software Version 2.

Delta Electronics recommends users of COMMGR software Version 1 to take the following precautions:

• Minimize network exposure for all control system devices and software, ensuring they are not accessible from the Internet.
• When remote access is required, use secure methods such as Virtual Private Networks (VPNs).
• Place control system networks and remote devices behind firewalls and isolate them from the business network.
• Never connect programming software to any network other than the one intended for that device.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 15, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Growatt
• Equipment: Cloud Applications
• Vulnerabilities: Cross-site Scripting, Authorization Bypass Through User-Controlled Key, Insufficient Type Distinction, External Control of System or Configuration Setting

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to compromise confidentiality, achieve cross-site scripting, or code execution on affected devices.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Growatt products are affected:

• Growatt cloud portal: Versions 3.6.0 and prior.

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

An authenticated attacker can achieve stored XSS by exploiting improper sanitization of the plant name value while adding or editing a plant.

CVE-2025-30511 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30511. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.2 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can check the existence of usernames in the system by querying an API.

CVE-2025-31933 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-CVE-2025-31933. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.3 Authorization Bypass Through User-Controlled Key CWE-639

An authenticated attacker can obtain any plant name by knowing the plant ID.

CVE-2025-31949 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31949. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain a user’s plant list by knowing the username.

CVE-2025-31357 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31357. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.5 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain a list of smart devices by knowing a valid username.

CVE-2025-31941 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31941. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.6 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can infer the existence of usernames in the system by querying an API.

CVE-2025-24487 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24487. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.7 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can get users’ emails by knowing usernames. A password reset email will be sent in response to this unsolicited request.

CVE-2025-27568 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27568. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.8 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain a serial number of a smart meter(s) using its owner’s username.

CVE-2025-30254 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30254. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.9 Authorization Bypass Through User-Controlled Key CWE-639

An attacker can change registered email addresses of other users and take over arbitrary accounts.

CVE-2025-27939 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27939. A base score of 8.7 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N).

3.2.10 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can obtain restricted information about a user’s smart device collections (i.e., “rooms”).

CVE-2025-27938 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27938. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.11 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can obtain restricted information about a user’s smart device collections (i.e., “scenes”).

CVE-2025-30514 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30514. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.12 Authorization Bypass Through User-Controlled Key CWE-639

An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., “rooms”).

CVE-2025-31654 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31654. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.13 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can query an API endpoint and get device details.

CVE-2025-27719 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27719. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.14 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can rename arbitrary devices of arbitrary users (i.e., EV chargers).

CVE-2025-26857 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-26857. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.15 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain other users’ charger information.

CVE-2025-31945 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31945. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.16 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain EV charger energy consumption information of other users.

CVE-2025-31950 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31950. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.17 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can obtain EV charger version and firmware upgrading history by knowing the charger ID.

CVE-2025-27575 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27575. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.18 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can delete any user’s “rooms” by knowing the user’s and room IDs.

CVE-2025-27565 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27565. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.19 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attacker can hijack other users’ devices and potentially control them.

CVE-2025-25276 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-25276. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.20 Authorization Bypass Through User-Controlled Key CWE-639

An attacker can export other users’ plant information.

CVE-2025-24850 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24850. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.21 Insufficient Type Distinction CWE-351

An attacker can upload an arbitrary file instead of a plant image.

CVE-2025-30510 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-30510. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.22 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) CWE-79

Due to lack of server-side input validation, attackers can inject malicious JavaScript code into users personal spaces of the web portal.

CVE-2025-24297 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-24297. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.23 Authorization Bypass Through User-Controlled Key CWE-639

An unauthenticated attackers can obtain a list of smart devices by knowing a valid username through an unprotected API.

CVE-2025-27927 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27927. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.24 External Control of System or Configuration Setting CWE-15

Unauthenticated attackers can send configuration settings to device and possible perform physical actions remotely (e.g., on/off).

CVE-2025-30512 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-30512. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.25 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can trigger device actions associated with specific “scenes” of arbitrary users.

CVE-2025-31360 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-31360. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.26 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users.

CVE-2025-31147 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-31147. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.27 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can retrieve serial number of smart meters associated to a specific user account.

CVE-2025-30257 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-30257. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.28 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can rename “rooms” of arbitrary users.

CVE-2025-27561 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27561. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.29 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).

CVE-2025-24315 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-24315. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.2.30 Authorization Bypass Through User-Controlled Key CWE-639

Unauthenticated attackers can retrieve full list of users associated with arbitrary accounts.

CVE-2025-27929 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N).

A CVSS v4 score has also been calculated for CVE-2025-27929. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Energy
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: China

3.4 RESEARCHER

Forescout Technologies reported these vulnerabilities to CISA.

4. MITIGATIONS

Growatt reports the cloud-based vulnerabilities were patched and no user action is needed. Additionally, Growatt strongly recommends that their users take proactive steps in securing their devices and take the following actions:

• Update all devices to the latest firmware version when available. (Updates are automatic, no user action needed.)
• Use strong passwords and enable multi-factor authentication where applicable.
• Report any security concerns to Service@Growatt.com.
• Stay vigilant. Users and installers should regularly review security settings, follow best practices, and report any unusual activity.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

5. UPDATE HISTORY

• April 15, 2025: Initial Publication

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Lantronix
• Equipment: Xport

• Vulnerability: Missing Authentication for Critical Function

  2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker unauthorized access to the configuration interface and cause disruption to monitoring and operations.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Lantronix products are affected:

• Xport: Versions 6.5.0.7 to 7.0.0.3

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An attacker could modify or disable settings, disrupt fuel monitoring and supply chain operations, leading to disabling of ATG monitoring. This would result in potential safety hazards in fuel storage and transportation.

CVE-2025-2567 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-2567. A base score of 9.3 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

• CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing, Energy, Transportation Systems, Water and Wastewater Systems
• COUNTRIES/AREAS DEPLOYED: Worldwide
• COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Souvik Kandar from Microsec(microsec.io) reported this vulnerability to CISA.

4. MITIGATIONS

Lantronix recommends users upgrade to their Xport Edge product, which brings in more cutting edge security suite. Xport edge is not affected by these vulnerabilities. Users should contact Lantronix directly for assistance.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

• Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
• Locate control system networks and remote devices behind firewalls and isolating them from business networks.
• When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

• Do not click web links or open attachments in unsolicited email messages.
• Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
• Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

• April 15, 2025: Initial Publication