CISA

CISA released five Industrial Control Systems (ICS) advisories on May 8, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-128-01 Horner Automation Cscape
• ICSA-25-128-02 Hitachi Energy RTU500 series
• ICSA-25-128-03 Mitsubishi Electric CC-Link IE TSN
   
• ICSA-25-093-01 Hitachi Energy RTU500 Series (Update A)
   
• ICSMA-25-128-01 Pixmeo OsiriX MD

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.2
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Hitachi Energy
• Equipment: RTU500 series
• Vulnerabilities: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'), Improper Validation of Specified Index, Position, or Offset in Input

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute cross-site scripting or trigger a denial-of-service condition on the affected device.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Hitachi Energy reports the following products are affected:

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.4
• ATTENTION: Low attack complexity
• Vendor: Horner Automation
• Equipment: Cscape
• Vulnerability: Out-of-bounds Read

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Horner Automation Cscape, a control system application programming software, are affected:

• Cscape: Version 10.0 (10.0.415.2) SP1

3.2 VULNERABILITY OVERVIEW

3.2.1 OUT-OF-BOUNDS READ CWE-125

Horner Automation Cscape version 10.0 (10.0.415.2) SP1 is vulnerable to an out-of-bounds read vulnerability that could allow an attacker to disclose information and execute arbitrary code on affected installations of Cscape.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.2
• ATTENTION: Exploitable remotely
• Vendor: Mitsubishi Electric
• Equipment: CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module, CC-Link IE TSN FPGA module, CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY
• Vulnerability: Improper Validation of Specified Quantity in Input

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to cause a denial-of-service condition on the affected products.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 9.3
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Pixmeo
• Equipment: OsiriX MD
• Vulnerabilities: Use After Free, Cleartext Transmission of Sensitive Information

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause memory corruption, resulting in a denial-of-service condition or to steal credentials.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Pixmeo products are affected:

• OsiriX MD: Versions 14.0.1 (Build 2024-02-28) and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 USE AFTER FREE CWE-416

The affected product is vulnerable to a use after free scenario, which could allow an attacker to upload a crafted DICOM file and cause memory corruption leading to a denial-of-service condition.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2024-6047 GeoVision Devices OS Command Injection Vulnerability
• CVE-2024-11120 GeoVision Devices OS Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 8.5
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: BrightSign
• Equipment: Brightsign Players
• Vulnerabilities: Execution with Unnecessary Privileges

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow for privilege escalation on the device, easily guessed passwords, or for arbitrary code to be executed on the underlying operating system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Products using the following versions of BrightSign OS are affected:

CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.

• CVE-2025-27363 FreeType Out-of-Bounds Write Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA released three Industrial Control Systems (ICS) advisories on May 6, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-126-01 Optigo Networks ONS NC600
• ICSA-25-126-02 Milesight UG65-868M-EA
• ICSA-25-126-03 BrightSign Players

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

View CSAF

1. EXECUTIVE SUMMARY

• CVSS v4 6.1
• ATTENTION: Exploitable remotely/low attack complexity
• Vendor: Milesight
• Equipment: UG65-868M-EA
• Vulnerability: Improper Access Control for Volatile Memory Containing Boot Code

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow any user with admin privileges to inject arbitrary shell commands.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of UG65-868M-EA, an industrial gateway, are affected:

• UG65-868M-EA: Firmware versions prior to 60.0.0.46

3.2 VULNERABILITY OVERVIEW

3.2.1 Improper Access Control for Volatile Memory Containing Boot Code CWE-1274

An admin user can gain unauthorized write access to the /etc/rc.local file on the device, which is executed on a system boot.