Summary: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued nine advisories addressing critical vulnerabilities in various Industrial Control Systems (ICS) products, requiring immediate attention from operators. These vulnerabilities could lead to unauthorized access, denial-of-service conditions, and potential code execution, presenting significant risks to critical infrastructure. Users are urged to apply patches and follow best security practices promptly.
Affected: Industrial Control Systems (ICS) products from vendors including Siemens, Growatt, Lantronix, National Instruments, Delta Electronics, ABB, and Mitsubishi Electric.
Key points:
- Siemens Mendix Runtime vulnerable to unauthenticated access; CVE-2025-30280, CVSS 6.9.
- Critical weak authentication flaw in Siemens Industrial Edge Device Kit; CVE-2024-54092, CVSS 9.3.
- Uncontrolled resource consumption in Siemens products could lead to denial-of-service; CVE-2024-23814, CVSS 6.9.
- Multiple vulnerabilities in Growatt Cloud Applications risking data exposure; CVE-2025-30511 and others, CVSS up to 8.7.
- Missing authentication in Lantronix Xport threatens configuration integrity; CVE-2025-2567, CVSS 9.3.
- National Instruments LabVIEW affected by out-of-bounds vulnerabilities; CVE-2025-2631 and CVE-2025-2632, CVSS 7.1.
- Weak random number generator in Delta Electronics COMMGR could enable brute-force attacks; CVE-2025-3495, CVSS 9.3.
- ABB M2M Gateway has serious vulnerabilities allowing remote code execution; CVE-2022-23521 and others, highest CVSS 8.8.
- Mitsubishi smartRTU vulnerable to authentication flaws and command injection; CVE-2025-3232 and CVE-2025-3128, CVSS up to 9.3.
Source: https://gbhackers.com/cisa-issues-9-new-ics-advisories/