Full Report
Source: Industrial Cyber, "CISA flags critical ICS vulnerabilities in Siemens, Schneider Electric, ABB equipment affecting critical sectors". The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released on Tuesday five ICS (industrial control systems) advisories, providing...
Analysis Summary
# Vulnerability: Multiple ICS Vulnerabilities Disclosed in Siemens, Schneider Electric, and ABB Products
## CVE Details
- CVE ID: CVE-2025-32475, CVE-2025-31353, CVE-2025-31352, CVE-2025-31351, CVE-2025-31350, CVE-2025-31349, CVE-2025-31343, CVE-2025-30032, CVE-2025-30031, CVE-2025-30030, CVE-2025-30003, CVE-2025-30002, CVE-2025-29905, CVE-2025-27540, CVE-2025-27539, CVE-2025-27495 (for Siemens SQLi cluster)
- CVE ID: CVE-2025-29931 (Siemens Improper Handling of Length Parameter)
- CVE ID: CVE-2024-6407 (Schneider Electric Information Exposure)
- CVE ID: Unspecified (ABB Improper Buffer/Input Validation)
- CVSS Score: 9.8 (Critical) for CVE-2024-6407 (v3.1)
- CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) for the Siemens SQLi cluster; CWE-130 (Improper Handling of Length Parameter Inconsistency) for CVE-2025-29931; CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) for CVE-2024-6407; CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation) and CWE-787 (Out-of-bounds Write) for the ABB MV Drives issues; CWE-131 (Incorrect Calculation of Buffer Size) for the Modicon M580 DoS.
## Affected Systems
- Products: Siemens TeleControl Server Basic, Schneider Electric Wiser Home Controller WHC-5918A, Schneider Electric Modicon M580 PLCs/BMENOR2200H/EVLink Pro AC, ABB MV Drives equipment.
- Versions:
- Siemens TeleControl Server Basic: Versions before V3.1.2.2.
- Schneider Electric Wiser Home Controller WHC-5918A: Unspecified.
- Schneider Electric Modicon M580 PLCs/BMENOR2200H/EVLink Pro AC: Not specified in the source; this is an update to an older advisory covering the buffer-size (DoS) vulnerability.
- ABB MV Drives: Firmware versions before LAAAB v5.07; the affected drive models are not listed in the source.
- Configurations:
- CVE-2025-29931 exploitation is only possible in redundant TeleControl Server Basic setups if the connection between redundant servers is disrupted.
## Vulnerability Description
**Siemens TeleControl Server Basic (Multiple SQLi CVEs):** An Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability allows attackers to read/write to the application’s database, cause a denial-of-service, and execute code in an OS shell.
**Siemens TeleControl Server Basic (CVE-2025-29931):** An Improper Handling of Length Parameter Inconsistency flaw exists because the product fails to properly validate a length field in a serialized message used for memory allocation during deserialization. In specific redundant configurations with disrupted communication, this could allow an unauthenticated remote attacker to cause a partial denial-of-service by exhausting memory.
**Schneider Electric Wiser Home Controller WHC-5918A (CVE-2024-6407):** An Exposure of Sensitive Information to an Unauthorized Actor vulnerability allows an attacker sending a specially crafted message to disclose sensitive credentials.
**ABB MV Drives (Buffer/Input Validation):** Flaws related to Improper Restriction of Operations within the Bounds of a Memory Buffer and Improper Input Validation/Out-of-bounds Write could allow an attacker to gain full access to the drive or cause a denial-of-service condition.
**Schneider Electric Modicon M580 PLCs (Buffer Size):** An Incorrect Calculation of Buffer Size vulnerability causes a denial-of-service when an unauthenticated user sends a crafted HTTPS packet to the webserver.
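The CVE-2025-29931 description above is the textbook CWE-130 shape: a length field is read from the message and used to size an allocation before anyone checks that the bytes are actually there or that the value is sane. The following is an added, generic illustration written for this summary; it is not Siemens' code, and the wire format (a 4-byte big-endian length prefix followed by the payload), the 64 KiB cap and the helper names are all invented for the example. It puts the vulnerable parser next to a hardened one so the difference in where the check sits is visible.

```python
"""
Added illustration of the CWE-130 pattern behind CVE-2025-29931: a length
field trusted for allocation before the message is validated.  Generic,
constructed code; not Siemens' implementation.  The wire format (4-byte
big-endian length prefix, then payload) and MAX_PAYLOAD are invented here.
"""
import struct
from typing import Optional

HEADER = struct.Struct(">I")      # hypothetical 4-byte unsigned length prefix
MAX_PAYLOAD = 64 * 1024           # hypothetical bound a real parser would know


def build(payload: bytes, declared: Optional[int] = None) -> bytes:
    """Serialize a message; `declared` lets a sender lie about the length."""
    return HEADER.pack(len(payload) if declared is None else declared) + payload


def declared_length(msg: bytes) -> int:
    """Length the sender claims, straight from the untrusted header."""
    return HEADER.unpack_from(msg, 0)[0]


def parse_vulnerable(msg: bytes) -> bytearray:
    """Vulnerable: allocate whatever the header says (up to 4 GiB) before
    checking that the bytes are present.  A peer that keeps sending short
    messages with large declared lengths drives the process out of memory."""
    n = declared_length(msg)
    buf = bytearray(n)                       # sized by the untrusted field
    body = msg[HEADER.size:HEADER.size + n]
    buf[:len(body)] = body                   # short read: rest stays zeroed
    return buf


def parse_hardened(msg: bytes) -> bytearray:
    """Hardened: cap the declared length and require it to match the bytes
    on hand before doing any allocation proportional to it."""
    if len(msg) < HEADER.size:
        raise ValueError("truncated header")
    n = declared_length(msg)
    if n > MAX_PAYLOAD:
        raise ValueError(f"declared length {n} exceeds cap {MAX_PAYLOAD}")
    body = msg[HEADER.size:]
    if len(body) != n:
        raise ValueError(f"declared {n} bytes, received {len(body)}")
    return bytearray(body)                   # allocation bounded by real input


def hardened_rejects(msg: bytes) -> bool:
    """True if the hardened parser refuses the message."""
    try:
        parse_hardened(msg)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    honest = build(b"hello")
    liar = build(b"hello", declared=1 << 20)          # claims 1 MiB, sends 5 bytes
    print(len(parse_vulnerable(liar)))                # allocation follows the lie
    print(hardened_rejects(liar), hardened_rejects(honest))
```

The vulnerable parser never fails on the lying message; it just hands back a mostly-zero buffer the size the attacker asked for, which is exactly why the impact is memory exhaustion rather than a crash. The hardened version rejects on the cap and on the declared-versus-received mismatch before `bytearray` is ever called with an attacker-chosen size.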
## Exploitation
- Status: No public proof-of-concept or in-the-wild exploitation is cited for any of these flaws. The Siemens SQLi cluster is the most severe in practice, since it yields database read/write, denial of service and OS command execution; the ABB buffer/input-validation flaws can give full access to the drive, and the Schneider Electric M580 buffer-size flaw is a remote DoS.
- Complexity: Low for the SQLi and information-exposure flaws, which need only a crafted request. Low to medium for the DoS issues; CVE-2025-29931 additionally requires a redundant TeleControl Server Basic setup whose inter-server link has been disrupted.
- Attack Vector: Network. CVE-2025-29931 and the M580 HTTPS DoS are explicitly reachable by an unauthenticated remote attacker.
## Impact
- Confidentiality: High (Disclosure of sensitive credentials for Schneider Electric WHC-5918A; potential database access for Siemens SQLi).
- Integrity: High (Ability to read/write the database and potentially execute code via Siemens SQLi; full access potential in ABB Drives).
- Availability: High (Denial-of-Service conditions possible across multiple affected products).
## Remediation
### Patches
- **Siemens TeleControl Server Basic:** Update to V3.1.2.2 or a later version to address the SQLi and length inconsistency vulnerabilities.
- **ABB MV Drives:** Update firmware to LAAAB version 5.07 or higher. (This update disables IEC online programming communication by default).
### Workarounds
- **Siemens TeleControl Server Basic:** Restrict access to port 8000 on affected systems to trusted IP addresses only. For CVE-2025-29931, users can disable TeleControl Server Basic redundancy if not used.
- **ABB MV Drives:** If CODESYS communication is required (e.g., for debugging), it can be temporarily re-enabled by unlocking user settings via parameter 96.02 Pass code, and setting bit 9 (Enable online IEC programming) in parameter 96.102 User lock functionality to TRUE.
- **General Recommendation:** Protect network access to devices with appropriate mechanisms and configure environments according to Siemens’ operational guidelines for industrial security.
- **Schneider Electric M580:** Use appropriate patching methodologies, including backups and testing in a non-production environment before application.
## Detection
- **Siemens SQLi/Code Execution:** Because the SQLi allows command execution in an OS shell, monitor the TeleControl Server Basic host for unexpected child processes spawned by the server or database process, unusual outbound connections, and unexpected database writes or schema changes. Inspect inputs reaching port 8000 (the port the workaround restricts) for SQL metacharacters and keywords, and alert on any source outside the trusted allowlist talking to that port.
- **Siemens DoS (CVE-2025-29931):** On redundant installations, monitor memory consumption of the TeleControl Server Basic process and alert when the link between the redundant servers goes down, since the flaw is only reachable in that state; a climbing working set after link loss is the signature of the memory-exhaustion DoS.
- **Schneider Electric WHC-5918A (CVE-2024-6407):** The source does not describe the crafted message, so detection is behavioural: baseline which hosts communicate with the controller, alert on new sources, and watch for use of the controller's credentials from hosts that have never authenticated before.
- **ABB Drives:** Audit changes to parameter 96.102 bit 9 (Enable online IEC programming) and to the 96.02 pass code, and alert on CODESYS/IEC online-programming traffic to drives where it should be disabled after the LAAAB 5.07 update.
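The detection bullets for the Siemens SQLi cluster, and the workaround that restricts port 8000 to trusted addresses, both reduce to checks that can be run over an access or application log. The script below is an added example written for this summary, not tooling from Siemens or CISA. The log format, the trusted engineering subnet (10.10.1.0/24), the sample lines and the indicator patterns are all constructed here; TeleControl Server Basic's real input grammar is not described in the source, so the SQLi patterns are generic and should be tuned to the application.

```python
"""
Added detection example (not from the advisory or from Siemens).  Scans a
constructed log for the two signals the Detection section calls out for the
TeleControl Server Basic SQLi cluster:
  1. connections to port 8000 from hosts outside the trusted allowlist, and
  2. SQL-injection metacharacters/keywords in the input field.
Log format, trusted subnet, sample lines and patterns are all invented here.
"""
import ipaddress
import re

TELECONTROL_PORT = 8000                                  # port named in the workaround
TRUSTED_NETS = [ipaddress.ip_network("10.10.1.0/24")]    # hypothetical engineering VLAN

# Generic SQLi indicators; tune to the application's real input grammar.
SQLI_PATTERNS = {
    "tautology":    re.compile(r"(?i)'\s*or\s+'?\w+'?\s*=\s*'?\w+"),
    "union_select": re.compile(r"(?i)\bunion\s+(all\s+)?select\b"),
    "stacked":      re.compile(r"(?i);\s*(drop|alter|insert|update|delete|exec)\b"),
    "comment":      re.compile(r"--\s*$|/\*.*?\*/"),
}

# Hypothetical log line: <timestamp> src=<ip> dport=<port> input="<request field>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dport=(?P<dport>\d+)\s+input="(?P<input>.*)"$'
)

# Constructed sample log for the example.
SAMPLE_LOG = """\
2025-04-22T10:00:01Z src=10.10.1.5 dport=8000 input="station=ST01"
2025-04-22T10:00:02Z src=10.10.1.5 dport=8000 input="station=ST02"
2025-04-22T10:00:09Z src=192.0.2.44 dport=8000 input="station=ST01"
2025-04-22T10:00:10Z src=192.0.2.44 dport=8000 input="station=ST01' OR '1'='1"
2025-04-22T10:00:11Z src=192.0.2.44 dport=8000 input="x' UNION SELECT user,pass FROM users--"
2025-04-22T10:00:12Z src=192.0.2.44 dport=8000 input="x'; EXEC sp_something 'whoami'--"
2025-04-22T10:00:13Z src=10.10.1.7 dport=443 input="GET /status"
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(src: str) -> bool:
    """True if the source address falls inside an allowlisted network."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)


def sqli_indicators(text: str) -> list:
    """Names of the SQLi patterns that match the input field."""
    return [name for name, rx in SQLI_PATTERNS.items() if rx.search(text)]


def analyze(log_text: str) -> list:
    """One alert per port-8000 line that is untrusted, looks like SQLi, or both."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != TELECONTROL_PORT:
            continue                          # other services are out of scope here
        reasons = []
        if not is_trusted(rec["src"]):
            reasons.append("untrusted_source")
        reasons += ["sqli:" + name for name in sqli_indicators(rec["input"])]
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert["ts"], alert["src"], ", ".join(alert["reasons"]))
```

The first signal is the cheaper and more reliable one: if port 8000 is restricted as the workaround says, any hit from outside the allowlist is already a policy violation regardless of payload. The pattern matching is a second layer for cases where an allowlisted host is compromised, and it will need tuning against real traffic to keep false positives down.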
## References
- CISA ICS Advisory ICSA-25-112-01
- CISA ICS Advisory ICSA-25-112-02
- CISA ICS Advisory ICSA-25-112-03
- CISA ICS Advisory ICSA-25-112-04