Full Report
IT and ICS vulnerabilities " data-image-caption="" data-medium-file="https://cyble.com/wp-content/uploads/2025/12/IT-and-ICS-vulnerabilities-2-300x150.webp" data-large-file="https://cyble.com/wp-content/uploads/2025/12/IT-and-ICS-vulnerabilities-2.webp" title="The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes 1"> Cyble Vulnerability Intelligence researchers tracked 591 vulnerabilities in the last week, and more than 30 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks on those vulnerabilities. A total of 69 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 26 received a critical severity rating based on the newer CVSS v4.0 scoring system. Here are some of the more critical IT and ICS vulnerabilities flagged by Cyble in recent reports to clients. The Week’s Top IT Vulnerabilities CVE-2025-60854 is a critical command injection vulnerability found in the D-Link R15 (AX1500) router firmware 1.20.01 and below. The flaw has a severity score of 9.8 and requires no authentication or user interaction to exploit, making it highly dangerous for affected systems. CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in the last week: CVE-2025-55182 is a critical pre-authentication remote code execution (RCE) vulnerability in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0, including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerability has been reportedly targeted by China-linked threat groups. CVE-2021-26829 is a cross-site scripting (XSS) vulnerability affecting OpenPLC ScadaBR that was targeted in recent attacks by the pro-Russian hacktivist group TwoNet on a honeypot simulating a water treatment facility, where the threat actors used default credentials for initial access, exploited the flaw to deface the HMI login page, and disabled logs and alarms in a little more than a day. Five days after adding CVE-2021-26829 to the KEV catalog, CISA added CVE-2021-26828, a high-severity Unrestricted Upload of File with Dangerous Type vulnerability affecting OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows. The flaw could allow remote authenticated users to upload and execute arbitrary JSP files via view_edit.shtm. CISA also added two Android vulnerabilities to the KEV catalog, both high-severity Android framework vulnerabilities. CVE-2025-48572 is a Privilege Escalation vulnerability, while CVE-2025-48633 is an Information Disclosure vulnerability. Neither vulnerability has been added to the National Vulnerability Database (NVD) yet. Notable vulnerabilities discussed in open-source communities included: CVE-2025-13223, a type confusion vulnerability in Google Chrome's V8 JavaScript and WebAssembly engine, allowing remote attackers to exploit heap corruption via a crafted HTML page, potentially leading to arbitrary code execution. CVE-2025-11001, a directory traversal remote code execution vulnerability in 7-Zip, stemming from improper handling of symbolic links in ZIP files, potentially allowing attackers to escape extraction directories and execute arbitrary code in the context of a service account upon user interaction with crafted archives. CVE-2025-58034, an OS command injection vulnerability in Fortinet FortiWeb web application firewalls. CVE-2025-41115, a critical privilege escalation and user impersonation vulnerability in Grafana Enterprise's SCIM provisioning feature, which could allow attackers to create accounts impersonating privileged users, modify dashboards, access databases, alter alerts, and pivot to connected systems. CVE-2025-59366, a critical authentication bypass vulnerability in ASUS AiCloud routers, potentially allowing unauthorized execution of specific router functions via path traversal and OS command injection. Vulnerabilities Under Discussion on the Dark Web Cyble dark web researchers observed multiple threat actors (TA) on dark web and cybercrime forums discussing various exploits and weaponizing multiple vulnerabilities, including: CVE-2025-60709: A Windows Common Log File System (CLFS) Driver elevation of privilege vulnerability that could allow an authorized attacker to elevate privileges locally through an out-of-bounds read flaw. The specific flaw exists within the clfs.sys driver and results from improper validation of user-supplied data, which can lead to a read past the end of an allocated memory region. Local attackers can disclose sensitive information on affected Microsoft Windows installations and potentially exploit