Security

Delta Electronics ISPSoft

CISA
Security
link

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.4
  • ATTENTION: Low attack complexity
  • Vendor: Delta Electronics
  • Equipment: ISPSoft
  • Vulnerabilities: Stack-based Buffer Overflow, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could result in an attacker executing arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ISPSoft are affected:

  • ISPSoft: Versions 3.19 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Delta Electronics ISPSoft Versions 3.19 and prior are vulnerable to a stack-based buffer overflow vulnerability that could allow an attacker to leverage debugging logic to execute arbitrary code when parsing CBDGL files.

Rockwell Automation ThinManager

CISA
Security
link

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Rockwell Automation
  • Equipment: ThinManager
  • Vulnerabilities: Improper Restriction of Operations within the Bounds of a Memory Buffer, Incorrect Default Permissions

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to escalate privileges and cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of ThinManager, a software management platform, are affected:

CISA Adds Three Known Exploited Vulnerabilities to Catalog

CISA
Security
link

CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

  • CVE-2025-1976 Broadcom Brocade Fabric OS Code Injection Vulnerability
  • CVE-2025-42599 Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability
  • CVE-2025-3928 Commvault Web Server Unspecified Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

ALBEDO Telecom Net.Time - PTP/NTP Clock

CISA
Security
link

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.5
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: ALBEDO Telecom
  • Equipment: Net.Time - PTP/NTP clock
  • Vulnerability: Insufficient Session Expiration

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of Net.Time - PTP/NTP clock is affected:

  • Net.Time - PTP/NTP clock (Serial No. NBC0081P): Software release 1.4.4

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT SESSION EXPIRATION CWE-613

The affected product is vulnerable to an insufficient session expiration vulnerability, which could permit an attacker to transmit passwords over unencrypted connections, resulting in the product becoming vulnerable to interception.

CISA Releases Seven Industrial Control Systems Advisories

CISA
Security
link

CISA released seven Industrial Control Systems (ICS) advisories on April 24, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Johnson Controls Software House iSTAR Configuration Utility (ICU) Tool

CISA
Security
link

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Johnson Controls Inc.
  • Equipment: iSTAR Configuration Utility (ICU)
  • Vulnerability: Stack-based Buffer Overflow

2. RISK EVALUATION

Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Johnson Controls reports the following versions of ICU are affected:

  • ICU: Versions prior to 6.9.5

3.2 VULNERABILITY OVERVIEW

3.2.1 STACK-BASED BUFFER OVERFLOW CWE-121

Under certain circumstances, the ICU tool can have a buffer overflow issue.

Nice Linear eMerge E3

CISA
Security
link

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Nice
  • Equipment: Linear eMerge E3
  • Vulnerability: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary OS commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Nice Linear eMerge E3 are affected:

  • Linear eMerge E3: Versions 1.00-07 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-78

The Linear eMerge e3-Series through version 1.00-07 is vulnerable to an OS command injection vulnerability. A remote and unauthenticated attacker can execute arbitrary OS commands via the login_id parameter when invoking the forgot_password functionality over HTTP.

Planet Technology Network Products

CISA
Security
link

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/Low attack complexity
  • Vendor: Planet Technology
  • Equipment: Planet Technology Network Products
  • Vulnerabilities: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Use of Hard-coded Credentials, Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to read or manipulate device data, gain administrative privileges, or alter database entries.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Planet Technology products are affected:

Schneider Electric Modicon Controllers

CISA
Security
link

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 10.0
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Schneider Electric
  • Equipment: Modicon M580, Modicon M340, Modicon Premium, and Modicon Quantum
  • Vulnerabilities: Trust Boundary Violation, Uncaught Exception, Exposure of Sensitive Information to an Unauthorized Actor, Authentication Bypass by Spoofing, Improper Access Control, Reliance on Untrusted Inputs in a Security Decision, Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of these vulnerabilities may risk execution of unsolicited command on the PLC, which could result in a loss of availability of the controller.

Vestel AC Charger

CISA
Security
link

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 8.7
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Vestel
  • Equipment: AC Charger
  • Vulnerability: Exposure of Sensitive System Information to an Unauthorized Control Sphere

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker access to sensitive information, such as credentials which could subsequently enable them to cause a denial of service or partial loss of integrity of the charger.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of AC Charger are affected: