ICS/OT

Infinite Automation Patches Flaws in SCADA/HMI Product

Infinite Automation Systems has released a new version of its Mango Automation product to address a series of vulnerabilities that can be leveraged for various types of malicious attacks.

<p><strong><span><span>Infinite Automation Systems has released a new version of its Mango Automation product to address a series of vulnerabilities that can be leveraged for various types of malicious attacks.</span></span></strong></p>

Infinite Automation Systems has released a new version of its Mango Automation product to address a series of vulnerabilities that can be leveraged for various types of malicious attacks.

Infinite Automation is a Lafayette, Colorado-based company that specializes in human-machine interface (HMI) and supervisory control and data acquisition (SCADA) solutions. The company’s flagship product, Mango Automation, is designed to serve as an end-to-end SCADA/HMI solution, and as a platform for building custom applications.

According to ICS-CERT, Gjoko Krstic of Zero Science Lab and Steven Seeley of Source Incite have independently discovered multiple vulnerabilities affecting Mango Automation versions 2.5.0 through 2.6.0 beta.

Based on CVSS scores assigned by ICS-CERT, the most serious issues are an OS command injection and a cross-site request forgery (CSRF) flaw, which have been assigned the CVE-2015-7901 and CVE-2015-6493 identifiers and a score of 6.3.

Interestingly, according to ICS-CERT, Mango Automation 2.6.0 build 430 patches all the vulnerabilities reported by Seeley and Krstic, except for these CSRF and OS command injection flaws. A new variant of the software that should resolve these issues is expected to be released in December. Until then, users are advised to implement mitigations.

The other problems found by the researchers are unrestricted file upload (CVE-2015-7904), information exposure (CVE-2015-7900, CVE-2015-7902), SQL injection (CVE-2015-7903), and cross-site scripting (CVE-2015-6494) vulnerabilities.

Advertisement. Scroll to continue reading.

ICS-CERT says exploits for these vulnerabilities, which can be abused even by an attacker with low skill, are publicly available.

Siemens Patches Flaw in RuggedCom Devices

Siemens has released firmware updates to address a vulnerability affecting RuggedCom devices running the company’s rugged operating systems ROS and ROX. The issue is an improper ethernet frame padding flaw (CVE-2015-7836) that could lead to data leakage.

“IEEE 802 specifies that packets have a minimum size of 56 bytes. The Ethernet driver is expected to fill the data field with octets of zero for padding when packets are less than 56 bytes. Resident memory and other data are used for padding in some implementations that could cause information leakage,” ICS-CERT explained in an advisory. “This attack is passive; the attacker can only see data that the affected device sent out as part of a packet.”

The flaw, reported by David Formby and Raheem Beyah of Georgia Tech, has been patched with the release of firmware version 4.2.1.

Related Reading: Flaws in Rockwell PLCs Expose Operational Networks

Related Content

ICS/OT

The 2026 Industrial Control Systems (ICS) Cybersecurity Conference takes place October 6-8, 2026, at the W Nashville.

ICS/OT

The US government has warned that Iran-linked hackers are manipulating PLCs and SCADA systems to cause disruption.

ICS/OT

Join us as speakers from Cisco outline important steps industrial organizations can take to safeguard operations, achieve compliance, and enable sustainable growth.

ICS/OT

Over 20 advisories have been published by industrial giants this Patch Tuesday.

ICS/OT

Honeywell has patched several critical and high-severity vulnerabilities in its Experion PKS  industrial process control and automation product.

ICS/OT

Industrial solutions providers Siemens, Schneider Electric and Phoenix Contact have released July 2025 Patch Tuesday ICS security advisories.

ICS/OT

Censys researchers follow some clues and find hundreds of control-room dashboards for US water utilities on the public internet.

ICS/OT

More than 100 AutomationDirect MB-Gateway devices may be vulnerable to attacks from the internet due to CVE-2025-36535.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version