this vulnerability in conjunction with other vulnerabilities to execute arbitrary code in the context of the kernel, resulting in privilege escalation. CVE-2025-5931: A high-severity privilege escalation vulnerability in the Dokan Pro WordPress plugin, which stems from improper user identity validation during the staff password reset procedure, allowing attackers with vendor-level access to escalate their privileges to staff member level and then change arbitrary user passwords, including those of administrators, potentially leading to a full account takeover. CVE-2025-64446: A critical unauthenticated path traversal vulnerability in Fortinet FortiWeb WAF that could allow full administrative compromise of affected appliances via crafted HTTP(S) requests. The flaw is a relative path traversal (sometimes called “path confusion”) issue in the FortiWeb GUI / management API that could let an attacker reach an internal CGI handler and execute privileged operations without valid credentials. In practice, this becomes an authentication bypass that enables remote admin‑level control and, effectively, remote code execution on the WAF. ICS Vulnerabilities In addition to the OpenPLC ScadaBR vulnerabilities noted by CISA, Cyble threat intelligence researchers flagged four additional industrial control system (ICS) vulnerabilities in recent reports to clients. CVE-2024-3871 is a critical Stack-Based Buffer Overflow vulnerability affecting Emerson Appleton UPSMON-PRO, versions 2.6 and prior. Successful exploitation of the vulnerability could allow remote attackers to execute arbitrary code on affected installations of Appleton UPSMON-PRO. CVE-2025-13483 is a Missing Authentication for Critical Function vulnerability affecting SiRcom SMART Alert (SiSA), version 3.0.48. Successful exploitation of the vulnerability could enable an attacker to remotely activate or manipulate emergency sirens. CVE-2025-13658 is a Command Injection vulnerability affecting Longwatch versions 6.309 to 6.334. Successful exploitation could allow an unauthenticated attacker to gain remote code execution with elevated privileges. CVE-2025-13510 is a Missing Authentication for Critical Function vulnerability affecting Iskra iHUB and iHUB Lite, all versions. Successful exploitation could allow a remote attacker to reconfigure devices, update firmware, and manipulate connected systems without any credentials. Conclusion The wide range of critical and exploited vulnerabilities in this week’s report highlights the breadth of threats faced by security teams, who must respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. The post The Week in Vulnerabilities: Cyble Urges D-Link, React Server Fixes appeared first on Cyble.
Analysis Summary
# Vulnerability: D-Link R15 Critical Command Injection
## CVE Details
- CVE ID: CVE-2025-60854
- CVSS Score: 9.8 (Critical)
- CWE: Command Injection
## Affected Systems
- Products: D-Link R15 (AX1500) router firmware
- Versions: 1.20.01 and below
- Configurations: N/A
## Vulnerability Description
A critical command injection vulnerability exists in the D-Link R15 router firmware. Successful exploitation allows an attacker to execute arbitrary commands on the system.
## Exploitation
- Status: PoC available (Implied by high public risk and tracked by researchers)
- Complexity: Low (Requires no authentication or user interaction)
- Attack Vector: Network
## Impact
- Confidentiality: High (Likely)
- Integrity: High (Likely)
- Availability: High (Likely)
## Remediation
### Patches
- Version information for the fix is not provided in the context. Users are urged to update to firmware version 1.20.02 or later, or consult the vendor advisory.
### Workarounds
- No specific workarounds are detailed in the text, but reducing external exposure of the router is recommended.
## Detection
- Detection methods are not specified, but monitoring unexpected outbound network connections or newly created system processes originating from the router is advised.
## References
- Vendor advisory: Search D-Link security bulletins for CVE-2025-60854.
***
# Vulnerability: React Server Components Pre-Authentication RCE
## CVE Details
- CVE ID: CVE-2025-55182
- CVSS Score: N/A (Rated Critical)
- CWE: N/A (RCE)
## Affected Systems
- Products: React Server Components
- Versions: 19.0.0, 19.1.0, 19.1.1, and 19.2.0
- Configurations: Affecting packages: `react-server-dom-parcel`, `react-server-dom-turbopack`, and `react-server-dom-webpack`.
