March brings a broad set of disclosures across a wide range of vendors and operational environments. Siemens leads with twelve advisories, several at critical severity. Schneider Electric’s set spans the EcoStruxure portfolio alongside a carried-forward critical update for ProLeiT infrastructure. CISA covers building automation, refrigeration, energy infrastructure, industrial serial gateways, and SCADA platforms, with several entries carrying no patch at time of publication. 

Two patterns define this month’s risk landscape. Pre-authentication vulnerabilities dominate the most severe entries, where network placement is the deciding factor for exploitability. Separately, the number of advisories with no available firmware fix is higher than in recent months, shifting the immediate burden to exposure control and architectural discipline rather than patch deployment. 

Note on CVSS Scores: March advisories reference a mix of CVSS v3.1 and CVSS v4.0 ratings. Where both are published, we’ve included both. Base scores alone don’t determine priority—reachability, authentication requirements, and the operational role of the affected asset matter at least as much. 

Schneider Electric 

Schneider Electric released seven advisories this month, including a carried-forward critical update for ProLeiT infrastructure and a set of new high-severity disclosures across the EcoStruxure platform: 

• SEVD-2026-013-01 – Multiple Third-Party Vulnerabilities in ProLeiT Plant iT/Brewmaxx 
  CVE: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819 | CVSS v3.1: 10.0 (CVE-2025-49844); no v4.0 score published 
  A Use After Free vulnerability in the Redis component of ProLeiT Plant iT/Brewmaxx v9.60 and above could allow remote code execution with elevated privileges. Additional CVEs cover integer overflow, code injection, and out-of-bounds read conditions. 
  Recommendation: Install patch ProLeiT-2025-001 on all Application Servers, VisuHubs, Engineering Workstations, and emergency-mode Workstations. Force secure Redis configuration templates and restart all patched systems. Patch available via ProLeiT Support. 

• SEVD-2026-069-04 – Code Injection Vulnerability in EcoStruxure Automation Expert 
  CVE: CVE-2026-2273 | CVSS v3.1: 8.2 | CVSS v4.0: 7.2 
  An authenticated user opening a malicious project file could trigger arbitrary command execution on the engineering workstation, potentially resulting in full system compromise. 
  Recommendation: Update to EcoStruxure Automation Expert v25.0.1 or later. Until patched, store solution and archive files only in directories protected by Windows file-system access controls and verify file authenticity before opening. 

• SEVD-2026-069-06 – Deserialization of Untrusted Data in EcoStruxure Power Monitoring Expert and Power Operation 
  CVE: CVE-2025-11739 | CVSS v3.1: 7.8 | CVSS v4.0: 8.5 
  A locally authenticated attacker sending a crafted data stream can trigger unsafe deserialization, leading to arbitrary code execution with administrative privileges. Affects PME versions 2022–2024 R2 and EPO Advanced Reporting and Dashboards Module versions 2022 and 2024. 
  Recommendation: Apply available hotfixes for PME 2023 R2 and 2024 R2, or upgrade to PME 2024 R3. For end-of-life versions (PME 2022, EPO 2022), enforce network isolation, Windows firewall rules, complex password policies, and least privilege access controls. Contact Schneider Electric Customer Care for hotfixes. 

• SEVD-2025-014-07 – FlexNet Publisher Local Privilege Escalation Affecting Multiple EcoStruxure Products 
  CVE: CVE-2024-2658 | CVSS v3.1: 7.8 | CVSS v4.0: 8.5 
  An uncontrolled search path element in the Revenera FlexNet Publisher component affects a wide range of EcoStruxure products including Control Expert, Process Expert, Machine Expert, OPC UA Server Expert, and Vijeo Designer. A local attacker could exploit this to execute a malicious DLL with elevated privileges. This update adds remediations for EcoStruxure Machine Expert and Machine Expert Twin. 
  Recommendation: Update to fixed versions per product where available. Where no fix exists yet, limit authenticated user access to the workstation and enforce User Account Control practices. 

• SEVD-2026-013-04 – Multiple Vulnerabilities in EcoStruxure Power Build Rapsody 
  CVE: CVE-2025-13845, CVE-2025-13844 | CVSS v3.1: 7.8 (CVE-2025-13845) | CVSS v4.0: 8.4 
  A Use After Free vulnerability (CVE-2025-13845) allows remote code execution when importing a malicious SSD project file. A related Double Free (CVE-2025-13844) can cause heap memory corruption under the same conditions. 
  Recommendation: Update to the fixed regional versions listed in the advisory. Until patched, restrict project files to trusted sources and scan externally created files before opening. 

• SEVD-2026-069-05 – Hard-coded Credentials in EcoStruxure IT Data Center Expert 
  CVE: CVE-2025-13957 | CVSS v3.1: 7.2 | CVSS v4.0: 7.5 
  When the SOCKS Proxy feature is enabled and administrator credentials are known, hard-coded PostgreSQL credentials in EcoStruxure IT Data Center Expert v9.0 and prior could be exploited for information disclosure and remote code execution. 
  Recommendation: Upgrade to v9.1. If immediate patching isn’t possible, ensure SOCKS Proxy remains disabled and follow the hardening guidelines in the EcoStruxure IT Data Center Expert Security Handbook. 

• SEVD-2026-069-03 – Deserialization of Untrusted Data in EcoStruxure Foxboro DCS 
  CVE: CVE-2026-1286 | CVSS v3.1: 6.5 | CVSS v4.0: 7.0 
  An admin-authenticated user opening a malicious project file in EcoStruxure Foxboro DCS versions prior to CS8.1 could trigger loss of confidentiality and integrity, with potential for remote code execution on the compromised workstation. 
  Recommendation: Upgrade to Foxboro DCS CS8.1 (free upgrade for existing customers with FX-V3 license—contact your Schneider Electric Field Service Representative). Until patched, open only trusted project files, hash-verify regularly, encrypt at rest, and use secure protocols for file transfer. 

Foxguard Insight: The EcoStruxure portfolio’s attack surface extends well beyond the controller, and this month’s Schneider advisories reflect that clearly. Project file handling, deserialization paths, and third-party components like FlexNet and Redis keep surfacing as pressure points across the portfolio. Most of these advisories require either local access or a user interaction step, which makes controlling what enters the engineering environment as important as patching it. Engineering workstations should be treated as privileged assets—file intake paths restricted, project repositories access-controlled and auditable, and informal transfer routes closed off. 

Siemens 

Siemens published thirteen advisories this month, with significant concentration around FortiGate NGFW components on RUGGEDCOM hardware, SINEC OS third-party vulnerabilities across three separate OS branches, and a no-fix-available stored XSS in the S7-1500: 

• SSA-212953 – Multiple Vulnerabilities in COMOS 
  CVE: Multiple (see advisory) | CVSS v3.1: 10.0 | CVSS v4.0: 9.2 
  Multiple issues in COMOS could allow arbitrary code execution, denial of service, data infiltration, and access control violations depending on the affected component and deployment scenario. 
  Recommendation: Update to fixed releases and apply Siemens hardening guidance for COMOS engineering environments. 

• SSA-089022 – Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.3 
  CVE: Multiple (see advisory) | CVSS v3.1: 10.0 | CVSS v4.0: 8.2 
  SINEC OS versions prior to V3.3 include third-party components with critical vulnerabilities affecting RUGGEDCOM and SCALANCE product families, including paths to unauthenticated remote code execution. 
  Recommendation: Upgrade to SINEC OS V3.3 or later per Siemens remediation guidance. 

• SSA-430425 – Multiple Vulnerabilities in SINEC Security Monitor before V4.9.0 
  CVE: Multiple including CVE-2026-27661 (see advisory) | CVSS v3.1: 9.9 | CVSS v4.0: 9.4 
  The most critical vulnerability allows an authenticated low-privileged remote attacker to execute arbitrary code with root privileges via improper validation of user input to the ssmctl-client command. A second issue allows privileged OS command execution locally. Additional weaknesses include path traversal and permissive input validation. 
  Recommendation: Update to SINEC Security Monitor V4.9.0 or later and restrict network access to the SINEC Security Monitor server. 

• SSA-975644 – Multiple Vulnerabilities in FortiGate NGFW on RUGGEDCOM APE1808 Devices 
  CVE: Multiple (see advisory) | CVSS v3.1: 9.8 (no v4.0 score published) 
  The most severe vulnerability is an authentication bypass (CWE-288) that could allow unauthenticated remote attackers to gain access. Additional CVEs cover HTTP request/response smuggling, improper verification of communication source, and use of externally-controlled format strings. 
  Recommendation: Consult and implement the workarounds provided in Fortinet’s upstream security notifications for each CVE. 

• SSA-770770 – Multiple Vulnerabilities in FortiGate NGFW Before V7.4.7 on RUGGEDCOM APE1808 Devices 
  CVE: Multiple (see advisory) | CVSS v3.1: 9.8 | CVSS v4.0: 9.1 
  An accumulation of FortiGate NGFW vulnerabilities affecting RUGGEDCOM APE1808 deployments, spanning heap-based buffer overflows, missing authentication for critical functions, and SSL-VPN weaknesses. 
  Recommendation: Upgrade FortiGate NGFW to V7.4.7 or later. Apply Fortinet upstream workarounds for CVEs where no firmware fix is yet available. 

• SSA-082556 – Vulnerabilities in the Additional GNU/Linux Subsystem of SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1.5 
  CVE: Multiple (see advisory) | CVSS v3.1: 9.8 | CVSS v4.0: 8.7 
  The most critical vulnerability is a heap-based buffer overflow in the curl SOCKS5 proxy handshake. Additional high-severity CVEs cover stack-based buffer overflows, out-of-bounds writes, and use-after-free conditions across Linux kernel, OpenSSL, curl, glibc, and systemd components. 
  Recommendation: Apply available firmware updates per the advisory and restrict network access to the affected CPU. Refer to upstream CVE advisories for component-specific workarounds. 

• SSA-613116 – Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.1 
  CVE: Multiple (see advisory) | CVSS v3.1: 9.8 (no v4.0 score published) 
  Third-party component vulnerabilities in SINEC OS prior to V3.1 affect RUGGEDCOM and SCALANCE product families, with paths to unauthenticated remote code execution. 
  Recommendation: Update to SINEC OS V3.1 or later per Siemens remediation guidance. 

• SSA-452276 – Stored Cross-Site Scripting Vulnerability in SIMATIC S7-1500 
  CVE: CVE-2025-40943 | CVSS v3.1: 9.6 | CVSS v4.0: 9.4 
  An unauthenticated attacker who can upload a malicious trace file can inject persistent JavaScript into the S7-1500 web interface, executing in the browser of any authenticated user who views the affected page. No firmware fix is currently available. 
  Recommendation: Disable the PLC web server where not required and restrict access to TCP ports 80 and 443 to trusted IP addresses. Only upload trace files from trusted sources. 

• SSA-355557 – Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.2 
  CVE: Multiple (see advisory) | CVSS v3.1: 9.1 | CVSS v4.0: 6.9 
  Third-party component vulnerabilities in SINEC OS prior to V3.2 affect RUGGEDCOM and SCALANCE product families across high and critical severity outcomes. 
  Recommendation: Update to SINEC OS V3.2 or later per Siemens remediation guidance. 

