
ICS Patch Tuesday: Vulnerabilities Addressed by Siemens, Schneider, Aveva, Phoenix Contact

Several vulnerabilities have been patched and mitigated across the industrial giants’ products.


Industrial giants Siemens, Schneider Electric, Aveva, and Phoenix Contact have published Patch Tuesday advisories informing customers about vulnerabilities found in their ICS/OT products.

Siemens has published eight new advisories. The company has released patches and mitigations for high-severity issues in Desigo CC, Sentron Powermanager, Simcenter Femap and Nastran, NX, Sinec NMS, Solid Edge, and Polarion products. A medium-severity flaw has been found in Siveillance Video Management Servers. 

Exploitation of the vulnerabilities can lead to unauthorized access, XSS, DoS, code execution, and privilege escalation. 

Siemens has also released an advisory that describes the lack of anti-tamper protections and modern exploit mitigation controls in the Siport desktop client application. “As a result, the application is susceptible to unauthorized modification and potential abuse,” the company explained.

Schneider Electric published two new advisories. One describes two high-severity flaws that can lead to DoS, information disclosure, or code execution in EcoStruxure Building Operation Workstation and WebStation.

The second advisory describes a critical issue that can result in DoS or code execution on SCADAPack RTUs.


Aveva has informed customers about a high-severity DoS vulnerability in PI Data Archive and a medium-severity unauthorized access issue in PI to Connect Agent.

Phoenix Contact has released an advisory to address a 2024 OpenSSL vulnerability. The advisory was also picked up by Germany’s VDE CERT, which also published an advisory for Wago managed switch flaws.

CISA published five new advisories on Patch Tuesday. They describe vulnerabilities in Yokogawa Fast/Tools, Zlan ZLAN5143D, and the Zoll ePCR mobile application, as well as the Aveva issues disclosed on Tuesday.

In the days leading up to Patch Tuesday, advisories were published by Mitsubishi Electric for vulnerabilities in Freqship-mini for Windows and Melsec iQ-R, and by Moxa for security holes in industrial computers and switches.



Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