## Vulnerability Description
A critical pre-authentication Remote Code Execution (RCE) vulnerability exists in React Server Components. This flaw has been added to CISA's KEV catalog and is reportedly targeted by China-linked threat groups.
## Exploitation
- Status: Exploited in the wild (Added to CISA KEV and discussed as "React2Shell")
- Complexity: Low (Pre-authentication)
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Users must upgrade to React Server Components versions beyond 19.2.0, or consult official React documentation for patched versions.
### Workarounds
- No specific workarounds are detailed in the text. Implement strict network segmentation and access controls for servers running these components.
## Detection
- Detection signatures should focus on patterns associated with the React2Shell exploitation attempts.
## References
- CISA KEV Catalog entry for CVE-2025-55182.
***
# Vulnerability: OpenPLC ScadaBR Cross-Site Scripting (XSS)
## CVE Details
- CVE ID: CVE-2021-26829
- CVSS Score: N/A (High severity, added to KEV)
- CWE: Cross-Site Scripting (XSS)
## Affected Systems
- Products: OpenPLC ScadaBR
- Versions: N/A (General affecting older installations)
- Configurations: Targeted in a water treatment facility honeypot simulation. Threat actors used default credentials for initial access.
## Vulnerability Description
An XSS vulnerability in OpenPLC ScadaBR that was recently exploited by the pro-Russian hacktivist group TwoNet. Exploitation allowed defacement of the HMI login page and disabling of logs/alarms.
## Exploitation
- Status: Exploited in the wild (Targeted TwoNet attacks)
- Complexity: Low (Initial access gained via default credentials)
- Attack Vector: Network (Requires authentication, though default credentials were used)
## Impact
- Confidentiality: Medium (HMI page defacement)
- Integrity: High (Disabling logs and alarms)
- Availability: Medium
## Remediation
### Patches
- Users should apply the latest security updates for OpenPLC ScadaBR or migrate to versions addressing this flaw.
### Workarounds
- **CRITICAL:** Immediately change all default or weak credentials on OpenPLC ScadaBR deployments.
## Detection
- Monitor for unauthorized modifications to HMI pages, log clearing events, or alarm suppression activities.
## References
- CISA KEV Catalog entry for CVE-2021-26829.
***
# Vulnerability: OpenPLC ScadaBR Unrestricted File Upload
## CVE Details
- CVE ID: CVE-2021-26828
- CVSS Score: N/A (High Severity, added to KEV)
- CWE: Unrestricted Upload of File with Dangerous Type
## Affected Systems
- Products: OpenPLC ScadaBR
- Versions: Through 0.9.1 on Linux, and through 1.12.4 on Windows.
- Configurations: Requires remote authenticated user access. Exploitation occurs via `view_edit.shtm`.
## Vulnerability Description
This vulnerability allows remote authenticated users to upload and execute arbitrary JSP files by exploiting an unrestricted file upload flaw via the `view_edit.shtm` interface.
## Exploitation
- Status: Added to CISA KEV (Implies active exploitation concern)
- Complexity: Medium (Requires authentication)
- Attack Vector: Network
## Impact
- Confidentiality: High
- Integrity: High (Arbitrary code execution)
- Availability: High
## Remediation
### Patches
- Upgrade OpenPLC ScadaBR to versions beyond 0.9.1 (Linux) or 1.12.4 (Windows).
### Workarounds
- Restrict access to the `view_edit.shtm` interface to only necessary, highly trusted administrative accounts.
## Detection
- Monitor web server logs for uploads of `.jsp` files to unexpected directories, especially those executed shortly thereafter.
## References
- CISA KEV Catalog entry for CVE-2021-26828.
***
# Vulnerability: Android Framework Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-48572
- CVSS Score: N/A (High Severity, added to KEV)
- CWE: Privilege Escalation
## Affected Systems
- Products: Android framework
- Versions: Unspecified (Requires vendor patch)
- Configurations: N/A
## Vulnerability Description
A high-severity privilege escalation vulnerability affecting the Android framework.
