Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued new ICS (industrial control systems) advisories on Tuesday, highlighting... The post New CISA advisories urge swift action on ICS flaws impacting energy, manufacturing, transportation systems appeared first on Industrial Cyber.
Analysis Summary
# Vulnerability: Critical Vulnerabilities in Kaleris Navis N4 (Deserialization & Cleartext Transmission)
## CVE Details
- CVE ID: CVE-2025-2566
- CVSS Score: 9.8 (Critical) (CVSS v3.1) | 9.3 (Critical) (CVSS v4)
- CWE: Deserialization of Untrusted Data
- CVE ID: CVE-2025-5087
- CVSS Score: 5.9 (Medium) (CVSS v3.1) | 6.0 (Medium) (CVSS v4)
- CWE: Cleartext Transmission of Sensitive Information (Implied)
## Affected Systems
- Products: Kaleris Navis N4 (Terminal Operating System) and Navis N4 ULC (Ultra Light Client)
- Versions: Versions before 4.0 (for CVE-2025-2566); unspecified versions (for CVE-2025-5087, impacting ULC communication)
- Configurations: Applicable to Kaleris Navis N4 ULC components.
## Vulnerability Description
**CVE-2025-2566 (Deserialization of Untrusted Data):** The Kaleris NAVIS N4 ULC contains an unsafe Java deserialization vulnerability. An unauthenticated attacker can send specially crafted requests to achieve remote code execution (RCE) on the server.
**CVE-2025-5087 (Cleartext Transmission):** The Kaleris NAVIS N4 ULC communicates insecurely by using zlib-compressed data over HTTP, exposing sensitive information, including plaintext credentials, to anyone observing network traffic between the ULC and N4 servers.
## Exploitation
- Status: Remote exploitation of the Terminal Operating System leading to RCE is implied (CVE-2025-2566); passive observation of ULC-to-server traffic is sufficient for CVE-2025-5087.
- Complexity: Low (implied for RCE via deserialization; network sniffing required for cleartext exposure).
- Attack Vector: Network
## Impact
- Confidentiality: High (RCE allows data access; cleartext exposure leaks credentials)
- Integrity: High (RCE allows arbitrary code execution)
- Availability: High (RCE could lead to denial of service)
## Remediation
### Patches
Users must upgrade to one of the following Navis N4 versions or later:
* 3.1.44
* 3.2.26
* 3.3.27
* 3.4.25
* 3.5.18
* 3.6.14
* 3.7.0
* 3.8.0
**Long-Term Solution:** Upgrade to N4 version 4.0 or later, which replaces the Ultra Light Client with an HTML-based UI.
### Workarounds
If immediate upgrading is not possible:
1. **Network Segmentation:** Place N4 behind a firewall if it does not require internet access.
2. **Disable ULC (If Internet-Facing):** Block Ultra Light Client URLs at the load balancer or firewall.
3. **Disable ULC Endpoint (Local):** Comment out relevant sections in the `web.xml` file on the N4 cluster node and restart the server.
4. **Secure Access (If Internet Exposure is Unavoidable):**
   * Set up a secure VPN for authorized external users.
   * Deploy an authenticated jump system (e.g., Citrix or VDI).
   * **Least Secure:** Whitelist known external IP addresses.
5. **General Security Controls:** Minimize the number of exposed N4 nodes, enable and correctly configure HTTPS on the load balancer/firewall, and use a reliable third-party firewall with DDoS protection and IDS. Ensure TLS is enforced on the load balancer.
## Detection
- **Indicators of Compromise:** Look for serialized Java payloads reaching N4 servers and for unexpected process or code execution on hosts running Navis N4 ULC components. Monitor network traffic for zlib-compressed sensitive data, including credentials, transmitted over plain HTTP.
- **Detection Methods and Tools:** Network traffic analysis tools capable of inspecting protocol headers and payload content for cleartext credentials or suspicious serialized Java objects directed at N4 servers.
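A detection check for the two Navis N4 conditions described above, written here as an added example (not code from the advisory, CISA or Kaleris): it inspects captured HTTP messages for the Java serialization stream header and for zlib-compressed bodies sent over plaintext HTTP, inflating the latter to look for credential-like fields. The host, paths and sample messages are constructed placeholders, not real N4 endpoints.

```python
import re
import zlib

# Java Object Serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# First two bytes of a zlib stream (CMF 0x78 = deflate, 32 KiB window) for the
# FLG values of fastest, fast, default and best compression.
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
# Credential-looking keys inside a decompressed body (constructed heuristic).
CRED_PATTERN = re.compile(rb"\b(password|passwd|pwd|credential)\b\s*[=:]", re.I)

def http_body(message: bytes) -> bytes:
    """Return the body of a raw HTTP/1.x message (empty if no header/body split)."""
    _, _, body = message.partition(b"\r\n\r\n")
    return body

def inspect_http_message(message: bytes, tls: bool) -> list:
    """Return detection labels for one captured HTTP message.
    tls=False means the message was seen on a plaintext connection, the exposure
    CVE-2025-5087 describes; serialized Java objects are flagged on any transport."""
    findings = []
    body = http_body(message)
    if body.startswith(JAVA_SERIAL_MAGIC):
        findings.append("java-serialized-object")
    if body[:2] in ZLIB_HEADERS and not tls:
        findings.append("zlib-over-plain-http")
        try:
            inflated = zlib.decompress(body)
        except zlib.error:  # truncated capture: the compressed stream is still reported
            inflated = b""
        if CRED_PATTERN.search(inflated):
            findings.append("cleartext-credentials")
    return findings

def scan_capture(messages) -> dict:
    """Map each (label, message, tls) triple to its findings, skipping clean messages."""
    report = {}
    for label, message, tls in messages:
        findings = inspect_http_message(message, tls)
        if findings:
            report[label] = findings
    return report

# Constructed sample traffic; host and paths are placeholders, not real N4 URLs.
SAMPLE_LOGIN = (b"POST /ulc/login-placeholder HTTP/1.1\r\nHost: n4.example.internal\r\n\r\n"
                + zlib.compress(b"user=operator&password=hunter2"))
SAMPLE_OBJECT = (b"POST /ulc/object-placeholder HTTP/1.1\r\nHost: n4.example.internal\r\n\r\n"
                 + JAVA_SERIAL_MAGIC + b"<rest of constructed object stream>")
SAMPLE_CAPTURE = [("login", SAMPLE_LOGIN, False), ("object", SAMPLE_OBJECT, False)]
```

Feed `scan_capture` reassembled HTTP messages from a capture of the ULC-to-N4 path; any message flagged on a plaintext connection is the exposure the advisory describes, and the serialized-object label is the one to correlate with unexpected process execution on the server.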
## References
- Kaleris Security Advisory (Details available to customers)
- CISA Advisory: icsa-25-175-01 (defanged: hXXps://www.cisa.gov/news-events/ics-advisories/icsa-25-175-01)
---
# Vulnerability: Code Execution in Delta Electronics CNCSoft via Untrusted File Input
## CVE Details
- CVE ID: CVE-2025-47724
- CVSS Score: 7.7 (High) (CVSS v3.1) | 7.3 (High) (CVSS v4)
- CWE: Improper Input Validation (Implied, related to file handling)
## Affected Systems
- Products: Delta Electronics CNCSoft (HMI tool)
- Versions: 1.01.34 and earlier
- Configurations: When a user opens a maliciously crafted file.
## Vulnerability Description
Delta Electronics CNCSoft does not properly validate user-supplied files. Opening a malicious file crafted by an attacker allows the attacker to execute arbitrary code within the context of the current process running the software.
## Exploitation
- Status: Not specified whether exploited in the wild, but RCE potential exists upon file opening.
- Complexity: Medium (Requires user interaction—opening a file).
- Attack Vector: Local (Requires delivery of the malicious file to the user).
## Impact
- Confidentiality: High (Code execution allows data access within the process context)
- Integrity: High (Arbitrary code execution)
- Availability: Medium (Potential process crash or system compromise)
## Remediation
### Patches
Delta Electronics **does not plan to patch** this vulnerability because the A-series CNC products supported by CNCSoft have been discontinued.
**Action Required:** Users are strongly advised to migrate to newer Delta CNC products and their corresponding software as soon as possible. CNCSoft will be removed from the Delta Download Center.
### Workarounds
Beyond migration, no specific workarounds were detailed; strict control over which files are opened in CNCSoft and running the CNCSoft process with minimal privileges would be standard best practice.
## Detection
- No specific IOCs are provided in the advisory summary. Monitor for CNCSoft opening files from untrusted sources and for unexpected process or code execution originating from CNCSoft after a file is opened.
## References
- CISA Advisory: icsa-25-175-02 (defanged: hXXps://www.cisa.gov/news-events/ics-advisories/icsa-25-175-02)
---
# Vulnerability: Cross-Site Scripting in Parsons Utility Enterprise Data Management / AclaraONE
## CVE Details
- CVE ID: CVE-2025-5015
- CVSS Score: 8.8 (High) (CVSS v3.1) | 8.7 (High) (CVSS v4)
- CWE: Cross-Site Scripting (XSS)
## Affected Systems
- Products: Parsons Utility Enterprise Data Management (all versions from 4.02 through 4.26, plus the specific versions 5.18, 5.03 and 3.30) and AclaraONE Utility Portal (all versions before 1.22).
- Configurations: AccuWeather and Custom RSS widgets.
## Vulnerability Description
A cross-site scripting (XSS) vulnerability exists in the AccuWeather and Custom RSS widgets. An unauthenticated user can replace the legitimate RSS feed URL with a malicious one, leading to script execution when other users view the compromised feed.
## Exploitation
- Status: Not specified whether exploited in the wild.
- Complexity: Low (Unauthenticated user can inject malicious URL).
- Attack Vector: Network
## Impact
- Confidentiality: High (Script execution can steal session tokens or user data)
- Integrity: High (Malicious code execution leads to unauthorized actions)
- Availability: Low
## Remediation
### Patches
- **Parsons Utility Enterprise Data Management:** Patched in all managed instances as of January 7, 2025 (No end-user action needed for managed deployments).
- **AclaraONE (Hosted instances):** Addressed as of February 7, 2025 (No end-user action needed for hosted deployments).
- **AclaraONE (On-Premise users):** A patch and mitigation details are available via the Aclara Connect Customer Portal.
### Workarounds
For on-premise AclaraONE users unable to patch immediately, details are available via the Aclara Connect Customer Portal or by contacting support.
## Detection
- Monitor for changes to RSS feed URLs configured within the affected widgets in the affected products.
## References
- CISA Advisory: icsa-25-175-05 (defanged: hXXps://www.cisa.gov/news-events/ics-advisories/icsa-25-175-05)
---
# Vulnerability: Multiple Flaws in MICROSENS NMP Web+ (Hardcoded Constants, Session Management, Path Traversal)
## CVE Details
*Note: Specific CVE IDs were not detailed in the summary for the MICROSENS findings, only the types of vulnerabilities identified.*
- CVSS Score: Not specified.
- CWE: Use of Hard-coded Security-Relevant Constants, Insufficient Session Expiration, Path Traversal (Improper Limitation of a Pathname to a Restricted Directory).
## Affected Systems
- Products: MICROSENS NMP Web+
- Versions: 3.2.5 and earlier
- Configurations: Affecting systems deployed across the critical manufacturing sector.
## Vulnerability Description
MICROSENS NMP Web+ version 3.2.5 and earlier contain multiple vulnerabilities that could allow an attacker to gain system access, overwrite files, or execute arbitrary code by exploiting hard-coded secrets, weak session controls, or directory traversal flaws.
## Exploitation
- Status: Not specified if exploited in the wild.
- Complexity: Likely Medium to High, depending on the specific flaw exploited.
- Attack Vector: Network (Implied for web-based flaws).
## Impact
- Confidentiality: High (System access, potential file reading)
- Integrity: High (File overwriting, arbitrary code execution)
- Availability: High (System compromise)
## Remediation
### Patches
Users must update to **NMP Web+ Version 3.3.0** for Windows and Linux.
### Workarounds
None specified in this summary beyond immediate patching.
## Detection
- Monitor for abnormal file modifications and for unauthorized attempts to access the NMP Web+ web interface.
## References
- MICROSENS Advisory: (defanged: hXXps://www.microsens.com/support/downloads/nmp/)
- CISA Advisory: icsa-25-175-07 (defanged: hXXps://www.cisa.gov/news-events/ics-advisories/icsa-25-175-07)