CISA Sounds Alarm with Eight New ICS Vulnerability Advisories
Washington D.C. - The Cybersecurity and Infrastructure Security Agency (CISA) issued a series of eight Industrial Control Systems (ICS) advisories on June 24, 2025, highlighting significant vulnerabilities in products from major vendors including Kaleris, Delta Electronics, Schneider Electric, ControlID, Parsons, MICROSENS, and Mitsubishi Electric. The alerts underscore the persistent and evolving cyber threats facing critical infrastructure sectors and the urgent need for robust security measures.
The advisories detail a range of flaws, from remote code execution and authentication bypass to cross-site scripting and the use of hard-coded credentials, affecting systems crucial to transportation, manufacturing, energy, and communications. By disseminating this information, CISA serves as an early warning system for public and private sector defenders of operational technology (OT). The potential consequences of exploitation are severe, ranging from operational disruptions and data theft to physical damage to assets.
Detailed Breakdown of the Advisories:
Kaleris Navis N4 Terminal Operating System: A cornerstone in container and cargo terminal management, the Navis N4 system was found to have two critical vulnerabilities. One allows for unauthenticated remote code execution through unsafe Java deserialization (CVE-2025-2566), while the other involves the cleartext transmission of sensitive information, including credentials (CVE-2025-5087). A successful exploit could lead to significant supply chain disruptions. Kaleris has released patches and urges users to update to the latest versions of the software.
Delta Electronics CNCSoft: This software, used for programming and managing CNC machines in the manufacturing sector, contains multiple out-of-bounds write vulnerabilities (CVE-2025-47724, CVE-2025-47725, CVE-2025-47726, CVE-2025-47727). These flaws could allow an attacker to execute arbitrary code if a user opens a malicious file. Notably, Delta Electronics does not plan to patch these vulnerabilities as the supported products have been discontinued. Users are advised to migrate to newer products.
Schneider Electric Modicon Controllers: Foundational to many industrial automation processes, several Modicon controller models are affected by vulnerabilities that could lead to denial-of-service, arbitrary code execution, or unauthorized data manipulation. The flaws include improper input validation (CVE-2025-3898, CVE-2025-3116), cross-site scripting (CVE-2025-3899, CVE-2025-3905, CVE-2025-3117), and uncontrolled resource consumption (CVE-2025-3112). Schneider Electric has released firmware updates for some of the affected models and is developing remediation plans for others.
Schneider Electric EVLink WallBox: With the growth of the electric vehicle sector, this advisory highlights path traversal and command injection vulnerabilities in the EVLink WallBox charging station. These could be exploited by an attacker to disrupt charging operations or manipulate data. As the product is discontinued, Schneider Electric recommends upgrading to the EVLink Pro AC.
ControlID iDSecure On-Premises: This physical access control system has three significant vulnerabilities: improper authentication (CVE-2025-49851), server-side request forgery (CVE-2025-49852), and SQL injection (CVE-2025-49853). Successful exploitation could allow attackers to bypass authentication, access sensitive data, and potentially compromise physical security. ControlID has released a patched version to address these issues.
Parsons AccuWeather Widget: A cross-site scripting vulnerability (CVE-2025-5015) was identified in the AccuWeather and Custom RSS widgets used in utility portals. This could allow an attacker to insert malicious links into the RSS feed. Parsons has already patched this vulnerability in all its managed instances.
MICROSENS NMP Web+: Used for environment monitoring and facility automation, this platform was found to have vulnerabilities including the use of hard-coded credentials (CVE-2025-49151), insufficient session expiration (CVE-2025-49152), and path traversal (CVE-2025-49153). These could allow an attacker to bypass authentication and gain system access. MICROSENS has released an updated version to mitigate these risks.
Mitsubishi Electric MELSEC-Q Series PLCs: This advisory is an update to a previous one, highlighting the ongoing risks associated with legacy Programmable Logic Controllers (PLCs). The update signals that these older systems, if unpatched, remain a viable target for attackers.
CISA's Recommendations and the Broader Context
Across all advisories, CISA strongly encourages users and administrators to review the technical details and apply the recommended mitigations without delay. General guidance includes:
* Minimizing network exposure for all control system devices and ensuring they are not accessible from the internet.
* Isolating control system networks from business networks using firewalls.
* Using secure remote access methods, such as Virtual Private Networks (VPNs), when necessary.
These advisories are a stark reminder of the expanding attack surface in an era of increasing digitalization. The convergence of IT and OT environments, coupled with the continued use of legacy systems, presents a complex challenge for defenders of critical infrastructure. Proactive vulnerability management, robust network defense, and collaboration between vendors, researchers, and asset owners are essential to mitigating these critical risks.