## Exploitation
- Status: Added to CISA KEV (Implies active exploitation concern)
- Complexity: N/A
- Attack Vector: N/A
## Impact
- Integrity: High
## Remediation
### Patches
- Apply relevant Android security updates provided by the device manufacturer.
### Workarounds
- N/A
## Detection
- Monitor for unusual process elevation requests originating from framework components (requires deep endpoint visibility).
## References
- CISA KEV Catalog entry (NVD not yet assigned).
***
# Vulnerability: Android Framework Information Disclosure
## CVE Details
- CVE ID: CVE-2025-48633
- CVSS Score: N/A (High Severity, added to KEV)
- CWE: Information Disclosure
## Affected Systems
- Products: Android framework
- Versions: Unspecified (Requires vendor patch)
- Configurations: N/A
## Vulnerability Description
A high-severity information disclosure vulnerability affecting the Android framework.
## Exploitation
- Status: Added to CISA KEV (Implies active exploitation concern)
- Complexity: N/A
- Attack Vector: N/A
## Impact
- Confidentiality: High
## Remediation
### Patches
- Apply relevant Android security updates provided by the device manufacturer.
### Workarounds
- N/A
## Detection
- Monitor for unexpected data access patterns by low-privilege processes.
## References
- CISA KEV Catalog entry (NVD not yet assigned).
***
# Vulnerability: Google Chrome V8 Type Confusion
## CVE Details
- CVE ID: CVE-2025-13223
- CVSS Score: N/A
- CWE: Type Confusion
## Affected Systems
- Products: Google Chrome V8 JavaScript and WebAssembly engine
- Versions: Unspecified
- Configurations: Exploited via a crafted HTML page.
## Vulnerability Description
A type confusion vulnerability in Chrome's V8 engine that can lead to heap corruption, potentially allowing remote attackers to achieve arbitrary code execution.
## Exploitation
- Status: PoC available (Discussed in open-source communities)
- Complexity: Medium/High (Requires heap exploitation techniques)
- Attack Vector: Network (User interaction required)
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Update Google Chrome to the latest patched version.
### Workarounds
- Implement strict browser sandboxing policies and consider web filtering.
## Detection
- Monitor endpoints for unexpected process memory corruption or shellcode execution attempts originating from the Chrome renderer process.
## References
- NVD entry for CVE-2025-13223 (Check for vendor advisory).
***
# Vulnerability: 7-Zip Directory Traversal RCE via Symbolic Links
## CVE Details
- CVE ID: CVE-2025-11001
- CVSS Score: N/A
- CWE: Directory Traversal (Path Traversal) / Remote Code Execution
## Affected Systems
- Products: 7-Zip
- Versions: Unspecified
- Configurations: Triggered by user interaction with specially crafted ZIP files containing symbolic links.
## Vulnerability Description
A directory traversal vulnerability in 7-Zip resulting from improper handling of symbolic links within ZIP archives. This can allow an attacker to escape the intended extraction directory and execute arbitrary code under the context of the service account running the extraction process.
## Exploitation
- Status: PoC available (Discussed in open-source communities)
- Complexity: Medium (Requires user interaction)
- Attack Vector: Adjacent/Local (If delivered via email/download)
## Impact
- Integrity: High (Arbitrary code execution)
- Confidentiality: High
## Remediation
### Patches
- Update 7-Zip to the latest version that resolves symbolic link handling issues in ZIP extraction.
### Workarounds
- Do not allow users to extract untrusted archives automatically; implement quarantine and inspection environments for suspicious files.
## Detection
- Monitor file system for creation/modification activities outside of expected extraction paths upon archive decompression.
## References
- NVD entry for CVE-2025-11001.
