Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued ten industrial control systems (ICS) advisories, highlighting current... The post CISA issues new advisories on exploitable flaws in industrial systems from Siemens, AVEVA, PTZOptics appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Multiple CISA ICS Advisories Summary (Siemens, AVEVA, PTZOptics, and others)
This summary synthesizes key vulnerabilities disclosed by CISA across various Industrial Control System (ICS) advisories.
## CVE Details
| CVE ID | CVSS v3.1 | CVSS v4 | Severity (CVSS v4) | CWE |
| :--- | :--- | :--- | :--- | :--- |
| CVE-2025-32454 | 7.8 | 7.3 | High | CWE-125 Out-of-bounds Read |
| CVE-2025-0133 | 4.3 | 5.1 | Medium | CWE-79 Cross-Site Scripting (Reflected) |
| CVE-2024-41797 | 4.3 | 5.3 | Medium | CWE-269 Improper Privilege Management |
| CVE-2025-4417 | 5.5 | 6.9 | Medium | CWE-79 Cross-Site Scripting (Stored) |
| CVE-2025-4418 | 4.4 | 6.7 | Medium | CWE-354 Improper Validation of Integrity Check Value |
*Note: The source lists multiple vulnerabilities for the Siemens SIMATIC S7-1500 CPU line but does not map them to CVE IDs; consult ICSA-25-162-05 for the full list.*
## Affected Systems
| CVE ID | Products | Versions | Configurations |
| :--- | :--- | :--- | :--- |
| CVE-2025-32454 | Siemens Tecnomatix Plant Simulation | All versions before V2404.0013 | Processing specially crafted WRL files. |
| CVE-2025-0133 | Siemens RUGGEDCOM APE1808 (the flaw is in the Palo Alto Networks PAN-OS software the appliance runs) | N/A (not stated in the source) | GlobalProtect portal/gateway in use; risk is highest when Clientless VPN is enabled. |
| CVE-2024-41797 | Siemens SCALANCE and RUGGEDCOM equipment | N/A (not stated in the source) | Remote attacker authenticated with the 'guest' role. |
| CVE-2025-4417 | AVEVA PI Connector for CygNet | Versions 1.6.14 and prior | Access to the connector admin portal. |
| CVE-2025-4418 | AVEVA PI Connector for CygNet | Versions 1.6.14 and prior | Elevated privileges on the host (to modify local data files). |
| General | PTZOptics, ValueHD, multiCAM Systems, SMTAV Cameras | Undisclosed vulnerable versions | N/A |
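The version boundaries in the table above are the kind of thing an asset inventory should be checked against automatically. The following is an added example, not tooling from CISA, Siemens, AVEVA or any camera vendor: it parses the two version formats on this page (`V2404.0013` and `1.6.14`), applies the "before X" and "X and prior" rules from the table, and flags camera products whose affected versions were never disclosed for manual review. The inventory at the bottom is constructed sample data with hypothetical hostnames.

```python
"""Affected-version matcher for the CISA advisory summary above.

Added example, not code from CISA or any vendor. The version boundaries are
the ones stated in the Affected Systems table; INVENTORY is constructed
sample data with hypothetical hostnames.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str


@dataclass(frozen=True)
class Rule:
    product: str                      # matched case-insensitively as a prefix
    cve: str
    bound: Optional[tuple]            # None = vendor published no version info
    affected: Callable[[tuple, tuple], bool]
    fix: str


def parse_version(v: str) -> tuple:
    """'V2404.0013' -> (2404, 13); '1.6.14' -> (1, 6, 14).

    The 'V' prefix and leading zeros are dropped so tuples compare
    numerically. Raises on strings containing no digits.
    """
    nums = re.findall(r"\d+", v)
    if not nums:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(n) for n in nums)


def before(ver: tuple, bound: tuple) -> bool:
    """'All versions before X': compare only as many components as X has,
    so a build suffix such as 1.6.14.2 cannot slip past a 1.6.14 boundary."""
    return ver[:len(bound)] < bound


def up_to(ver: tuple, bound: tuple) -> bool:
    """'X and prior': same truncation, but inclusive."""
    return ver[:len(bound)] <= bound


RULES = [
    Rule("Siemens Tecnomatix Plant Simulation", "CVE-2025-32454",
         parse_version("V2404.0013"), before, "update to V2404.0013 or later"),
    Rule("AVEVA PI Connector for CygNet", "CVE-2025-4417",
         parse_version("1.6.14"), up_to, "apply the AVEVA update (1.6.14 and prior affected)"),
    Rule("AVEVA PI Connector for CygNet", "CVE-2025-4418",
         parse_version("1.6.14"), up_to, "apply the AVEVA update (1.6.14 and prior affected)"),
    # The camera vendors disclosed no affected versions, so every unit is
    # flagged for a manual check rather than silently assumed clean.
    Rule("PTZOptics", "ICSA-25-162-10 camera flaws", None, lambda v, b: True,
         "check the vendor's Known Vulnerabilities and Fixes site"),
    Rule("ValueHD", "ICSA-25-162-10 camera flaws", None, lambda v, b: True,
         "contact the vendor; no coordinated fix published"),
]


def find_affected(assets: list) -> list:
    """Return (host, cve, fix) for every asset that matches a rule."""
    hits = []
    for a in assets:
        for r in RULES:
            if not a.product.lower().startswith(r.product.lower()):
                continue
            if r.bound is None or r.affected(parse_version(a.version), r.bound):
                hits.append((a.host, r.cve, r.fix))
    return hits


INVENTORY = [  # constructed sample data; hostnames are hypothetical
    Asset("eng-ws-01", "Siemens Tecnomatix Plant Simulation", "V2404.0012"),
    Asset("eng-ws-02", "Siemens Tecnomatix Plant Simulation", "V2404.0013"),
    Asset("pi-conn-01", "AVEVA PI Connector for CygNet", "1.6.14"),
    Asset("pi-conn-02", "AVEVA PI Connector for CygNet", "1.6.15"),
    Asset("cam-lobby", "PTZOptics PT12X", "6.3.34"),
]

if __name__ == "__main__":
    for host, cve, fix in find_affected(INVENTORY):
        print(f"{host}: {cve} -> {fix}")
```

The truncated comparison in `before`/`up_to` is deliberate: an advisory that says "1.6.14 and prior" is read conservatively, so a hotfix build like 1.6.14.2 is still reported until the vendor states otherwise.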
## Vulnerability Description
**CVE-2025-32454 (Siemens Tecnomatix Plant Simulation):** An out-of-bounds read occurs while parsing specially crafted WRL files. Successful exploitation could allow an attacker to execute code in the context of the current process; a user must open the malicious file, so this is a local, file-based vector rather than a remote one.
**CVE-2025-0133 (Siemens RUGGEDCOM APE1808 / PAN-OS XSS):** A reflected cross-site scripting (XSS) vulnerability exists in the GlobalProtect gateway and portal features of PAN-OS. An authenticated user who clicks a specially crafted link executes attacker-controlled JavaScript in their browser in the portal's context. The risk is greatest when Clientless VPN is enabled, where the script can be used to harvest credentials.
**CVE-2024-41797 (Siemens SCALANCE/RUGGEDCOM):** An improper privilege management flaw results from an incorrect authorization check. A remote attacker authenticated with the 'guest' role can invoke internal 'do system' commands, such as clearing the local system log, that exceed the permissions intended for that role.
**CVE-2025-4417 (AVEVA PI Connector for CygNet, stored XSS):** An attacker with access to the connector admin portal can persist arbitrary JavaScript that executes whenever other users (typically administrators) visit the affected pages.
**CVE-2025-4418 (AVEVA PI Connector for CygNet, integrity check):** Improper validation of an integrity check value allows an attacker who already holds elevated privileges on the host to modify local data files (cache and buffers), causing the connector service to become unresponsive (denial of service).
**PTZOptics/Camera Vulnerabilities:** Flaws including improper authentication, OS command injection, and use of hard-coded credentials allow attackers to leak data, execute arbitrary commands, or reach the administrative web interface.
## Exploitation
**Status:** The source does not report confirmed in-the-wild exploitation of these issues; CISA urges prompt review and mitigation. The exploitation outcomes described are:
* CVE-2025-32454: code execution in the context of the current process after a user opens a crafted WRL file.
* CVE-2025-0133: phishing links leading to credential theft via reflected XSS.
* Other Siemens/camera flaws: arbitrary command execution and unauthorized access.
**Complexity:** Varies. The PAN-OS XSS and SCALANCE/RUGGEDCOM issues require an authenticated user or a user who follows a crafted link; the Tecnomatix issue requires a user to process a malicious file; the camera issues involving hard-coded credentials require no prior access.
**Attack Vector:** Local (file parsing) for CVE-2025-32454; Network for the web-portal XSS issues, the SCALANCE/RUGGEDCOM 'guest' role flaw, and the camera vulnerabilities.
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2025-32454 | High (code execution) | High (code execution) | High (code execution) |
| CVE-2025-0133 | Medium (credential theft) | Low | None |
| CVE-2024-41797 | Low | Medium (log clearing, unauthorized commands) | Low |
| CVE-2025-4417 | Medium (session hijacking) | Medium | None |
| CVE-2025-4418 | None | High (data file modification) | High (DoS) |
| Camera Flaws | High (data leakage, admin access) | High (command execution) | Medium |
## Remediation
### Patches
* **Siemens Tecnomatix Plant Simulation (CVE-2025-32454):** Update to **V2404.0013 or later**.
* **Siemens RUGGEDCOM APE1808 (CVE-2025-0133):** Contact Siemens customer support to obtain and apply the necessary patch.
* **AVEVA PI Connector for CygNet (CVE-2025-4417, CVE-2025-4418):** Versions 1.6.14 and prior are affected; update to the fixed release per AVEVA's guidance (the source does not name the fixed version).
* **PTZOptics Cameras:** Patches are available on the vendor's Known Vulnerabilities and Fixes site.
### Workarounds
* **CVE-2025-32454:** Administrators should **avoid opening untrusted WRL files** in affected Tecnomatix Plant Simulation versions.
* **CVE-2025-0133:** Administrators are advised to **disable the Clientless VPN feature** on the RUGGEDCOM APE1808. Consult Palo Alto Networks’ Security Advisory for additional guidance regarding analogous PAN-OS features.
* **General:** For ValueHD, multiCAM Systems, and SMTAV, users must **contact the vendors directly** for guidance as they did not respond to coordination efforts.
## Detection
* **Indicators of Compromise:** Unexplained gaps in, or clearing of, SCALANCE/RUGGEDCOM system logs (CVE-2024-41797); 'guest'-role sessions issuing commands beyond read-only access; requests to GlobalProtect portal/gateway or PI Connector admin pages whose parameters contain script fragments (XSS); Tecnomatix Plant Simulation crashing or misbehaving after opening WRL files from outside the organization; and unusual network traffic to or from camera and ICS assets.
* **Detection Methods and Tools:** Forward device syslogs to a central collector so local log clearing cannot erase evidence; block or quarantine WRL attachments from untrusted sources at the mail gateway; apply IDS/IPS or WAF rules for XSS patterns against the web interfaces named above; and scan the camera fleet for default or hard-coded credentials. Organizations should prioritize patching based on the CISA advisories (ICSA-25-162-01 through ICSA-25-162-10).
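A practical form of the XSS rule described above is a log-side check rather than an inline IDS signature, which is useful when the portal sits behind a reverse proxy that already writes access logs. The following is an added example, not tooling from CISA, Siemens or Palo Alto Networks: it parses Apache combined-format lines, looks only at requests under `/global-protect/` (assumed here to be the GlobalProtect portal and gateway path prefix), percent-decodes each query parameter twice to catch double encoding, and flags values containing script markers. The log lines are constructed samples and the payloads are illustrative, not taken from any public exploit.

```python
"""Reflected-XSS attempt detector over constructed access-log lines.

Added example, not part of the advisory or of any vendor tooling. The
/global-protect/ prefix is an assumed portal/gateway path; SAMPLE_LOG is
constructed data using RFC 5737 documentation addresses.
"""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Apache combined log format: src, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

WATCHED_PREFIXES = ("/global-protect/",)  # assumed GlobalProtect portal/gateway paths

# Narrow set of injection markers to keep false positives low. The \b before
# "on" keeps values such as "anonymous=1" from matching the event-handler rule.
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(img|svg|iframe)\b",
    re.IGNORECASE,
)


def decode_twice(value: str) -> str:
    """Undo up to two layers of percent-encoding (attackers double-encode to
    slip past single-decode filters); harmless on already-plain text."""
    return unquote_plus(unquote_plus(value))


def inspect(line: str):
    """Return a finding dict for a suspicious request on a watched path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(WATCHED_PREFIXES):
        return None
    # parse_qsl already decodes one layer; decode_twice handles the rest.
    suspicious = [
        key for key, val in parse_qsl(parts.query, keep_blank_values=True)
        if XSS_MARKERS.search(decode_twice(val))
    ]
    if not suspicious:
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "path": parts.path,
        "params": suspicious,
        "status": m.group("status"),
    }


def scan(lines) -> list:
    """Run inspect() over an iterable of log lines and keep the findings."""
    return [f for f in map(inspect, lines) if f]


SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [11/Jun/2025:10:00:01 +0000] "GET /global-protect/login.esp?user=alice HTTP/1.1" 200 512',
    '203.0.113.5 - - [11/Jun/2025:10:00:09 +0000] "GET /global-protect/login.esp?user=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 740',
    '198.51.100.7 - - [11/Jun/2025:10:01:22 +0000] "GET /global-protect/portal/portal.esp?msg=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 611',
    '198.51.100.9 - - [11/Jun/2025:10:02:00 +0000] "GET /other/login.php?q=%3Cscript%3E HTTP/1.1" 404 120',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['src']} -> {finding['path']} params={finding['params']}")
```

A 200 status on a flagged request is worth more attention than a 4xx: it means the portal rendered the page, so the reflected value reached a real user's browser if the link was clicked. Extend `WATCHED_PREFIXES` with the PI Connector admin portal path once you know it from your own deployment.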
## References
* CISA ICS Advisory ICSA-25-162-01 (Tecnomatix)
* CISA ICS Advisory ICSA-25-162-02 (RUGGEDCOM/PAN-OS)
* CISA ICS Advisory ICSA-25-162-03 (SCALANCE/RUGGEDCOM Privilege)
* CISA ICS Advisory ICSA-25-162-05 (SIMATIC S7-1500)
* CISA ICS Advisory ICSA-25-162-10 (PTZOptics/ValueHD etc.)