Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released seven new ICS advisories, each highlighting cybersecurity vulnerabilities in key Industrial Control Systems across the energy, communications, emergency response, and manufacturing sectors. The alerts shed light on remotely exploitable flaws discovered in devices and software produced by CyberData, Hitachi Energy, and Mitsubishi Electric, names synonymous with modern operational technology (OT).

## A Breakdown of the Latest ICS Advisories

The first advisory, ICSA-25-155-01, addresses multiple high-impact issues in CyberData’s 011209 SIP Emergency Intercom. With a CVSS v4 severity score of 9.3, this vulnerability, reported by Claroty researcher Vera Mens, enables authentication bypass, SQL injection, and path traversal. Affected systems using firmware versions prior to 22.0.1 are vulnerable to remote code execution and denial-of-service attacks. CISA recommends upgrading to version 22.0.1 and advises isolating the intercoms from public networks using firewalls and VPNs.

The second alert, ICSA-25-155-02, involves a critical integer overflow in Hitachi Energy’s Relion 670 and 650 series and SAM600-IO devices. The flaw resides in the VxWorks OS memory allocator and holds a CVSS v3 score of 9.8. Exploitation could lead to memory corruption, potentially crippling protective relays in power systems. Multiple firmware subversions across series 1.1 to 2.2.5 are affected. Mitigation entails upgrading to version 2.2.5.2 or applying interim workarounds provided by Hitachi.

ICSA-21-049-02 (Update H) highlights vulnerabilities in Mitsubishi Electric’s broad range of FA Engineering Software, such as GX Developer, GT Designer3, and RT ToolBox2. With a CVSS v4 score of 8.7, attackers can exploit heap-based buffer overflows to crash the software or interfere with PLC diagnostics in factory automation environments. Users are advised to install the latest updates, e.g., GX Developer version 8.507D or later and RT ToolBox2 version 3.74C or later.

## Continued Focus on Hitachi Energy’s Industrial Control Systems

CISA’s June release includes updates to prior ICS advisories concerning Hitachi Energy’s Relion products and IEC 61850 MMS Server implementations. Notable among them:

- ICSA-25-133-02 details CVE-2023-4518, where malformed GOOSE messages could cause vulnerable Relion firmware versions to reboot, creating a denial-of-service condition. Firmware series 2.2.0.x to 2.2.5.6 are affected, and the agency recommends upgrading to secure versions such as 2.2.2.6 or 2.2.3.7.
- ICSA-23-068-05 (CVE-2022-3864) uncovers weaknesses in firmware signature validation. If exploited by an authenticated attacker, this vulnerability could lead to unauthorized firmware uploads. Affected firmware spans versions 2.2.0 to 2.2.5.5.
- ICSA-21-336-05 concerns outdated VxWorks boot components in the Relion series. CVE-2021-35535, with a CVSS v4 score of 8.9, references the known “Urgent/11” vulnerabilities that could allow TCP session hijacking or packet injection. Users must patch to at least version 2.2.2.5 or apply physical and network isolation strategies.
- ICSA-23-089-01 points to a medium-severity issue (CVE-2022-3353) in Hitachi’s IEC 61850 MMS Server, where malformed client requests can block new connections. Though scoring a 5.9, it could still disrupt operations under targeted conditions.

## Conclusion

CISA’s latest ICS advisories highlight the urgent need for critical infrastructure operators to secure vulnerable systems against remote exploitation. With many legacy ICS components lacking basic protections, the risks are growing, but so are the tools. CISA’s guidance offers a clear roadmap: patch systems, segment networks, restrict access, monitor threats, and train staff.
Analysis Summary
# Vulnerability: Multiple ICS Vulnerabilities in CyberData, Hitachi, and Mitsubishi Components
## CVE Details
The provided text mentions several CVEs associated with CISA ICS Advisories.
- **CVE ID:** CVE-2023-4518 (ICSA-25-133-02)
  - **CVSS Score:** Not explicitly provided in the text.
  - **CWE:** Not explicitly provided (denial of service via malformed GOOSE messages that reboot the device).
- **CVE ID:** CVE-2022-3864 (ICSA-23-068-05)
  - **CVSS Score:** Not explicitly provided for CVE-2022-3864 in the text, but the associated advisory is listed.
  - **CWE:** Not explicitly provided (weaknesses in firmware signature validation).
- **CVE ID:** CVE-2021-35535 (ICSA-21-336-05, referencing "Urgent/11")
  - **CVSS Score:** 8.9 (CVSS v4)
  - **CWE:** Not explicitly provided (related to VxWorks boot components).
- **CVE ID:** CVE-2022-3353 (ICSA-23-089-01)
  - **CVSS Score:** 5.9 (Medium)
  - **CWE:** Not explicitly provided (related to malformed client requests in the MMS Server).
## Affected Systems
- **Products:** Hitachi Energy Relion series devices (including their VxWorks boot components) and Hitachi Energy's IEC 61850 MMS Server.
- **Versions:**
  - Relion firmware 2.2.0.x to 2.2.5.6: affected by the GOOSE-triggered reboot (CVE-2023-4518).
  - Relion firmware 2.2.0 to 2.2.5.5: affected by CVE-2022-3864.
  - Relion VxWorks boot components: versions prior to 2.2.2.5 affected by CVE-2021-35535 (fixed in 2.2.2.5 or later; the GOOSE advisory recommends 2.2.2.6 or 2.2.3.7).
  - Hitachi IEC 61850 MMS Server: affected by CVE-2022-3353 (specific versions are not given in the text).
- **Configurations:** Where the VxWorks component cannot be patched promptly, the advisory calls for physical or network isolation of the affected Relion devices.
## Vulnerability Description
The advisory highlights several distinct flaws:
1. **Denial of Service (CVE-2023-4518, ICSA-25-133-02):** Malformed GOOSE messages cause affected Relion firmware versions to reboot, producing a denial-of-service condition.
2. **CVE-2022-3864 (ICSA-23-068-05):** Weaknesses in firmware signature validation. An **authenticated attacker** can exploit this to upload unauthorized firmware.
3. **CVE-2021-35535 (ICSA-21-336-05):** Outdated VxWorks boot components in the Relion series resulting in "Urgent/11" type vulnerabilities, potentially allowing TCP session hijacking or packet injection.
4. **CVE-2022-3353 (ICSA-23-089-01):** In Hitachi’s IEC 61850 MMS Server, sending malformed client requests can lead to the blocking of new connections (Denial of Service for new clients).
## Exploitation
- **Status:** The context implies active risks to critical infrastructure, suggesting real-world applicability, though the in-the-wild exploitation status is not detailed for every CVE. CVE-2022-3864 requires an authenticated attacker. CVE-2021-35535 (Urgent/11) is a generally known exploitation vector.
- **Complexity:** Low to Medium, depending on the specific vulnerability (e.g., authenticated access required for 3864; network attack possible for 35535).
- **Attack Vector:** Network (for firmware upload and TCP session hijacking/DoS).
## Impact
- **Confidentiality:** Potential impact due to unauthorized firmware upload (CVE-2022-3864) or packet injection (CVE-2021-35535).
- **Integrity:** High potential impact due to unauthorized firmware uploads, potentially leading to system compromise.
- **Availability:** Direct impact due to DoS conditions from forced reboots (CVE-2023-4518) or blocked new connections (CVE-2022-3353).
## Remediation
### Patches
- **Relion (GOOSE DoS, CVE-2023-4518 / Firmware Validation, CVE-2022-3864):** Upgrade off the affected ranges. For the GOOSE reboot issue the advisory names 2.2.2.6 or 2.2.3.7 as secure versions; for CVE-2022-3864, apply the vendor's fixed firmware per ICSA-23-068-05 to leave the 2.2.0 to 2.2.5.5 range.
- **Relion (VxWorks/CVE-2021-35535):** Patch to at least version 2.2.2.5. The secure versions 2.2.2.6 and 2.2.3.7 are those named for the related GOOSE advisory.
- **Hitachi MMS Server (CVE-2022-3353):** Apply the patch released by the vendor for this specific medium-severity issue.
### Workarounds
- Apply **physical and network isolation strategies** for components running vulnerable VxWorks versions (Relion series) if immediate patching is impossible.
## Detection
- **Indicators of Compromise:** Look for evidence of unauthorized firmware uploads or configuration changes, and anomalous network traffic indicative of TCP session hijacking or a flood of malformed client requests targeting the MMS Server.
- **Detection Methods and Tools:** Network monitoring tools should be configured to look for traffic patterns matching known exploitation attempts for Urgent/11 vulnerabilities or abnormally high request rates against the IEC 61850 MMS service.
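The two network-side signals named above, an abnormally high connection rate against the MMS service and a run of malformed client requests from one source, can be checked with a simple sliding-window counter. The script below is an added example written for this summary; it is not part of the CISA advisories or any Hitachi Energy tooling. The log line format, IP addresses and thresholds are constructed for illustration (real firewall or IDS exports will need their own parser); the only external fact it relies on is that IEC 61850 MMS runs over ISO-TSAP on TCP port 102.

```python
"""Sliding-window detection of MMS (TCP/102) floods and malformed-request runs.

Added example, not from the CISA advisories or any vendor. The log format,
addresses and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MMS_PORT = 102                    # ISO-TSAP, the transport underneath IEC 61850 MMS
WINDOW = timedelta(seconds=10)    # sliding window for the rate check
RATE_THRESHOLD = 20               # connections per source inside one window = flood
MALFORMED_THRESHOLD = 3           # malformed requests per source before alerting

# Constructed log line format (hypothetical firewall/IDS export):
#   <ISO-8601 timestamp> src=<ip> dst=<ip> dport=<port> status=<ok|malformed>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) status=(?P<status>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def detect_mms_anomalies(lines, window=WINDOW, rate_threshold=RATE_THRESHOLD,
                         malformed_threshold=MALFORMED_THRESHOLD):
    """Flag sources that flood TCP/102 or keep sending malformed MMS requests.

    Returns a sorted list of (src, reason, count) tuples. Each (src, reason)
    pair is reported once, at the moment its threshold is first crossed.
    """
    recent = defaultdict(deque)   # src -> timestamps of MMS connections in the window
    malformed = defaultdict(int)  # src -> running count of malformed requests
    alerts = {}                   # (src, reason) -> count at the time of the alert
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] != MMS_PORT:
            continue              # skip unparseable lines and non-MMS traffic
        src, ts = rec["src"], rec["ts"]
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) >= rate_threshold and (src, "rate") not in alerts:
            alerts[(src, "rate")] = len(q)
        if rec["status"] == "malformed":
            malformed[src] += 1
            if malformed[src] >= malformed_threshold and (src, "malformed") not in alerts:
                alerts[(src, "malformed")] = malformed[src]
    return sorted((src, reason, n) for (src, reason), n in alerts.items())


def build_sample_log():
    """Constructed sample: a benign HMI poll, one noisy host, one flooding host."""
    base = datetime(2025, 6, 5, 10, 0, 0)

    def fmt(t, src, status, dport=MMS_PORT):
        return f"{t:%Y-%m-%dT%H:%M:%SZ} src={src} dst=10.0.9.7 dport={dport} status={status}"

    lines = [fmt(base, "10.0.5.20", "ok"), fmt(base + timedelta(seconds=5), "10.0.5.20", "ok")]
    # three malformed requests spread over a minute from one host
    lines += [fmt(base + timedelta(seconds=20 * i), "10.0.5.31", "malformed") for i in range(3)]
    # 25 connections within 5 seconds from another host: a flood under this policy
    lines += [fmt(base + timedelta(seconds=60, milliseconds=200 * i), "192.168.1.50", "ok")
              for i in range(25)]
    # SSH to the same relay must not be counted as MMS traffic
    lines.append(fmt(base, "10.0.5.20", "ok", dport=22))
    return lines


if __name__ == "__main__":
    for src, reason, n in detect_mms_anomalies(build_sample_log()):
        print(f"ALERT {src}: {reason} ({n} events)")
```

The thresholds are deliberately conservative placeholders: on a real substation network, baseline the normal polling rate of each HMI or gateway toward the MMS server first, then set `RATE_THRESHOLD` well above it so routine client reconnects do not page anyone. Whether a request is "malformed" has to come from a protocol-aware sensor or the server's own logs; this script only aggregates that verdict per source.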
## References
- ICSA-23-068-05: hxxps://www.cisa.gov/news-events/ics-advisories/icsa-23-068-05
- ICSA-21-336-05: hxxps://www.cisa.gov/news-events/ics-advisories/icsa-21-336-05
- ICSA-23-089-01 (Hitachi): hxxps://www.cisa.gov/news-events/ics-advisories/icsa-23-089-01