***
# Vulnerability: Fortinet FortiWeb OS Command Injection
## CVE Details
- CVE ID: CVE-2025-58034
- CVSS Score: N/A
- CWE: OS Command Injection
## Affected Systems
- Products: Fortinet FortiWeb web application firewalls
- Versions: Unspecified
- Configurations: N/A
## Vulnerability Description
An OS command injection vulnerability found within the Fortinet FortiWeb WAF.
## Exploitation
- Status: PoC available (Discussed in open-source communities)
- Complexity: N/A
- Attack Vector: Network
## Impact
- Integrity: High
## Remediation
### Patches
- Apply the security update released by Fortinet addressing CVE-2025-58034.
### Workarounds
- Harden WAF configurations and limit input vectors where this injection could occur.
## Detection
- Monitor FortiWeb logs for unusual command executions or parameter inputs containing shell metacharacters.
## References
- NVD entry for CVE-2025-58034.
***
# Vulnerability: Grafana Enterprise SCIM Privilege Escalation/Impersonation
## CVE Details
- CVE ID: CVE-2025-41115
- CVSS Score: N/A (Critical)
- CWE: Privilege Escalation / User Impersonation
## Affected Systems
- Products: Grafana Enterprise
- Versions: Unspecified
- Configurations: Affects the SCIM provisioning feature.
## Vulnerability Description
A critical vulnerability in Grafana Enterprise's SCIM provisioning feature that allows for privilege escalation and user impersonation. Attackers could create accounts impersonating privileged users, modify dashboards, access databases, alter alerts, and pivot to connected systems.
## Exploitation
- Status: Undetermined (High severity suggests active tracking)
- Complexity: N/A
- Attack Vector: Network (Likely requires access token or initial access to provisioning endpoint)
## Impact
- Confidentiality: High
- Integrity: Critical
- Availability: High
## Remediation
### Patches
- Update Grafana Enterprise to a version that addresses the SCIM provisioning flaw.
### Workarounds
- If patching is delayed, restrict access to the SCIM provisioning configuration endpoints strictly to necessary internal services.
## Detection
- Monitor SCIM logs for unusual account creation requests or changes to user roles, especially those involving high-privilege roles.
## References
- NVD entry for CVE-2025-41115.
***
# Vulnerability: ASUS AiCloud Authentication Bypass/RCE
## CVE Details
- CVE ID: CVE-2025-59366
- CVSS Score: N/A (Critical)
- CWE: Authentication Bypass / OS Command Injection
## Affected Systems
- Products: ASUS AiCloud routers
- Versions: Unspecified
- Configurations: N/A
## Vulnerability Description
A critical authentication bypass vulnerability in ASUS AiCloud routers, exploitable via path traversal combined with OS command injection, allowing unauthorized execution of specific router functions.
## Exploitation
- Status: Undetermined (High severity)
- Complexity: N/A
- Attack Vector: Network
## Impact
- Integrity: Critical (RCE possible)
## Remediation
### Patches
- Update ASUS router firmware to the version addressing CVE-2025-59366.
### Workarounds
- Disable the AiCloud feature if updates are not immediately available.
## Detection
- Monitor router command execution logs and configuration changes initiated without proper user authentication.
## References
- NVD entry for CVE-2025-59366.
***
# Vulnerability: Windows CLFS Driver Local Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-60709
- CVSS Score: N/A (Observed on Dark Web)
- CWE: Out-of-bounds Read / Elevation of Privilege
## Affected Systems
- Products: Microsoft Windows (CLFS Driver: `clfs.sys`)
- Versions: All affected Windows installations.
- Configurations: Exploitation requires local access by an authorized attacker.
## Vulnerability Description
An out-of-bounds read flaw in the Windows Common Log File System (CLFS) Driver (`clfs.sys`) due to improper validation of user-supplied data. This vulnerability allows a local, authorized user to disclose sensitive information or potentially achieve kernel-level arbitrary code execution for full privilege escalation.
