Industrial giants Siemens, Schneider Electric, Mitsubishi Electric, and Moxa have published new Patch Tuesday advisories for vulnerabilities found recently in their ICS products.
Siemens and Schneider Electric have each published six new advisories.
Each of Schneider’s new advisories addresses one vulnerability. The company has informed customers about high-severity issues in EcoStruxure IT Data Center Expert (hardcoded credentials), EcoStruxure Power Monitoring Expert and Power Operation (local arbitrary code execution), and EcoStruxure Automation Expert (command execution and full system compromise).
Medium-severity flaws have been patched by the company in Modicon controllers (DoS, account takeover via XSS) and EcoStruxure Foxboro DCS (remote code execution).
Siemens has addressed a critical stored XSS vulnerability in Simatic S7-1500 devices, and a potentially severe misconfiguration in Mendix applications.
Siemens has also informed customers about vulnerabilities introduced by the use of Fortinet, OpenSSL, and other third-party components.
High- and medium-severity issues have been patched by Siemens in the Sicam Siapp SDK, and a low-severity vulnerability has been fixed in Heliox EV chargers.
Mitsubishi Electric has published one new advisory to describe a remotely exploitable DoS vulnerability in its Numerical Control Systems, including C80, M800, M800V and M700V series products.
Earlier this month, the company informed customers about multiple remotely exploitable DoS flaws in MELSEC iQ-F Series controllers.
Moxa has published four new advisories, including three describing the impact of vulnerabilities discovered in Intel products. The fourth advisory informs customers that Moxa products are not affected by a recent GNU Inetutils vulnerability.
The cybersecurity agency CISA has also published ICS advisories this Patch Tuesday. The advisories inform the public about vulnerabilities in Ceragon Siklu MultiHaul and EtherHaul, Lantronix EDS3000PS and EDS5000, and Apeman cameras.
CISA has also published an advisory for a recently disclosed Honeywell building controller vulnerability. The vendor and the researcher who found the flaw have clashed over its impact.
Germany’s VDE-CERT has published advisories for Codesys, Janitza, and Weidmueller product vulnerabilities. Some of the Janitza and Weidmueller flaws can be exploited by remote, unauthenticated attackers to fully compromise the targeted system.

