
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued new ICS (industrial control systems) advisories on Tuesday, highlighting active vulnerabilities and threats targeting critical infrastructure. The affected systems include equipment from Kaleris, Delta Electronics, Schneider Electric, ControlID, Parsons, and MICROSENS, widely deployed across critical industrial environments. CISA urges asset owners and administrators to review the technical advisories and apply available mitigations without delay.

In an advisory, CISA revealed ‘deserialization of untrusted data’ and ‘cleartext transmission of sensitive information’ vulnerabilities in the Kaleris Navis N4 terminal operating system, in versions before 4.0, which is used across global transportation systems. “Successful exploitation of these vulnerabilities could allow an attacker to remotely exploit the operating system, achieve remote code execution, or extract sensitive information.”

Kaleris NAVIS N4 ULC (Ultra Light Client) contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can make specially crafted requests to execute arbitrary code on the server. CVE-2025-2566 has been assigned to the vulnerability, with a CVSS v3.1 base score of 9.8. Under CVSS v4, the base score is 9.3, signaling a critical severity level under both frameworks.

Kaleris NAVIS N4 ULC (Ultra Light Client) communicates insecurely using zlib-compressed data over HTTP. An attacker capable of observing network traffic between Ultra Light Clients and N4 servers can extract sensitive information, including plaintext credentials. CVE-2025-5087 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 5.9 and a CVSS v4 base score of 6.0, indicating a medium-severity risk under both scoring systems.

Kaleris reported these vulnerabilities to CISA. It recommends that users upgrade to one of the following or later versions of Navis N4: 3.1.44, 3.2.26, 3.3.27, 3.4.25, 3.5.18, 3.6.14, 3.7.0, or 3.8.0.

For users unable to upgrade, several mitigations are advised. If N4 does not need internet access, it should be placed behind a firewall. If CAP must be internet-facing, disable the Ultra Light Client on exposed nodes by blocking Ultra Light Client URLs at the load balancer or firewall. Alternatively, disable the Ultra Light Client endpoint on the N4 cluster node by commenting out the relevant sections in the web.xml file and restarting the server.

If internet exposure of the Ultra Light Client is unavoidable, use one of the following options: set up a secure VPN for authorized external users, deploy an authenticated jump system such as Citrix or VDI, or whitelist known external IP addresses, which is the least secure option.

Additional security controls include minimizing the number of N4 nodes exposed to the internet, enabling and correctly configuring HTTPS on the firewall or load balancer, and using a reliable third-party firewall with built-in DDoS protection and intrusion detection.

TLS must be configured on the load balancer; setup guidance is available in the Application Security Guide provided to all users. As a long-term solution, Kaleris recommends upgrading to N4 version 4.0, which replaces the Ultra Light Client with an HTML-based UI. Kaleris has issued a security advisory to customers currently running its software.

In a separate advisory, CISA disclosed an out-of-bounds write vulnerability in Delta Electronics CNCSoft, a human-machine interface tool. The flaw affects version 1.01.34 and earlier, which are widely used in the critical manufacturing and energy sectors. “Successful exploitation of these vulnerabilities could allow an attacker to execute code within the context of the current process.”

Delta Electronics CNCSoft does not properly validate user-supplied files. If a user opens a maliciously crafted file, an attacker can leverage this vulnerability to execute code within the context of the current process. CVE-2025-47724 has been assigned to this vulnerability, which carries a CVSS v3.1 base score of 7.7 and a CVSS v4 base score of 7.3, indicating a high-severity risk under both scoring systems.

Natnael Samson, working with Trend Micro Zero Day Initiative, reported this vulnerability to CISA.

Delta Electronics does not plan to patch this vulnerability, as the A-series CNC products supported by CNCSoft have been discontinued. CNCSoft will be removed from the Delta Download Center. Users are strongly advised to migrate to newer Delta CNC products and their corresponding software as soon as possible.

As general guidance, Delta recommends avoiding untrusted internet links and unsolicited email attachments, keeping control systems and equipment off the internet, placing systems behind a firewall with proper network isolation, and using secure remote access methods such as a virtual private network (VPN) when access is necessary.

CISA revealed the presence of improper input validation, improper neutralization of input during web page generation (cross-site scripting), and uncontrolled resource consumption vulnerabilities in Schneider Electric Modicon controllers, which are deployed globally across commercial facilities, critical manufacturing, and energy sectors. “Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the device or cause a denial-of-service condition.”

The advisory reports that multiple Schneider Modicon controller models are affected. Modicon M241 and M251 controllers are vulnerable in versions before 5.3.12.51, and Modicon M262 is affected in versions prior to 5.3.9.18; these are tied to CVE-2025-3898 and CVE-2025-3117. All versions of the Modicon M258 and LMC058 controllers are impacted, with vulnerabilities tracked as CVE-2025-3905, CVE-2025-3116, and CVE-2025-3117.
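The affected-version statements for Navis N4 (a separate fix on each 3.x branch, with 4.0 outside the affected range) and for the Modicon models (two different fixed versions, and two models with no fix at all) are easy to misread when an inventory is checked by hand. The Python script below is an added example, not Kaleris, Schneider or CISA code: it transcribes the fixed versions exactly as the advisories list them and reports which installed versions still need action. The inventory entries are constructed sample data, and treating an N4 version above 3.8.0 but below 4.0 as fixed is an assumption drawn from the advisory's "or later" wording.

```python
"""Check installed versions against the fixed versions named in the Kaleris and Schneider advisories.

Added example. The version tables are transcribed from the advisory text summarised on
this page; the inventory at the bottom is constructed sample data.
"""
from __future__ import annotations


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '5.3.12.51' into (5, 3, 12, 51) so comparisons are numeric, not string-based."""
    return tuple(int(part) for part in text.strip().split("."))


# Kaleris Navis N4: the fix lands separately on each 3.x branch. 4.0 removes the
# Ultra Light Client altogether, so 4.0 and later are outside the affected range.
N4_FIXED_BY_BRANCH: dict[tuple[int, int], tuple[int, ...]] = {
    (3, 1): (3, 1, 44), (3, 2): (3, 2, 26), (3, 3): (3, 3, 27), (3, 4): (3, 4, 25),
    (3, 5): (3, 5, 18), (3, 6): (3, 6, 14), (3, 7): (3, 7, 0), (3, 8): (3, 8, 0),
}


def navis_n4_vulnerable(version: str) -> bool:
    """True when an N4 build still ships the vulnerable Ultra Light Client."""
    v = parse_version(version)
    if v >= (4, 0):
        return False
    fixed = N4_FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        # Branch not listed. Below 3.1 there is no fixed release, so an upgrade is required.
        # Above 3.8.0 (a hypothetical 3.9.x) is "later" than a fixed release; treating it as
        # fixed is an assumption based on the advisory's "or later" wording.
        return v < (3, 8, 0)
    return v < fixed


# Schneider Modicon: None means every version is affected and no fix has shipped yet.
MODICON_FIXED: dict[str, tuple[int, ...] | None] = {
    "M241": (5, 3, 12, 51),
    "M251": (5, 3, 12, 51),
    "M262": (5, 3, 9, 18),
    "M258": None,
    "LMC058": None,
}


def modicon_vulnerable(model: str, version: str) -> bool:
    """True when the controller firmware predates its fix, or when no fix exists."""
    if model not in MODICON_FIXED:
        raise ValueError(f"model {model!r} is not covered by this advisory")
    fixed = MODICON_FIXED[model]
    return True if fixed is None else parse_version(version) < fixed


def inventory_report(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return one line per asset that still needs action. Entries are (product, model, version)."""
    needs_action = []
    for product, model, version in inventory:
        if product == "navis-n4":
            flagged = navis_n4_vulnerable(version)
        elif product == "modicon":
            flagged = modicon_vulnerable(model, version)
        else:
            raise ValueError(f"unknown product {product!r}")
        if flagged:
            needs_action.append(f"{product} {model} {version}")
    return needs_action


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    ("navis-n4", "cluster-a", "3.4.24"),   # below 3.4.25: vulnerable
    ("navis-n4", "cluster-b", "3.7.0"),    # fixed release
    ("navis-n4", "cluster-c", "4.0.1"),    # ULC removed in 4.0
    ("modicon", "M241", "5.3.12.50"),      # one below the fix
    ("modicon", "M262", "5.3.9.18"),       # fixed release
    ("modicon", "M258", "5.3.12.51"),      # no fix yet: always flagged
]

if __name__ == "__main__":
    for line in inventory_report(SAMPLE_INVENTORY):
        print("needs action:", line)
```

Versions are compared as integer tuples rather than strings so that, for example, 5.3.9.18 sorts below 5.3.12.51 as it should; a string comparison would get that wrong.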

Loc Nguyen, Dat Phung, Thai Do, and Minh Pham of Unit 515, OPSWAT, reported these vulnerabilities to Schneider Electric. 

Schneider Electric has detailed specific workarounds and mitigations to reduce the risk associated with recently disclosed vulnerabilities in several Modicon controllers.

For the Modicon M241 and M251 controllers, version 5.3.12.51 includes fixes for the vulnerabilities and can be downloaded directly. Users should update the firmware using the Controller Assistant feature within EcoStruxure Automation Expert – Motion V24.1 and then perform a reboot. This version of EcoStruxure is available via the Schneider Electric Software Installer.

For the Modicon M262 controller, version 5.3.9.18 addresses CVE-2025-3898 and CVE-2025-3117. Users should apply the firmware update using the same EcoStruxure Controller Assistant and reboot the device. For users who are unable, or choose not, to apply these updates, Schneider recommends mitigations to reduce exposure: operate controllers within a protected environment, isolated from the public internet and untrusted networks; enable the user management and password features, which are activated by default and enforce strong password creation at first use; and disable the web server when it is not in use. It also suggests using encrypted communication links, implementing network segmentation and firewalls to block unauthorized access to HTTP (port 80) and HTTPS (port 443), and using VPN tunnels for any required remote access.

Additional product-specific hardening guidelines are available in the ‘Cybersecurity Guidelines for EcoStruxure Machine Expert, Modicon and PacDrive Controllers and Associated Equipment.’

For Modicon M258 and LMC058 controllers, which are affected by CVE-2025-3905, CVE-2025-3116, and CVE-2025-3117, Schneider Electric is currently developing a remediation plan. Fixes will be included in future firmware versions. The advisory SEVD-2025-161-02 will be updated when remediation becomes available. In the meantime, users should implement the above-listed mitigations without delay. 

In another advisory, CISA disclosed multiple vulnerabilities affecting all versions of Schneider Electric’s EVLink WallBox, including improper limitation of a pathname to a restricted directory (path traversal), improper neutralization of input during web page generation (cross-site scripting), and improper neutralization of special elements used in an OS command (OS command injection). “Successful exploitation of these vulnerabilities could allow an attacker to gain remote control of the charging station.”

The vulnerabilities affect the global transportation sector. The Dutch Institute for Vulnerability Disclosure (DIVD) reported them to Schneider Electric.

Schneider Electric has confirmed that the EVLink WallBox has reached end of life and is no longer supported. Users are strongly encouraged to upgrade to the replacement product, EVLink Pro AC, to fully address the identified vulnerabilities.

In the meantime, Schneider recommends immediate risk-reduction measures. Users should configure firewalls and network segmentation to block all unauthorized access to HTTP ports and regularly review access logs for suspicious activity. Strong password practices are also essential: users should choose complex passwords, avoid sharing credentials, and update them regularly.
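Schneider's advice to review access logs for suspicious activity is easy to state and tedious to do by hand. The script below is an added example, not Schneider or CISA code: it parses common-log-format lines and flags request targets carrying the markers of the three vulnerability classes named in the EVLink advisory (path traversal, script injection into generated pages, and OS command metacharacters), decoding percent-encoding twice so that a doubly encoded `../` is not missed. The log lines and IP addresses are constructed, and the patterns are coarse triage rules meant to point a reviewer at lines worth reading, not a complete detection ruleset.

```python
"""Triage web-server access logs for request targets that merit a closer look.

Added example with constructed sample data; the patterns are deliberately simple.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in common log format. Addresses are from the 192.0.2.0/24
# documentation range and do not belong to any real device.
SAMPLE_LOG = """\
192.0.2.10 - - [24/Jun/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.11 - - [24/Jun/2025:10:01:09 +0000] "GET /cgi-bin/status?file=../../etc/passwd HTTP/1.1" 404 0
192.0.2.12 - - [24/Jun/2025:10:02:15 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 80
192.0.2.13 - - [24/Jun/2025:10:03:30 +0000] "POST /api/ping?host=127.0.0.1;id HTTP/1.1" 500 0
192.0.2.14 - - [24/Jun/2025:10:03:45 +0000] "GET /download?name=%252e%252e%252fconfig HTTP/1.1" 403 0
192.0.2.10 - - [24/Jun/2025:10:04:00 +0000] "GET /status HTTP/1.1" 200 300
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Characters that only matter if the target ends up inside a shell command line.
SHELL_META = (";", "|", "`", "$(", "&&")


def is_traversal(target: str) -> bool:
    return "../" in target or "..\\" in target


def is_script_injection(target: str) -> bool:
    lowered = target.lower()
    return "<script" in lowered or "javascript:" in lowered


def has_shell_meta(target: str) -> bool:
    return any(marker in target for marker in SHELL_META)


CHECKS = [
    ("path traversal", is_traversal),
    ("script injection", is_script_injection),
    ("shell metacharacter", has_shell_meta),
]


def decode_target(target: str) -> str:
    # Decode twice so that %252e%252e%252f (a twice-encoded "../") is still caught.
    return unquote(unquote(target))


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose decoded request target trips a check."""
    findings = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # not in the expected format; a real tool would count these
        decoded = decode_target(match["target"])
        reasons = [label for label, check in CHECKS if check(decoded)]
        if reasons:
            findings.append({
                "ip": match["ip"],
                "target": match["target"],
                "status": int(match["status"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f'{finding["ip"]} {finding["status"]} {finding["target"]} -> {", ".join(finding["reasons"])}')
```

Only the decoded target is inspected, and the original encoded form is kept in the finding so the reviewer can search the raw log for the same line. Legitimate query strings use a single `&` between parameters, which is why the shell check looks for `&&` rather than `&`.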

CISA reported that ControlID iDSecure On-premises, a vehicle control software, is affected by vulnerabilities in versions 4.7.48.0 and earlier, including improper authentication, server-side request forgery (SSRF), and SQL injection. “Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, retrieve information, leak arbitrary data, or perform SQL injections.”

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to an Improper Authentication vulnerability, which could allow an attacker to bypass authentication and gain permissions in the product. CVE-2025-49851 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 7.5, while the updated CVSS v4 assessment rates it higher, with a base score of 8.7.

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to a Server-Side Request Forgery vulnerability, which could allow an unauthenticated attacker to retrieve information from other servers. CVE-2025-49852 has been assigned to this vulnerability. It has a CVSS v3.1 base score of 7.5, while the CVSS v4 score is higher at 8.7, reflecting increased severity under the updated scoring system.

ControlID iDSecure On-premises versions 4.7.48.0 and prior are vulnerable to SQL injections, which could allow an attacker to leak arbitrary information and insert arbitrary SQL syntax into SQL queries. CVE-2025-49853 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 9.1, while the updated CVSS v4 score rates it slightly higher at 9.3, indicating critical severity.

Noam Moshe of Claroty Team82 reported these vulnerabilities to CISA. ControlID has released version 4.7.50.0 of iDSecure On-premises to address the reported vulnerabilities. Users are strongly advised to update to this version to mitigate risk.
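The iDSecure advisory describes the SQL injection only as the ability to "insert arbitrary SQL syntax into SQL queries". To make that failure and its fix concrete, the snippet below is an added example against an in-memory SQLite table, not ControlID's code: a lookup built by string concatenation sits next to the same lookup using parameter binding, and a single crafted name value shows why the first returns every row while the second returns none. The table, names and badge numbers are constructed.

```python
"""String-built SQL beside the parameterised form of the same query.

Added example on an in-memory SQLite database with constructed rows; it does not
reproduce any vendor's code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Create a throwaway table of constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, badge TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "1001"), ("bob", "1002"), ("carol", "1003")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list[tuple[str]]:
    """Vulnerable form: the caller's string becomes part of the SQL text, so quote
    characters in it change the structure of the query, not just a value."""
    query = "SELECT badge FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list[tuple[str]]:
    """Hardened form: the query text is fixed and the driver binds the value
    separately, so whatever the string contains is compared literally."""
    return conn.execute("SELECT badge FROM users WHERE name = ?", (name,)).fetchall()


def compare(conn: sqlite3.Connection, name: str) -> dict[str, int]:
    """Row counts from both forms for the same input, for side-by-side inspection."""
    return {"unsafe": len(lookup_unsafe(conn, name)), "safe": len(lookup_safe(conn, name))}


if __name__ == "__main__":
    db = build_db()
    print("ordinary name:", compare(db, "alice"))            # both return 1 row
    print("crafted name:", compare(db, "x' OR '1'='1"))       # unsafe returns all 3, safe returns 0
```

The vulnerable function is kept only to show the contrast; in real code the parameterised form is the only one that should exist, and an allow-list on the expected shape of `name` is a sensible second layer rather than a substitute.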

In another advisory, CISA identified a cross-site scripting vulnerability affecting Parsons’ AccuWeather and Custom RSS widgets. “Successful exploitation of this vulnerability could allow an attacker to insert a malicious link that users might access through the RSS feed.”

The cross-site scripting vulnerability affects multiple versions of Parsons Utility Enterprise Data Management, including versions 5.18, 5.03, 3.30, and all versions from 4.02 through 4.26. AclaraONE Utility Portal is also impacted in all versions before 1.22.

A cross-site scripting vulnerability exists in the AccuWeather and Custom RSS widgets that allows an unauthenticated user to replace the RSS feed URL with a malicious one. CVE-2025-5015 has been assigned to this vulnerability. It has a CVSS v3.1 base score of 8.8, while the CVSS v4 assessment rates it slightly lower at 8.7.

The affected products are deployed across the global communications sector. Joshua Dillon reported this vulnerability to CISA.

Parsons has patched this vulnerability in all managed instances of Utility Enterprise Data Management as of January 7, 2025, and no action is required from end users. Aclara has also addressed the issue for all hosted instances of AclaraONE as of February 7, 2025, with no end-user action needed. However, on-premise users of AclaraONE must take action. A patch and mitigation details are available through the Aclara Connect Customer Portal. Users can request assistance by submitting a ticket via the portal or contacting Aclara Support by phone or email. Requests will be handled in the order they are received.

In another advisory, CISA disclosed that MICROSENS NMP Web+ version 3.2.5 and earlier contain multiple vulnerabilities, including use of hard-coded security-relevant constants, insufficient session expiration, and improper limitation of a pathname to a restricted directory (path traversal). “Successful exploitation of these vulnerabilities could allow an attacker to gain system access, overwrite files, or execute arbitrary code.”

The vulnerabilities affect systems deployed across the critical manufacturing sector. Tomer Goldschmidt and Noam Moshe of Claroty Team82 reported them to CISA, and the German Federal Office for Information Security (BSI) CERT-Bund supported coordination efforts with MICROSENS.

MICROSENS recommends that users update to NMP Web+ version 3.3.0 for Windows and Linux.