## Exploitation
- Status: Discussed on Dark Web (Weaponization observed)
- Complexity: High (Requires local access and deep kernel knowledge)
- Attack Vector: Local
## Impact
- Confidentiality: High (Information Disclosure)
- Integrity: Critical (Kernel RCE potential)
## Remediation
### Patches
- Apply the latest cumulative updates from Microsoft for Windows that address CVE-2025-60709.
### Workarounds
- Restrict local user privileges to the lowest possible level.
## Detection
- Monitor kernel module loading/unloading and look for anomalous memory access patterns within `clfs.sys`.
## References
- NVD entry for CVE-2025-60709.
***
# Vulnerability: Dokan Pro WordPress Plugin Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-5931
- CVSS Score: N/A (High Severity, observed on Dark Web)
- CWE: Improper Identity Validation / Privilege Escalation
## Affected Systems
- Products: Dokan Pro WordPress plugin
- Versions: Unspecified
- Configurations: Exploited during the staff password reset procedure, targeting vendor-level access.
## Vulnerability Description
A high-severity flaw stemming from improper user identity validation during the staff password reset process for vendor-level accounts. This allows an attacker with vendor access to escalate privileges to staff level and subsequently change *any* user password, leading to full account takeover.
## Exploitation
- Status: Discussed on Dark Web
- Complexity: Medium (Requires existing vendor account or access)
- Attack Vector: Network (If used via exposed WordPress site)
## Impact
- Confidentiality: High
- Integrity: Critical (Full administrative takeover)
## Remediation
### Patches
- Update the Dokan Pro WordPress plugin to the patched version.
### Workarounds
- Audit and revoke unnecessary vendor-level permissions; enforce strong, unique passwords for all staff and admin accounts.
## Detection
- Monitor user sessions for unexpected privilege changes following password resets.
## References
- NVD entry for CVE-2025-5931.
***
# Vulnerability: Fortinet FortiWeb Unauthenticated Path Traversal/RCE
## CVE Details
- CVE ID: CVE-2025-64446
- CVSS Score: N/A (Critical, observed on Dark Web)
- CWE: Path Traversal (Relative Path Traversal/Path Confusion) / Authentication Bypass
## Affected Systems
- Products: Fortinet FortiWeb WAF
- Versions: Unspecified
- Configurations: Exploited via crafted HTTP(S) requests targeting the GUI/management API.
## Vulnerability Description
A critical unauthenticated relative path traversal vulnerability in the FortiWeb GUI/management API. An attacker can use this flaw to bypass authentication, reach an internal CGI handler, execute privileged operations, and effectively gain remote code execution with administrative control over the WAF.
## Exploitation
- Status: Discussed and weaponized on Dark Web
- Complexity: High (Potentially complex path confusion payload)
- Attack Vector: Network (Unauthenticated)
## Impact
- Confidentiality: Critical
- Integrity: Critical (Remote admin RCE)
- Availability: Critical
## Remediation
### Patches
- Apply the security update released by Fortinet addressing CVE-2025-64446 immediately.
### Workarounds
- Temporarily place existing FortiWeb appliances behind an access control list (ACL) limiting management interface access strictly to trusted source IPs.
## Detection
- Signatures should look for repeated or malformed path traversals (`../../`, etc.) targeting management endpoints (`/mgr/` or similar API handlers) in WAF logs.
## References
- NVD entry for CVE-2025-64446.
***
# Vulnerability: Emerson Appleton UPSMON-PRO Stack Buffer Overflow (ICS)
## CVE Details
- CVE ID: CVE-2024-3871
- CVSS Score: N/A (Critical, ICS)
- CWE: Stack-Based Buffer Overflow
## Affected Systems
- Products: Emerson Appleton UPSMON-PRO
- Versions: 2.6 and prior
- Configurations: ICS/Operational Technology environment.
## Vulnerability Description
A critical stack-based buffer overflow vulnerability in the software, allowing remote attackers to execute arbitrary code upon successful exploitation.
