The Cybersecurity and Infrastructure Security Agency (CISA) has released seven new Industrial Control System (ICS) advisories, highlighting critical vulnerabilities across multiple vendors, including B&R Automation, Schneider Electric, Rockwell Automation, and BD Diagnostic Solutions. These vulnerabilities pose significant security risks, including remote code execution, data modification, and system disruptions.
Key ICS Vulnerabilities Identified
1. B&R Automation Runtime (CVE-2024-8603)
- Severity: CVSS v3 score of 7.5
- Issue: Use of a broken or risky cryptographic algorithm in SSL/TLS, allowing attackers to impersonate legitimate services.
- Affected Products: B&R Automation Runtime and B&R mapp View (versions prior to 6.1).
- Mitigation: Users are advised to update to version 6.1.
2. Schneider Electric Power Logic (CVE-2024-10497, CVE-2024-10498)
- Severity: CVSS v3 scores of 8.8 and 6.5
- Issues:
- Authorization Bypass through User-Controlled Key, allowing privilege escalation.
- Improper Restriction of Operations within Memory Buffer, leading to data corruption or denial-of-service.
- Affected Products: Schneider Electric Power Logic v0.62.7 and prior.
- Mitigation: Upgrade to version 0.62.11 and implement firewall restrictions.
3. Rockwell Automation FactoryTalk (CVE-2025-24479, CVE-2025-24480)
- Severity: CVSS v4 score of 9.3
- Issues:
- Incorrect Authorization, allowing attackers to access system files.
- OS Command Injection, enabling remote code execution with high privileges.
- Affected Products: FactoryTalk View ME (versions prior to 15.0).
- Mitigation: Upgrade to version 15.0 or apply security patches.
4. Rockwell Automation DataMosaix Private Cloud (CVE-2024-11932, CVE-2020-11656)
- Severity: CVSS v4 score of 9.3
- Issues:
- Exposure of Sensitive Information, allowing unauthorized modification of reports.
- Dependency on Vulnerable Third-Party Components (SQLite flaw leading to arbitrary code execution).
- Affected Products: DataMosaix Private Cloud (versions prior to 7.11).
- Mitigation: Upgrade to version 7.11.01.
5. Schneider Electric RemoteConnect and SCADAPack x70 Utilities (CVE-2024-12703)
- Severity: CVSS v4 score of 8.5
- Issue: Deserialization of untrusted data, potentially leading to remote code execution.
- Affected Products: All versions of RemoteConnect and SCADAPack x70 Utilities.
- Mitigation: Apply security best practices such as verifying file integrity and using encryption.
6. BD Diagnostic Solutions Products (CVE-2024-10476)
- Severity: CVSS v3 score of 8.0
- Issue: Use of default credentials, allowing attackers to access, modify, or delete sensitive data.
- Affected Products: Multiple BD diagnostic systems, including BD BACTEC, BD MAX, and BD Phoenix M50.
- Mitigation: BD is actively deploying patches and encouraging users to restrict device access.
CISA Recommendations
CISA urges organizations to take immediate action to mitigate these vulnerabilities:
- Minimize network exposure for ICS devices, ensuring they are not accessible from the internet.
- Implement firewalls and VPNs to protect remote access.
- Apply software updates and patches as soon as they are available.
- Monitor and log network activity to detect unauthorized access.
The vulnerabilities disclosed by CISA highlight the ongoing security challenges in critical infrastructure sectors. Organizations must prioritize security updates and implement robust cybersecurity measures to defend against potential attacks.