
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) last week released ten Industrial Control Systems (ICS) advisories, offering timely information on current security issues, vulnerabilities, and exploits affecting ICS environments. The agency disclosed the presence of hardware vulnerabilities in equipment from Delta Electronics, Johnson Controls, Burk Technology, Rockwell Automation, Packet Power, Dreame Technology, EG4 Electronics, and Yealink.
In its advisory, CISA disclosed that Delta Electronics’ DIAView industrial automation management system contains an improper restriction of a pathname to a restricted directory vulnerability. The flaw affects version 4.2.0.0 of DIAView, which is used for real-time system control. “Successful exploitation of this vulnerability may allow a remote attacker to read or write files on the affected device.”
Used across the global chemical, commercial facilities, critical manufacturing, energy, transportation, and water and wastewater sectors, Delta Electronics’ DIAView is vulnerable to a path traversal flaw that could allow an attacker to remotely read or write files on the system. The vulnerability, tracked as CVE-2025-53417, has been assigned a CVSS v3.1 base score of 9.8 and a CVSS v4 base score of 9.3.
hir0ot, working with Trend Micro Zero Day Initiative, reported this vulnerability to CISA. Delta Electronics recommends users update to DIAView v4.3.0 or later.
In another advisory, CISA reported that Johnson Controls’ FX80 and FX90 equipment contains a dependency on a vulnerable third-party component. The equipment is used globally in the critical manufacturing, commercial facilities, government facilities, transportation systems, and energy sectors, and the flaw could allow an attacker to compromise the device’s configuration files if exploited.
The affected Johnson Controls products include FX80 versions 14.10.10 and 14.14.1, as well as FX90 versions 14.10.10 and 14.14.1.
The affected product depends on a vulnerable third-party component, which could allow an attacker to compromise device configuration files. The vulnerability is tracked as CVE-2025-43867, with a CVSS v3.1 base score of 7.7 and a CVSS v4 base score of 8.4. Johnson Controls reported the flaw to CISA.
Johnson Controls advises users to update to the latest version, warning that successful exploitation of CVE-2025-43867 could trigger additional flaws, including CVE-2025-3936 through CVE-2025-3945. For systems running version 14.10.10, the 14.10.11 patch is available through the company’s software portal, while systems running version 14.14.1 should apply the 14.14.2 patch. Version 14.10.10 contains Niagara 4.10u10, and version 14.14.1 contains Niagara 4.14u1. Access to the software portal requires valid login credentials.
In another advisory, CISA announced that Burk Technology’s ARC Solo, a monitoring and control device primarily used in broadcasting, contains a missing authentication for critical function vulnerability in versions prior to v1.0.62. The flaw, which affects the global communications sector, could allow an attacker to gain access to the device, lock out authorized users, or disrupt operations.
The device’s password change mechanism can be utilized without proper authentication procedures, allowing an attacker to take over the device. A password change request can be sent directly to the device’s HTTP endpoint without providing valid credentials. The system does not enforce proper authentication or session validation, allowing the password change to proceed without verifying the request’s legitimacy.
The vulnerability is tracked as CVE-2025-5095, with a CVSS v3 base score of 9.8 and a CVSS v4 base score of 9.3. Souvik Kandar of MicroSec (microsec.io) reported this vulnerability to CISA.
Burk Technology recommends users update their ARC Solo devices to version v1.0.62 or later. The upgrade can be downloaded from the Burk Technology website.
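The missing check described for the ARC Solo password-change endpoint can be shown side by side with a hardened handler. This is an added example, not Burk Technology's code or part of the advisory; the `Device` class, the request fields and the status codes are hypothetical.

```python
import hashlib
import hmac
import secrets

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Device:
    """Hypothetical device account store with a single admin user."""

    def __init__(self, password):
        self.sessions = set()          # tokens issued by login()
        self._set_password(password)

    def _set_password(self, new_password):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = _hash(new_password, self.salt)

    def _password_ok(self, password):
        return hmac.compare_digest(_hash(password, self.salt), self.pw_hash)

    def login(self, password):
        if not self._password_ok(password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions.add(token)
        return token

    def change_password_unauthenticated(self, request):
        """Flawed pattern: any request that reaches the endpoint succeeds."""
        self._set_password(request["new_password"])
        return 200

    def change_password(self, request):
        """Hardened: valid session AND proof of the current password."""
        if request.get("session", "") not in self.sessions:
            return 401                 # no session, or an unknown one
        if not self._password_ok(request.get("current_password", "")):
            return 403                 # a session alone is not enough
        new_password = request.get("new_password")
        if not new_password:
            return 400
        self._set_password(new_password)
        self.sessions = set()          # force re-login on every client
        return 200
```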
In another advisory, CISA reported that Rockwell Automation’s Arena software, version 16.20.09 and earlier, contains out-of-bounds read, stack-based buffer overflow, and heap-based buffer overflow vulnerabilities. Successful exploitation could allow an attacker to disclose sensitive information or execute arbitrary code.
A local code execution vulnerability exists in Rockwell Automation Arena due to a threat actor’s ability to read outside of the allocated memory buffer. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can disclose information and execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
The vulnerability is tracked as CVE-2025-7025, with a CVSS v3.1 base score of 7.8 and a CVSS v4 base score of 8.4.
A local code execution vulnerability exists in Rockwell Automation Arena due to a stack-based memory buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file.
The vulnerability is tracked as CVE-2025-7032, with a CVSS v3.1 base score of 7.8 and a CVSS v4 base score of 8.4.
A local code execution vulnerability exists in Rockwell Automation Arena due to a heap-based buffer overflow. The flaw is a result of improper validation of user-supplied data. If exploited, a threat actor can execute arbitrary code on the system. To exploit the vulnerability, a legitimate user must open a malicious DOE file. The vulnerability is tracked as CVE-2025-7033, with a CVSS v3.1 base score of 7.8 and a CVSS v4 base score of 8.4.
The software is deployed across the global critical manufacturing sector. Michael Heinzl reported these vulnerabilities to CISA. Rockwell Automation recommends that users update to Arena version 16.20.10 or later.
In a separate advisory, CISA disclosed a missing authentication for critical function vulnerability affecting Packet Power EMX and EG equipment. Impacted products include EMX versions earlier than 4.1.0 and EG versions earlier than 4.1.0. “Successful exploitation of this vulnerability could allow an attacker to gain full access to the device without authentication.”
The products are deployed in the global energy sector. CISA said that, by default, the Packet Power Monitoring and Control Web Interface does not enforce authentication mechanisms. This vulnerability could allow unauthorized users to access and manipulate monitoring and control functions.
CVE-2025-8284 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 9.8 and a CVSS v4 base score of 9.3. Anthony Rose and Jacob Krasnov of BC Security reported this vulnerability to CISA. Packet Power recommends updating affected products to version 4.1.0 or later and isolating devices whenever possible.
In another advisory, CISA revealed that Dreame Technology’s Dreamehome and MOVAhome mobile applications contain an improper certificate validation vulnerability. The affected versions include Dreamehome for iOS, version 2.3.4 and earlier; Dreamehome for Android, version 2.1.8.8 and earlier; and MOVAhome for iOS, version 1.2.3 and earlier. “Successful exploitation of this vulnerability could result in unauthorized information disclosure.”
The applications are deployed in the global communications sector. CISA disclosed that a TLS vulnerability exists in the phone application used to manage a connected device. The phone application accepts self-signed certificates when establishing TLS communication, which may result in man-in-the-middle attacks on untrusted networks. Captured communications may include user credentials and sensitive session tokens.
CVE-2025-8393 has been assigned to this vulnerability, with a CVSS v3.1 base score of 7.3 and a CVSS v4 base score of 8.5. Dennis Giese reported this vulnerability to CISA. However, Dreame Technology did not respond to CISA’s request for coordination.
In another advisory, CISA reported that EG4 Electronics’ EG4 inverters contain multiple vulnerabilities, including cleartext transmission of sensitive information, download of code without integrity check, observable discrepancy, and improper restriction of excessive authentication attempts. All versions of the EG4 12kPV, EG4 18kPV, EG4 Flex 21, EG4 Flex 18, EG4 6000XP, EG4 12000XP, and EG4 GridBoss are affected.
The advisory noted that successful exploitation of these vulnerabilities could allow an attacker to intercept and manipulate critical data, install malicious firmware, hijack device access, and gain unauthorized control over the system.
The inverters are deployed across the global energy sector. CISA identified that the MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.
CVE-2025-52586 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.9 and a CVSS v4 base score of 7.5.
The affected product allows firmware updates to be downloaded from EG4’s website, transferred via USB dongles, or installed through EG4’s Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection. CVE-2025-53520 has been assigned to this vulnerability, with a CVSS v3.1 base score of 8.8 and a CVSS v4 base score of 8.6.
The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns. CVE-2025-47872 has been assigned to this vulnerability, with a CVSS v3.1 base score of 5.8 and a CVSS v4 base score of 6.9.
The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025. CVE-2025-46414 has been assigned to this vulnerability, with a CVSS v3.1 base score of 8.1 and a CVSS v4 base score of 9.2.
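The two server-side weaknesses above (a registration endpoint whose replies reveal the state of a serial number, and unlimited PIN attempts) have a common shape of fix, sketched here as an added example. It is not EG4's code or the content of its server-side update; `RegistrationService`, the limits and the reply values are hypothetical, and it assumes the real registration outcome is delivered out of band.

```python
import hmac
import time

MAX_ATTEMPTS = 5          # failed PIN tries allowed per serial number
LOCKOUT_SECONDS = 900     # lockout window once the limit is reached
GENERIC_REPLY = {"status": "received"}   # same body for every S/N state

class RegistrationService:
    """Hypothetical registration/PIN back end."""

    def __init__(self, devices, clock=time.monotonic):
        # devices: serial -> {"registered": bool, "pin": str}
        self.devices = devices
        self.clock = clock
        self.failures = {}    # serial -> (count, time of first failure)

    def register(self, serial):
        """One reply whether the S/N is unknown, unregistered or taken."""
        device = self.devices.get(serial)
        if device is not None and not device["registered"]:
            device["registered"] = True   # result reported out of band
        return GENERIC_REPLY

    def _locked(self, serial):
        count, first = self.failures.get(serial, (0, 0.0))
        elapsed = self.clock() - first
        if count >= MAX_ATTEMPTS and elapsed < LOCKOUT_SECONDS:
            return True
        if count and elapsed >= LOCKOUT_SECONDS:
            del self.failures[serial]     # window expired, start over
        return False

    def check_pin(self, serial, pin):
        """Return 'ok', 'denied' or 'locked'; unknown S/Ns act like bad PINs."""
        if self._locked(serial):
            return "locked"
        device = self.devices.get(serial)
        expected = device["pin"] if device and device["registered"] else ""
        # Always run the constant-time compare, even for unknown serials.
        match = hmac.compare_digest(pin.encode(), expected.encode())
        if match and expected:
            self.failures.pop(serial, None)
            return "ok"
        count, first = self.failures.get(serial, (0, self.clock()))
        self.failures[serial] = (count + 1, first)
        return "denied"
```

Failures are counted for unknown serial numbers as well, so the lockout itself does not reveal which serial numbers exist. A per-serial lockout can be used to lock out the legitimate owner, so it is normally paired with per-client throttling.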
In another advisory, CISA reported that Yealink IP phones contain multiple vulnerabilities, including improper restriction of excessive authentication attempts, allocation of resources without limits or throttling, incorrect authorization, and improper certificate validation. CISA warned that successful exploitation could lead to information disclosure.
The affected products lack serial number verification attempt limits, enabling brute-force enumeration (last five digits). CVE-2025-52916 has been assigned to this vulnerability, with a CVSS v3 base score of 2.2 and a CVSS v4 base score of 2.1.
The affected products lack rate limiting, potentially enabling information disclosure via excessive requests. CVE-2025-52917 has been assigned to this vulnerability, with a CVSS v3 base score of 4.3 and a CVSS v4 base score of 5.3.
The affected products fail to enforce access restrictions on OpenAPIs for frozen enterprise accounts, allowing unauthorized access to deactivated interfaces. CVE-2025-52918 has been assigned to this vulnerability, with a CVSS v3 base score of 5.0 and a CVSS v4 base score of 5.3.
The certificate upload function in the affected products does not properly validate certificate content, potentially allowing invalid certificates to be uploaded. CVE-2025-52919 has been assigned to this vulnerability, with a CVSS v3 base score of 4.3 and a CVSS v4 base score of 5.3.
The products are deployed in the communications sector. Jeroen Hermans of CloudAware reported these vulnerabilities to the cybersecurity agency.
CISA advises users to minimize the risk of exploitation by reducing network exposure for all control system devices and systems, ensuring they are not accessible from the Internet. Control system networks and remote devices should be placed behind firewalls and isolated from business networks.
When remote access is necessary, organizations should use secure methods such as Virtual Private Networks (VPNs), keeping in mind that VPNs may contain vulnerabilities and must be kept up to date, and that a VPN is only as secure as the devices connected to it. CISA also urges organizations to conduct proper impact analysis and risk assessments before implementing any defensive measures.

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.