## Exploitation
- Status: Flagged by Cyble (High Risk)
- Complexity: N/A
- Attack Vector: Network
## Impact
- Integrity: Critical
- Availability: Critical
## Remediation
### Patches
- Upgrade to UPSMON-PRO version 2.7 or later, or consult Emerson advisories.
### Workarounds
- Isolate the affected machinery/network segment from broader networks; strictly limit network access to the UPSMON-PRO service.
## Detection
- Network intrusion detection systems monitoring the OT network should look for malformed protocol traffic directed at the UPSMON-PRO service ports.
## References
- NVD entry for CVE-2024-3871.
***
# Vulnerability: SiRcom SiSA Emergency Siren Remote Activation (ICS)
## CVE Details
- CVE ID: CVE-2025-13483
- CVSS Score: N/A (ICS)
- CWE: Missing Authentication for Critical Function
## Affected Systems
- Products: SiRcom SMART Alert (SiSA)
- Versions: 3.0.48
- Configurations: N/A
## Vulnerability Description
A critical flaw where the system lacks authentication for a critical function, allowing a remote attacker to activate or manipulate emergency sirens without credentials.
## Exploitation
- Status: Flagged by Cyble (High Risk)
- Complexity: Low (Missing authentication)
- Attack Vector: Network
## Impact
- Availability: High (Can cause physical disruption/false alarms)
## Remediation
### Patches
- Apply the fix provided by SiRcom addressing authentication requirements for siren control functions.
### Workarounds
- Implement strict network segregation (ACLs) to ensure only authorized systems can communicate with SiSA devices on the relevant control ports.
## Detection
- Monitor SIEM/logging for any siren activation commands originating from unauthorized IPs.
## References
- NVD entry for CVE-2025-13483.
***
# Vulnerability: Longwatch Command Injection (ICS)
## CVE Details
- CVE ID: CVE-2025-13658
- CVSS Score: N/A (ICS)
- CWE: Command Injection
## Affected Systems
- Products: Longwatch
- Versions: 6.309 to 6.334
- Configurations: N/A
## Vulnerability Description
A command injection vulnerability that allows an unauthenticated attacker to achieve remote code execution with elevated privileges on affected Longwatch systems.
## Exploitation
- Status: Flagged by Cyble (High Risk)
- Complexity: Low (Unauthenticated RCE via injection)
- Attack Vector: Network
## Impact
- Integrity: Critical
- Availability: High
## Remediation
### Patches
- Upgrade Longwatch to the latest version addressing command injection vectors.
### Workarounds
- Restrict network access to the Longwatch management interface via firewall rules.
## Detection
- Look for shell command injection attempts in traffic destined for Longwatch services.
## References
- NVD entry for CVE-2025-13658.
***
# Vulnerability: Iskra iHUB Missing Authentication (ICS)
## CVE Details
- CVE ID: CVE-2025-13510
- CVSS Score: N/A (ICS)
- CWE: Missing Authentication for Critical Function
## Affected Systems
- Products: Iskra iHUB and iHUB Lite
- Versions: All versions
- Configurations: N/A
## Vulnerability Description
All versions of Iskra iHUB/iHUB Lite suffer from a critical missing authentication flaw, allowing remote attackers to reconfigure devices, update firmware, and manipulate connected systems without providing any credentials.
## Exploitation
- Status: Flagged by Cyble (High Risk)
- Complexity: Low (No authentication needed)
- Attack Vector: Network
## Impact
- Integrity: Critical (Firmware manipulation)
- Availability: Critical
## Remediation
### Patches
- Apply any firmware updates from Iskra that implement proper authentication mechanisms for configuration and firmware updates.
### Workarounds
- **Immediate Action:** Isolate all iHUB devices from external network access; place them behind a segmented, monitored DMZ or internal network only accessible by trusted management stations.
## Detection
- Monitor for any administrative commands (reconfiguration, firmware updates) hitting the device management ports that do not include valid authentication tokens.
## References
- NVD entry for CVE-2025-13510.