(Eduard Kovacs – SecurityWeek) – Industrial giants Siemens and Schneider Electric have released their March 2025 Patch Tuesday ICS security advisories. The cybersecurity agency CISA has also published two advisories.
Schneider Electric has published three new advisories to inform customers about three vulnerabilities affecting EcoStruxure products.
The most serious is a critical issue in Power Automation System User Interface and Microgrid Operation Large that can be exploited by an attacker to execute commands when the default password has not been changed.
The other vulnerabilities are a high-severity authentication bypass that can allow an attacker to take control of the EcoStruxure Power Automation System User Interface, and a medium-severity sensitive information disclosure issue in EcoStruxure Panel Server.
Siemens has published 11 new advisories, including several that describe critical vulnerabilities.
One of them is CVE-2024-56336, which is related to an unlocked bootloader in the Sinamics S200 servo drive system. It allows an attacker to inject malicious code or install untrusted firmware on a device.
A critical vulnerability has also been patched in the SiPass controller, which can be exploited to escalate privileges and execute arbitrary commands with root permissions. A high-severity privilege escalation flaw has also been patched in this product.
Critical and high-severity vulnerabilities that can allow authentication bypass have been fixed in Simatic, Industrial Edge for Machine Tools, Simit, and other products that use OPC UA.
Several OpenVPN issues, including critical flaws that allow arbitrary code execution, have been addressed in Sinema Remote Connect Client. A less serious OpenVPN issue has been addressed in Scalance devices.
Siemens has also informed customers about high-severity BIOS vulnerabilities in Simatic devices, and multiple potentially serious issues in Scalance LPE9403 products. Several high-severity vulnerabilities related to file parsing have been patched in Teamcenter Visualization and Tecnomatix Plant Simulation.
CISA published two new ICS advisories on Tuesday. One of them describes three vulnerabilities in two Optigo Networks capture tools. They include a critical authentication bypass flaw, and two high-severity issues that can allow an attacker to generate JWT sessions and impersonate the web application service and mislead victim clients.
The second advisory describes a Schneider Electric Uni-Telway Driver vulnerability that the vendor patched in February.
ICS Patch Tuesday March 2025: Security Advisories by CISA, Schneider Electric, Siemens
Industrial giants Siemens and Schneider Electric have released March 2025 Patch Tuesday ICS security advisories.
ICS Patch Tuesday September 2024: Advisories Published by ABB, Siemens, Schneider, CISA
For September 2024, two dozen ICS Patch Tuesday advisories were published by Siemens, Schneider Electric, CISA and ABB.
Siemens Warns Customers of New Meltdown, Spectre Variants
(Eduard Kovacs - SecurityWeek) - Siemens recently updated its security bulletin for the Meltdown and Spectre vulnerabilities to inform customers of the latest variants, specifically the ones known as LazyFP and Spectre 1.1. Several industrial control systems (ICS) vendors published security advisories for the CPU flaws shortly after they were disclosed in early January. Siemens published a bulletin on speculative side-channel vulnerabilities on January 11. In late May, the company updated its bulletin to include information about Variant 3a and Variant 4,
Vulnerabilities Expose Siemens Central Plant Clocks to Attacks
(SecurityWeek - Eduard Kovacs) Siemens informed customers on Tuesday that some of its SICLOCK central plant clocks are affected by several vulnerabilities, including ones that have been rated “critical.” Siemens SICLOCK devices are used to synchronize time in industrial plants. The central plant clock ensures stability in case of a failure or loss of reception at the primary time source. According to the German industrial giant, SICLOCK systems are affected by a total of six vulnerabilities. The security holes have been assigned
Critical Vulnerabilities Found in Siemens Building Automation, Telecontrol Products
(Eduard Kovacs / SecurityWeek) - Industrial giant Siemens this week warned that critical vulnerabilities have been found in some of its telecontrol and building automation products, and revealed that some SIMATIC systems are affected by a high severity flaw. One advisory published by the company describes several critical and high severity flaws affecting Siveillance and Desigo building automation products. The security holes exist due to the use of a vulnerable version of a Gemalto license management system (LMS). The bugs affect Gemalto