
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued four new industrial control systems (ICS) advisories, one medical device cybersecurity alert, and an update to a previous ICS advisory addressing hardware vulnerabilities in Honeywell, Medtronic, Mitsubishi, LG, and Network Thermostat devices deployed across the critical infrastructure sector. The notices outline current vulnerabilities, threat activity, and mitigation steps. CISA is urging asset owners and operators to review the technical details and apply recommended protections.
In an advisory, CISA disclosed the presence of an ‘Uncontrolled Search Path Element’ vulnerability in Mitsubishi Electric’s CNC Series equipment used in the global critical manufacturing sector. “Successful exploitation of this vulnerability could allow an attacker to execute malicious code by getting setup-launcher to load a malicious DLL.”
The affected Mitsubishi Electric CNC Series products include NC Designer2, NC Designer, NC Configurator2, NC Analyzer2, NC Analyzer, NC Explorer, NC Monitor2, NC Monitor, NC Trainer, NC Trainer plus, NC Visualizer, Remote Monitor Tool, MS Configurator, Mitsubishi Electric Numerical Control Device Communication Software (FCSB1224), and the CNC communication software runtime library M70LC/M730LC.
Additionally, NC Trainer2 and NC Trainer2 plus versions labeled ‘AB’ and prior are also affected. The NC Virtual Simulator is affected in all versions as well.
A malicious code execution vulnerability via DLL hijacking, due to an Uncontrolled Search Path Element (CWE-427), exists in Flexera InstallShield, which is used in multiple software tools and industrial IoT-related products for the Mitsubishi Electric CNC Series. This vulnerability is tracked as CVE-2016-2542 and carries a CVSS v3.1 base score of 7.0.
Sahil Shah reported this vulnerability to Mitsubishi Electric.
The vulnerability has been addressed in NC Trainer2 version ‘AC’ or later and NC Trainer2 plus version ‘AC’ or later. Users should download and install the updated versions from the Mitsubishi Electric download site. However, there are no plans to release fixed versions for the following products: NC Designer, NC Analyzer, NC Monitor, NC Trainer, NC Trainer plus, NC Visualizer, Remote Monitor Tool, and MS Configurator.
For users of products without a fix or those unable to update immediately, Mitsubishi Electric recommends the following mitigations to reduce the risk of exploitation: restrict physical access to the computer running the software, install antivirus protection, avoid opening untrusted files or clicking untrusted links, and only use setup launchers obtained from official Mitsubishi Electric sources. Before running the setup launcher, ensure no DLL files are present in the same folder as the executable.
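The last of those mitigations (no DLL files beside the setup launcher) is easy to turn into a gate that runs before the launcher does. The script below is an added illustration, not code from Mitsubishi Electric or from the advisory: it lists any DLL in the launcher's folder, case-insensitively because Windows library names are case-insensitive, and refuses to start the launcher when one is present. The launcher file name setup.exe and the folder layout are assumptions.

```python
"""Pre-launch check for a setup launcher's folder.

If any DLL sits next to the executable, an uncontrolled search path
(CWE-427) can make the launcher load it instead of the system copy, so the
check blocks the launch rather than relying on the user to look.

Added illustration; the launcher name and paths are assumptions, not values
from the advisory.
"""
import subprocess
import sys
from pathlib import Path


def find_adjacent_dlls(launcher: Path) -> list[str]:
    """Return the names of DLL files in the same folder as `launcher`.

    The suffix comparison is case-insensitive because Windows treats
    `Helper.DLL` and `helper.dll` as the same library on the search path.
    """
    folder = launcher.resolve().parent
    return sorted(
        p.name for p in folder.iterdir()
        if p.is_file() and p.suffix.lower() == ".dll"
    )


def safe_to_launch(launcher: Path) -> tuple[bool, list[str]]:
    """True only when no DLL is adjacent; also returns the offending names."""
    if not launcher.is_file():
        raise FileNotFoundError(f"launcher not found: {launcher}")
    dlls = find_adjacent_dlls(launcher)
    return (len(dlls) == 0, dlls)


def run_launcher(launcher: Path) -> int:
    """Start the launcher only if the folder passes the check.

    Returns the launcher's exit code, or 2 when the launch was blocked.
    """
    ok, dlls = safe_to_launch(launcher)
    if not ok:
        print(f"refusing to start {launcher.name}: DLL files found beside it: "
              f"{', '.join(dlls)}", file=sys.stderr)
        return 2
    return subprocess.run([str(launcher)]).returncode


if __name__ == "__main__":
    # Assumed default name; pass the real launcher path as the first argument.
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("setup.exe")
    sys.exit(run_launcher(target))
```

The check deliberately blocks on any DLL, not just ones with names known to be hijackable, because the advisory's guidance is that the folder should contain none; moving the launcher to an empty folder is the simplest way to satisfy it.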
In another advisory, CISA revealed that Network Thermostat’s X-Series WiFi thermostats contained a ‘Missing Authentication for Critical Function’ vulnerability. The hardware is used across commercial facilities in the U.S. and Canada. “Successful exploitation of this vulnerability could allow an attacker to gain full administrative access to the device.”
The affected Network Thermostat product lines include X-Series WiFi thermostats running version 4.5 up to but not including version 4.6; X-Series WiFi thermostats running version 9.6 up to but not including version 9.46; X-Series WiFi thermostats running version 10.1 up to but not including version 10.29; and X-Series WiFi thermostats running version 11.1 up to but not including version 11.5.
The embedded web server on thermostats running the listed version ranges contains a vulnerability that allows unauthenticated attackers, either on the local area network or from the internet via a router with port forwarding set up, to gain direct access to the thermostat’s embedded web server and reset user credentials by manipulating specific elements of the embedded web interface.
The vulnerability is tracked as CVE-2025-6260. It carries a CVSS v3.1 base score of 9.8 and a CVSS v4 base score of 9.3. Souvik Kandar reported this vulnerability to CISA.
Network Thermostat recommends that users update their X-Series WiFi thermostats to the following minimum versions or newer: version 4.x devices should be updated to at least version 4.6, version 9.x to at least version 9.46, version 10.x to at least version 10.29, and version 11.x to at least version 11.5. This update was applied automatically to reachable units, requiring no action from end users.
In another ICS advisory, CISA revealed that Honeywell Experion PKS hardware is affected by multiple critical flaws, including use of uninitialized variables, buffer operation restrictions, improper data sanitization, integer underflow, and deployment of incorrect handlers. “Successful exploitation of these vulnerabilities could result in information exposure, denial of service, or remote code execution.”
Honeywell reports that these vulnerabilities affect all releases of Experion PKS prior to R520.2 TCU9 Hot Fix 1, as well as all releases prior to R530 TCU3 Hot Fix 1.
The vulnerabilities affect the global chemical, critical manufacturing, energy, healthcare and public health, and water and wastewater systems sectors. Positive Technologies reported them to Honeywell. The company recommends updating to Experion PKS R520.2 TCU9 Hot Fix 1 or R530 TCU3 Hot Fix 1.
In another advisory, CISA disclosed that the LG Innotek Camera Model LNV5110R contained an ‘Authentication Bypass Using an Alternate Path or Channel’ vulnerability, affecting global commercial facilities. “Successful exploitation of this vulnerability could allow an attacker to gain administrative access to the device.”
An authentication vulnerability exists in the LG Innotek camera model LNV5110R firmware that allows a malicious actor to upload content via an HTTP POST request to the device’s non-volatile storage. This action may result in remote code execution that allows an attacker to run arbitrary commands on the target device at the administrator privilege level.
CVE-2025-7742 has been assigned to this vulnerability. It carries a CVSS v3 base score of 7.0 and a higher CVSS v4 base score of 8.3. Souvik Kandar reported this vulnerability to CISA.
The cybersecurity agency added in its advisory that “LG Innotek is aware of the vulnerability but has noted this is an end-of-life product that can no longer be patched.”
CISA warned that Medtronic’s MyCareLink Patient Monitors 24950 and 24952, used globally in the healthcare and public health sector, contain critical vulnerabilities, including cleartext storage of sensitive information, empty passwords in configuration files, and deserialization of untrusted data. “Successful exploitation of these vulnerabilities could lead to system compromise, unauthorized access to sensitive data, and manipulation of the monitor’s functionality.”
All versions of Medtronic’s MyCareLink Patient Monitor models 24950 and 24952 are affected.
Medtronic MyCareLink Patient Monitor uses an unencrypted filesystem on internal storage, which allows an attacker with physical access to read and modify files. CVE-2025-4394 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.8 and an updated CVSS v4 base score of 7.0.
Medtronic MyCareLink Patient Monitor has a built-in user account with an empty password, which allows an attacker with physical access to log in with no password and access/modify system functionality. CVE-2025-4395 has been assigned to this vulnerability, carrying a CVSS v3.1 base score of 6.8 and a CVSS v4 base score of 7.0.
Medtronic MyCareLink Patient Monitor has an internal service that deserializes data, which allows a local attacker to interact with the service by crafting a binary payload to crash the service or elevate privileges. CVE-2025-4393 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.5 and a lower CVSS v4 base score of 5.9.
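The empty-password weakness in the second of these findings is one that asset owners can audit for on their own embedded devices. The script below is an added illustration, not code from Medtronic or from the advisory, and the shadow-file and config-file contents in it are constructed samples. It flags two common places such accounts hide on an embedded Linux system: a shadow or passwd record whose password field is empty (login succeeds with no password, unlike "*" or a leading "!", which mark a locked account), and a key=value service config whose password key has been left blank.

```python
"""Audit for accounts usable with an empty password (CWE-258-style findings).

Added illustration, not code from the advisory; sample data is constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str   # file the finding came from
    name: str     # account name or config key
    reason: str


def audit_shadow(text: str, source: str = "/etc/shadow") -> list[Finding]:
    """Flag shadow/passwd records whose password (second) field is empty."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            findings.append(Finding(source, f"line {lineno}", "malformed record"))
            continue
        user, pw = fields[0], fields[1]
        if pw == "":
            findings.append(Finding(source, user,
                                    "empty password field: login requires no password"))
        # "*" and "!..." denote locked accounts, not empty passwords: not flagged.
    return findings


# Keys whose name contains a password-like word, e.g. password, db_passwd, api_secret.
_PW_KEY = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(?:passw(?:or)?d|passphrase|secret)[A-Za-z0-9_.-]*)"
    r"\s*=\s*(.*?)\s*$",
    re.IGNORECASE,
)


def audit_config(text: str, source: str) -> list[Finding]:
    """Flag password-like keys in key=value config lines whose value is blank."""
    findings = []
    for line in text.splitlines():
        m = _PW_KEY.match(line)
        if m and m.group(2).strip("\"'") == "":
            findings.append(Finding(source, m.group(1),
                                    "password key present but value is empty"))
    return findings


def audit_all(shadow_text: str, config_text: str,
              config_name: str = "service.conf") -> list[Finding]:
    """Run both audits and return the combined findings."""
    return audit_shadow(shadow_text) + audit_config(config_text, config_name)


# Constructed sample inputs: one account with an empty password, one locked
# with "*", one locked with "!", plus a config with a blank password key.
SAMPLE_SHADOW = """root:$6$saltsalt$hashhashhash:19500:0:99999:7:::
service:*:19500:0:99999:7:::
maint::19500:0:99999:7:::
backup:!$6$lockedhash:19500:0:99999:7:::
"""

SAMPLE_CONF = """[uplink]
host = example.invalid
password =
api_secret = "s3cr3t"
"""

if __name__ == "__main__":
    for f in audit_all(SAMPLE_SHADOW, SAMPLE_CONF):
        print(f"{f.source}: {f.name}: {f.reason}")
```

On a real device the two text arguments would come from the extracted filesystem image or a read of /etc/shadow and the service's config directory; because the monitor's storage is unencrypted (the first finding), such an extraction is exactly what an attacker with physical access can also perform, which is why the audit is worth running before deployment rather than after.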
Ethan Morchy from Somerset Recon and Carl Mann, an independent researcher, reported these vulnerabilities to Medtronic.
The advisory noted that the identified vulnerabilities were classified as low risk, requiring physical tampering with the monitor to exploit. In response, Medtronic began deploying security updates in June 2025. These updates are applied automatically when the monitor is connected to the internet, so users should ensure their device remains plugged in. Physicians are advised to continue prescribing the monitors as intended. Users should maintain possession of their home monitor and only use devices provided directly by a healthcare provider or a Medtronic representative.
CISA recommends users take defensive steps to reduce the risk of exploitation. Control system devices and networks should not be exposed to the internet. Place these systems behind firewalls and isolate them from business networks. If remote access is necessary, use secure methods such as virtual private networks (VPNs). Keep in mind that VPNs can have their own vulnerabilities and should be kept up to date. A VPN is only as secure as the devices connected to it.
The agency also urges organizations to conduct thorough impact analyses and risk assessments before implementing any defensive measures.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.