Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released six industrial control systems (ICS) advisories and updated an... The post CISA flags hardware vulnerabilities in ICS and medical devices; affects B&R, Schneider Electric, Rockwell, BD Systems appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Multiple ICS Vulnerabilities Disclosed by CISA (B&R, Schneider Electric, Rockwell Automation, BD)
## CVE Details
- **CVE ID:** CVE-2024-8603
- **CVSS Score:** 7.5 (High)
- **CWE:** Use of a Broken or Risky Cryptographic Algorithm
- **CVE ID:** CVE-2024-10497
- **CVSS Score:** 8.8 (High)
- **CWE:** Authorization Bypass through User-Controlled Key
- **CVE ID:** CVE-2024-10498
- **CVSS Score:** 6.5 (Medium)
- **CWE:** Improper Restriction of Operations within the Bounds of a Memory Buffer (Buffer Over-read/Write)
- **CVE ID:** CVE-2025-24479
- **CVSS Score:** 8.4 (CVSS v3.1) / 8.6 (CVSS v4) (High)
- **CWE:** Incorrect Authorization / OS Command Injection
- **CVE ID:** CVE-2025-24480
- **CVSS Score:** 9.8 (CVSS v3.1) / 9.3 (CVSS v4) (Critical)
- **CWE:** Improper Neutralization of Special Elements used in OS Command ('OS Command Injection')
## Affected Systems
| Vendor | Product | Vulnerable Versions | Configurations |
| :--- | :--- | :--- | :--- |
| **B&R Automation** | Automation Runtime | Earlier than 6.1 | N/A |
| **B&R Automation** | mapp View | Earlier than 6.1 | N/A |
| **Schneider Electric** | Power Logic | N/A (Specific versions not detailed for all flaws) | N/A |
| **Rockwell Automation** | FactoryTalk View ME | Prior to 15.0 | N/A |
| **Rockwell Automation** | FactoryTalk (Specific resources not detailed) | Prior to 15.0 | N/A |
| **BD (Becton Dickinson)** | Synapsys Informatics Solution | Default credentials for the service | Only when installed on a NUC server. Not affected if installed on a user-provided VM or BD Kiestra SCU hardware. |
## Vulnerability Description
1. **B&R Automation (CVE-2024-8603):** A "Use of a Broken or Risky Cryptographic Algorithm" vulnerability exists in the SSL/TLS component. An unauthenticated network-based attacker can exploit this to masquerade as legitimate services on the impacted devices.
2. **Schneider Electric Power Logic (CVE-2024-10497, CVE-2024-10498):**
* **CVE-2024-10497 (Authorization Bypass):** An authorized attacker sending modified HTTPS requests can bypass authorization checks, leading to an Elevation of Privilege (EoP) and modification of values outside their granted privileges via the web interface.
* **CVE-2024-10498 (Buffer Overflow):** An unauthorized attacker sending specific Modbus write packets can cause buffer boundary violations, potentially leading to data modification outside the normal range, invalid data, or loss of web interface functionality.
3. **Rockwell Automation FactoryTalk (CVE-2025-24479, CVE-2025-24480):** Vulnerabilities stemming from incorrect authorization and a lack of input sanitization lead to OS Command Injection. An attacker (local or remote, depending on the specific sub-flaw) can execute code with elevated privileges on the device.
## Exploitation
- **Status:** PoC availability is not explicitly confirmed for all, but exploitation conditions are straightforward (network-based for B&R, specific requests/packets for Schneider/Rockwell).
- **Complexity:**
* CVE-2024-8603: Low (Unauthenticated, network-based).
* CVE-2024-10497: Medium (Authorized attacker required, but leads to high-impact EoP).
* CVE-2025-24480: Likely Low/Medium (Remote Code Execution via command injection).
- **Attack Vector:** Network (for B&R, Schneider Electric) and Local/Network (for Rockwell OS Command Injection).
## Impact
| CVE | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2024-8603 | High (Masquerading) | High (Masquerading) | Low/Medium |
| CVE-2024-10497 | Low | High (Data Modification/EoP) | Medium |
| CVE-2024-10498 | Low | High (Data Corruption/Control) | High (Loss of interface) |
| CVE-2025-24479/24480 | High (Code Execution leads to full compromise) | High (Code Execution) | High (Code Execution leading to DoS) |
## Remediation
### Patches
- **B&R Automation:** Update to **B&R Automation Runtime version 6.1** or later; Update to **B&R mapp View version 6.1** or later.
- **Rockwell Automation FactoryTalk:** Update to **version 15.0 or later**.
- **Schneider Electric / BD:** Specific fixed versions were not detailed in the summary for these advisories, but patching/updates are required.
### Workarounds
- **B&R Automation:** B&R advises customers to **generate self-signed certificates on production machines** as a mitigation until the update can be applied.
- **Schneider Electric:** Specific workarounds and mitigations identified by CPCERT should be consulted via the vendor advisory.
- **BD Synapsys Informatics Solution:** Users must **strengthen controls around logical/physical access** and ensure **default credentials are changed**.
## Detection
- **Indicators of Compromise (BD):** Look for unauthorized access activity using default or service credentials on NUC-based installations of Synapsys Informatics Solution.
- **Detection Methods:**
* Monitor network traffic for anomalous HTTPS requests (Schneider Electric EoP) or unexpected Modbus write packets (Schneider Electric Buffer Overflow).
* Monitor for unusual command execution attempts on Rockwell Automation FactoryTalk devices, especially those suggesting remote execution attempts or utilizing default Windows path settings.
* For BD devices, monitor for RDP port activity (which should be disabled) and suspicious network traffic targeting medical device management environments.
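The Modbus write-packet monitoring suggested above, as an added example that is not part of the CISA advisories or any vendor tooling: it parses Modbus/TCP request frames, flags write function codes from hosts outside an assumed allowlist, and flags frames whose MBAP length or FC16 byte count disagrees with the bytes actually sent (the kind of malformed write the Power Logic buffer-boundary flaw concerns). The allowlist address and all sample frames are constructed for illustration.

```python
import struct

# Standard Modbus function codes that modify device state.
WRITE_FUNCTION_CODES = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                        0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                        0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}

# Hypothetical allowlist: the only engineering host permitted to write to the meter.
AUTHORIZED_WRITERS = {"10.0.5.10"}


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (protocol_id, length, unit_id, function_code, pdu)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    return pid, length, unit, frame[7], frame[8:]


def check_frame(src_ip: str, frame: bytes):
    """Return a list of alert strings for one request frame; empty means nothing suspicious."""
    alerts = []
    try:
        pid, length, unit, fc, pdu = parse_mbap(frame)
    except ValueError as exc:
        return [f"{src_ip}: malformed frame ({exc})"]
    if pid != 0:
        alerts.append(f"{src_ip}: non-Modbus protocol id {pid}")
    # MBAP length covers unit id + function code + PDU; a mismatch tells the
    # device to consume more or fewer bytes than were actually delivered.
    if length != 2 + len(pdu):
        alerts.append(f"{src_ip}: MBAP length {length} != actual {2 + len(pdu)}")
    if fc in WRITE_FUNCTION_CODES:
        name = WRITE_FUNCTION_CODES[fc]
        if src_ip not in AUTHORIZED_WRITERS:
            alerts.append(f"{src_ip}: {name} (FC 0x{fc:02X}) from unauthorized host, unit {unit}")
        if fc == 0x10 and len(pdu) >= 5:
            # FC16 PDU: start address (2), quantity (2), byte count (1), data.
            quantity, byte_count = struct.unpack(">HB", pdu[2:5])
            if byte_count != 2 * quantity or len(pdu) != 5 + byte_count:
                alerts.append(f"{src_ip}: FC 0x10 byte count {byte_count} "
                              f"inconsistent with quantity {quantity}")
    return alerts


# Constructed sample frames (not captured traffic): benign read, unauthorized FC06
# write, well-formed FC16 write, FC16 with an impossible byte count, bad MBAP length.
SAMPLES = [
    ("10.0.5.10", bytes.fromhex("0001000000060103006B0003")),
    ("10.0.5.99", bytes.fromhex("000200000006010600010001")),
    ("10.0.5.10", bytes.fromhex("00030000000B0110000000020401020304")),
    ("10.0.5.99", bytes.fromhex("000400000007011000000002FF")),
    ("10.0.5.10", bytes.fromhex("000500000010010600010001")),
]

if __name__ == "__main__":
    for src, frame in SAMPLES:
        for alert in check_frame(src, frame):
            print(alert)
```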
## References
- CISA ICS Advisory ICSA-25-028-01 (B&R)
- CISA ICS Advisory ICSA-25-028-02 (Schneider Electric)
- CISA ICS Advisory ICSA-25-028-03 (Rockwell Automation)
- CISA ICS Advisory for BD Products (Details truncated but referenced)