Four new Industrial Control Systems (ICS) advisories from the Cybersecurity and Infrastructure Security Agency (CISA) on September 2, 2025, highlight severe vulnerabilities in energy and manufacturing devices, including a critical flaw in SunPower PVS6 inverters that could allow an attacker within Bluetooth range to take full control of the device.
The advisories—identified as ICSA-25-245-01, ICSA-25-245-02, ICSA-25-245-03, and an Update A to ICSA-25-182-06—cover products from Delta Electronics, Fuji Electric, SunPower, and Hitachi Energy. Each advisory carries CVSS v4 scores ranging from 6.7 to a critical 9.4, signaling risks that span information disclosure, remote code execution, and denial of service. For Windows administrators managing engineering workstations that bridge corporate IT and operational technology (OT), these vulnerabilities demand immediate inventory checks and layered mitigations.
Background: Why ICS Advisories Matter Now
ICS advisories are CISA’s primary mechanism for alerting operators to vulnerabilities in industrial devices that—if exploited—can disrupt physical processes. The September 2 bundle exposes a pattern: parsing logic in engineering tools remains a favorite target, embedded Bluetooth interfaces widen the attack surface, and vendor coordination gaps force defenders to rely on compensating controls.
Engineering software like Delta’s EIP Builder and Fuji’s FRENIC-Loader typically run on Windows machines that double as configuration gateways to field equipment. A compromised workstation can become a launchpad for lateral movement into control networks. Meanwhile, the SunPower flaw underscores how hard-coded credentials in field devices create proximity-based threats with outsized impact—firmware replacement, grid setting manipulation, or complete production shutdown.
The Four Advisories at a Glance
| Advisory | CVE | CVSS v4 | Vulnerability Type | Affected Product |
|---|---|---|---|---|
| ICSA-25-245-01 | CVE-2025-57704 | 6.7 | XXE | Delta Electronics EIP Builder |
| ICSA-25-245-02 | CVE-2025-9365 | 8.4 | Deserialization of Untrusted Data | Fuji Electric FRENIC-Loader 4 |
| ICSA-25-245-03 | CVE-2025-9696 | 9.4 | Hard-Coded Credentials | SunPower PVS6 |
| ICSA-25-182-06 Update A | CVE-2025-2403 | 8.7 | Resource Allocation Without Limits/Throttling | Hitachi Energy Relion 670/650, SAM600-IO |
Detailed Breakdown
Delta Electronics: EIP Builder XXE (CVE-2025-57704)
Delta’s EIP Builder versions 1.11 and earlier contain an XML External Entity (XXE) processing flaw. Researcher Kimiya, working with Trend Micro’s Zero Day Initiative, reported the vulnerability, which CISA assessed with a CVSS v4 base score of 6.7. The attack vector is local—a user must open a maliciously crafted XML project file—but the consequences can be severe. Successful exploitation could exfiltrate sensitive files from the engineering workstation, including credentials or configuration data, enabling further compromise.
Delta has released version 1.12 to address the issue and recommends standard ICS hygiene: avoid untrusted files, isolate engineering networks, and use VPNs for remote access. The vendor advisory (Delta-PCSA-2025-00013) contains deployment guidance. The CVE is indexed in NVD and aggregators, confirming consistency with CISA’s report.
Risk for defenders: XXE bugs in engineering tools often go unpatched because workstations are overlooked in patch cycles. A single malicious project file opened by an engineer could leak Active Directory hashes or proprietary logic, turning a tool into an insider threat vector.
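As an added example (not code from CISA, Delta, or this article), the PowerShell function below pre-screens an XML project file for the declarations an XXE payload relies on and then confirms the file still parses with DTD processing prohibited, which is the check a quarantine step can run before an engineer opens the file. The quarantine share path in the usage comment is a placeholder.

```powershell
# Added example: screen an XML project file for XXE primitives before it reaches EIP Builder.
function Test-XmlProjectFile {
    param([Parameter(Mandatory)][string]$Path)

    $findings = [System.Collections.Generic.List[string]]::new()
    # Get-Content honours a BOM (UTF-8/UTF-16); a BOM-less UTF-16 file will still be caught
    # by the strict parse below, which reads the XML encoding declaration itself.
    $raw = Get-Content -LiteralPath $Path -Raw

    # A project file has no business carrying a DTD; parameter and external entities are the XXE building blocks.
    if ($raw -match '<!DOCTYPE')                        { $findings.Add('DOCTYPE declaration present') }
    if ($raw -match '<!ENTITY\s+%')                     { $findings.Add('parameter entity declaration') }
    if ($raw -match '<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b')  { $findings.Add('external entity (SYSTEM/PUBLIC)') }
    # file:/// and UNC literals are how an XXE payload reads local files or coerces an SMB authentication.
    if ($raw -match 'file:///|\\\\[A-Za-z0-9.-]+\\')     { $findings.Add('file:/// or UNC path literal') }

    # Parse with DTDs prohibited and no resolver: a file that only loads when DTDs are allowed
    # depends on entity expansion and should not be released to engineering.
    $settings = [System.Xml.XmlReaderSettings]::new()
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $settings.XmlResolver   = $null
    $reader = $null
    try {
        $reader = [System.Xml.XmlReader]::Create($Path, $settings)
        while ($reader.Read()) { }
    } catch {
        $findings.Add("fails strict parse: $($_.Exception.Message)")
    } finally {
        if ($reader) { $reader.Dispose() }
    }

    [pscustomobject]@{
        Path     = $Path
        Safe     = ($findings.Count -eq 0)
        Findings = $findings
    }
}

# Usage (placeholder path): screen everything in the quarantine share and list what was rejected.
# Get-ChildItem '\\quarantine\projects' -Recurse -Include *.xml |
#     ForEach-Object { Test-XmlProjectFile $_.FullName } |
#     Where-Object { -not $_.Safe } | Format-List
```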
Fuji Electric: FRENIC-Loader 4 Deserialization (CVE-2025-9365)
FRENIC-Loader 4 versions prior to 1.4.0.1 suffer from a deserialization of untrusted data vulnerability. CISA assigns a CVSS v4 score of 8.4 and warns that convincing a user to import a specially crafted file could lead to arbitrary code execution. The attack complexity is low, and while exploitation requires local interaction, the impact allows an attacker to run code on the Windows host with the privileges of the loader application.
At publication time, third-party indexing of CVE-2025-9365 was limited, making CISA’s advisory and direct vendor communication the authoritative sources. Fuji Electric’s loader utilities have a history of parsing-related flaws, suggesting that thorough fuzzing of project files is overdue.
Risk for defenders: Deserialization vulnerabilities are classic gateways. An attacker who phishes an engineer with a fake drive configuration file could gain a foothold on the workstation, then pivot to OT management consoles. Immediate steps include sandboxing project file imports and applying the vendor patch when available.
SunPower: PVS6 Hard-Coded Credentials (CVE-2025-9696)
The most alarming of the four advisories involves the SunPower PVS6 inverter/controller. According to CISA, the device’s Bluetooth Low Energy (BLE) servicing interface uses hard-coded credentials and encryption parameters. An unauthenticated attacker within Bluetooth range (typically 10–100 meters) can gain full device control, replace firmware, alter grid interface settings, or shut down production entirely. The CVSS v4 score is a critical 9.4.
Critically, SunPower did not respond to CISA’s coordination attempts. With no vendor fix available, CISA emphasizes compensating controls: network segmentation, disabling Bluetooth when feasible, and restricting physical access. Independent vulnerability databases confirm the CVE and severity, underscoring the urgency.
Risk for defenders: Hard-coded credentials in energy field gear are a nightmare scenario. A malicious actor with proximity could weaponize the device, causing power fluctuations or using it as a pivot point into broader grid management systems. Windows administrators must treat PVS6 units as high-risk endpoints, isolating them behind firewalls and disabling all unneeded wireless interfaces immediately.
Hitachi Energy: Relion/SAM600-IO Denial of Service (CVE-2025-2403)
CISA’s Update A to advisory ICSA-25-182-06 addresses an allocation-of-resources-without-limits-or-throttling flaw (CWE-770) in Hitachi Energy’s Relion 670/650 series protection relays and SAM600-IO modules. The vulnerability, tracked as CVE-2025-2403 with a CVSS v4 score of 8.7, can be triggered remotely to cause a denial-of-service condition that disrupts line distance protection and communication—potentially leading to grid instability.
The update clarifies fixed firmware versions referenced in Hitachi’s PSIRT notice. NVD and other aggregators corroborate the technical details, giving operators confidence in the remediation path.
Risk for defenders: Protection relays are the last line of defense in electrical substations. A remote DoS attack that mutes teleprotection signals could cascade into a larger outage. Hitachi’s fixed firmware must be applied during coordinated maintenance windows, with redundant protection schemes in place during the update.
What These Advisories Mean for Windows Administrators
Windows-based engineering workstations and HMIs are the most common bridges between IT and OT. The tools listed in these advisories—EIP Builder, FRENIC-Loader, and management consoles for Hitachi and SunPower devices—typically run on Windows. A successful exploit on any of these machines can hand an attacker privileged access to both corporate information and field control networks.
Key implications:
- Engineering workstations are now high-value targets. Treat them with the same rigor as servers: enforce endpoint detection and response (EDR), application allow-listing, and least-privilege user accounts.
- Network segmentation is mandatory. Isolate OT management networks from business LANs. Use jump servers and strict firewall rules to limit lateral movement.
- Bluetooth and wireless interfaces expand the attack surface. SunPower’s case proves that even short-range protocols can become global risks when devices are networked. Inventory all wireless-capable ICS assets and disable radios where possible.
- Vendor coordination gaps shift the operational burden onto you. When a vendor doesn’t engage, as with SunPower, you must assume full mitigation responsibility until a tested patch appears.
Actionable Remediation Checklist
- Inventory immediately: Identify every instance of Delta EIP Builder, Fuji FRENIC-Loader 4, SunPower PVS6, and Hitachi Relion/SAM600-IO in your environment. Record exact software and firmware versions.
- Apply vendor fixes where available:
  - Delta: Update EIP Builder to V1.12 or later.
  - Fuji: Monitor Fuji Electric security channels; apply the FRENIC-Loader 4 update when published.
  - Hitachi: Update to the fixed firmware versions listed in Hitachi PSIRT and CISA’s Update A.
  - SunPower: No patch exists; proceed immediately to compensating controls.
- Deploy compensating controls for SunPower PVS6:
  - Disable Bluetooth on all PVS6 units (via DIP switch or configuration if possible).
  - Place PVS6 devices behind a dedicated management VLAN with ingress/egress filtering.
  - Block unused ports (e.g., HTTP, Telnet) at the firewall.
  - Restrict physical access to PVS6 hardware and monitor for unexpected Bluetooth pairing events.
- Harden engineering workstations:
  - Enable EDR and application control (e.g., Windows Defender Application Control).
  - Sandbox or quarantine engineering project files before opening them in EIP Builder or FRENIC-Loader.
  - Use dedicated, up-to-date virtual machines for maintenance tasks.
- Segment and monitor:
  - Enforce jump-server architectures for all OT access.
  - Configure SIEM rules to alert on unusual firmware write operations, unauthorized SSH connections, or configuration changes on relays and inverters.
  - Deploy OT-specific IDS signatures where available.
- Engage vendors:
  - Contact SunPower support directly to demand a firmware roadmap and mitigation update.
  - Subscribe to all vendor PSIRT mailing lists for future notices.
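For the inventory step above, here is an added PowerShell example (not CISA’s or the vendors’ code) that reads the Uninstall registry keys on one or more Windows workstations and flags installs of the two engineering tools that fall below the fixed versions the advisories give (EIP Builder 1.12; FRENIC-Loader 4 1.4.0.1, taken from the affected range "prior to 1.4.0.1"). The DisplayName substrings are assumptions about how the installers register themselves; confirm them against a real install before trusting a clean result.

```powershell
# Added example: find vulnerable engineering-tool installs via the Windows Uninstall registry keys.
# DisplayName match strings are assumptions; fixed versions come from the advisories' affected ranges.
$Targets = @(
    @{ Match = 'EIP Builder';     Fixed = [version]'1.12';    Advisory = 'ICSA-25-245-01' }
    @{ Match = 'FRENIC-Loader 4'; Fixed = [version]'1.4.0.1'; Advisory = 'ICSA-25-245-02' }
)

function Get-AffectedEngineeringTools {
    param([string[]]$ComputerName = $env:COMPUTERNAME)

    # Both the 64-bit and WOW6432Node hives: most engineering tools are 32-bit installers.
    $scan = {
        $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion
    }

    foreach ($computer in $ComputerName) {
        if ($computer -eq $env:COMPUTERNAME) { $installed = & $scan }
        else { $installed = Invoke-Command -ComputerName $computer -ScriptBlock $scan }

        foreach ($app in $installed) {
            foreach ($t in $Targets) {
                if ($app.DisplayName -notlike "*$($t.Match)*") { continue }
                # [version] compares "1.11" and "1.11.0.0" sensibly; a string it cannot parse is
                # reported for manual review rather than silently treated as patched.
                $ver = $null
                if (-not [version]::TryParse($app.DisplayVersion, [ref]$ver)) {
                    $status = 'UNKNOWN - verify manually'
                } elseif ($ver -lt $t.Fixed) {
                    $status = 'VULNERABLE - update required'
                } else {
                    $status = 'patched'
                }
                [pscustomobject]@{
                    Computer = $computer
                    Product  = $app.DisplayName
                    Version  = $app.DisplayVersion
                    Advisory = $t.Advisory
                    Status   = $status
                }
            }
        }
    }
}

# Local run; pass -ComputerName with a list of engineering workstations to sweep them over WinRM.
Get-AffectedEngineeringTools | Format-Table -AutoSize
```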
Strengths and Limitations of the Advisories
Strengths:
- CISA’s advisories are concise and actionable, providing CVEs, CVSS v4 scores, affected version ranges, and direct links to vendor patches or PSIRT pages. This accelerates triage for security teams.
- The inclusion of mitigation guidance—even when a vendor fix is unavailable—gives operators a starting point for defense-in-depth.
Limitations:
- Vendor coordination was entirely absent in the SunPower case, leaving operators with no official patch and forcing heavy reliance on network controls.
- Some CVEs (notably Fuji’s CVE-2025-9365) had not yet propagated to all public aggregators at the time of release, which could delay automated scanning or asset correlation. Defenders must treat CISA and vendor bulletins as authoritative when third-party data is incomplete.
Critical Analysis: Why These Flaws Are a Big Deal Now
Industrial systems are no longer air-gapped. The convergence of IT and OT through remote maintenance, cloud telemetry, and wireless servicing features has expanded the attack surface dramatically. A Bluetooth exploit on a solar inverter today can lead to firmware replacement tomorrow—and that rewrite could introduce persistent backdoors or sabotage grid stability.
Attack economics favor low-complexity vectors. All four vulnerabilities require either local file interaction or adjacent network access, but social engineering and proximity alone can be trivial to achieve. The SunPower flaw, in particular, lowers the bar for kinetic impact: no malware needed, just BLE.
Finally, the patch cycle gap endures. Even with clear remedies from Delta and Hitachi, industrial environments demand careful maintenance scheduling. The window between patch release and deployment often spans weeks, during which attackers can weaponize the published details. Operators must compress that window wherever possible through pre-approved change windows and redundant system design.
Practical Recommendations for WindowsForum Readers
For IT professionals straddling the IT/OT divide, the September 2 advisories are not someone else’s problem. You own the tools that configure these devices, and you likely manage the Windows servers that aggregate their data. Here’s where to start:
- Run a targeted discovery scan using your endpoint management or OT asset platforms to pinpoint affected versions. If you lack an OT asset inventory, manually audit engineering workstations and known device firmware repositories.
- Prioritize by CVSS and attack vector. Begin with SunPower (CVSS 9.4) and Hitachi (CVSS 8.7) due to remote or proximity-based exploitation and potential operational impact.
- Treat Bluetooth as a critical vulnerability. Survey all field assets for BLE interfaces. If you cannot disable them, monitor for unexpected connections and enforce just-in-time servicing procedures.
- Assume file-based threats are inbound. For Delta and Fuji tools, train engineering staff to never open unverified project files and enforce application sandboxing on workstations.
- Integrate OT alerts into your SIEM. Many Windows security teams already correlate server and endpoint logs; extend that visibility to relay status changes, firmware uploads, and unusual authentication attempts on field devices.
Conclusion
The September 2, 2025 CISA ICS advisory release is a concentrated reminder that industrial security depends on a chain of software, firmware, and human practices—and each link is under active scrutiny by adversaries. Delta’s XXE flaw, Fuji’s deserialization bug, Hitachi’s resource exhaustion, and SunPower’s hard-coded BLE credentials form a portfolio of risk that spans the IT/OT spectrum.
Patch where you can, isolate where you cannot, and lock down every engineering workstation that touches these systems. The consequences of inaction range from stolen credentials to manipulated power grids, and the time to harden your posture is before exploitation shifts from proof-of-concept to campaign.
Treat these advisories as the operational priority they are. Inventory now, patch this week if possible, and enforce compensating controls for every device that lacks a vendor fix. In a converged IT/OT world, rigorous defense is not optional—it’s the only viable path.