• SSA-485750 – Multiple Vulnerabilities in SIDIS Prime Before V4.0.800 
  CVE: Multiple (see advisory) | CVSS v3.1: 8.7 | CVSS v4.0: 9.4 
  Multiple third-party component vulnerabilities in SIDIS Prime, including use of insufficiently random values enabling HTTP Parameter Pollution (CWE-330), cross-site scripting, OS command injection, uncontrolled recursion leading to denial of service, and information disclosure. 
  Recommendation: Update SIDIS Prime to V4.0.800 or later and restrict network access to SIDIS Prime deployments. 

• SSA-201595 – Privilege Escalation in WIBU CodeMeter Runtime Affecting Desigo CC and SENTRON Powermanager 
  CVE: CVE-2025-40937 | CVSS v3.1: 8.2 | CVSS v4.0: 8.2 
  A Least Privilege Violation in WIBU CodeMeter Runtime could allow a local attacker with high privileges to escalate to SYSTEM-level, resulting in full host compromise across affected Desigo CC and SENTRON Powermanager deployments. 
  Recommendation: Update WIBU CodeMeter Runtime to a version later than V8.30a (currently V8.40) per Siemens’ update instructions and restart affected services. 

• SSA-868571 – Missing Server Certificate Validation in IAM Client 
  CVE: CVE-2025-27406 | CVSS v3.1: 7.4 | CVSS v4.0: 9.1 
  Missing server certificate validation in the Siemens IAM Client affects a broad range of products including NX, Simcenter X, Solid Edge, and SiemensIQ platform products. An unauthenticated attacker in a man-in-the-middle position could intercept and manipulate communications between client and IAM server. 
  Recommendation: Update to fixed versions per product as listed in the advisory. Where fixes are not yet available, restrict network access to IAM communication paths. 

• SSA-903736 – Multiple Vulnerabilities in SICAM SIAPP SDK before V2.1.7 
  CVE: CVE-2026-25569, CVE-2026-25570, CVE-2026-25571, CVE-2026-25572, CVE-2026-25573, CVE-2026-25605 | CVSS v3.1: 7.4 (CVE-2026-25573) | CVSS v4.0: 8.6 
  A relative path traversal vulnerability (CVE-2026-25573) allows an authenticated remote attacker to read arbitrary files from the underlying Linux file system of SICAM A8000 series devices. A secondary improper input validation issue (CVE-2026-25571) allows authenticated file writes to arbitrary locations. 
  Recommendation: Update SICAM SIAPP SDK to V2.1.7 or later. Restrict network access to SICAM A8000 devices and limit authenticated access to trusted users. 

Foxguard Insight: Three separate SINEC OS advisories covering V3.1, V3.2, and V3.3 branches in one month reflects how third-party component debt accumulates in complex platforms over time. If your RUGGEDCOM or SCALANCE deployments are not on the latest SINEC OS branch, known-exploitable vulnerabilities are present in devices that frequently sit at critical network boundaries. The two FortiGate NGFW advisories on APE1808 devices warrant separate attention—these are the firewall and VPN components operators rely on for zone separation, and an authentication bypass at that layer has direct implications for everything behind it. On SSA-452276: with no firmware fix available for the S7-1500 stored XSS, disabling the web server on PLCs that don’t need it removes the attack surface entirely and requires no maintenance window. 

ABB 

ABB published two advisories this month, both affecting the AC500 V3 PLC platform and its associated engineering software. 

• 3ADR011524 – AC500 V3 PLC Multiple Vulnerabilities 
  CVE: CVE-2025-2595, CVE-2025-41659, CVE-2025-41691 | CVSS v3.1: 8.3 | CVSS v4.0: 8.7 (CVE-2025-41659) 
  Three vulnerabilities affect all AC500 V3 PLC products (PM5xxx series) running firmware prior to v3.9.0. CVE-2025-41659 allows a low-privileged remote attacker to access the PKI folder via CODESYS protocol, enabling read and write access to certificates and cryptographic keys. CVE-2025-41691 allows an unauthenticated attacker to cause denial-of-service via a NULL pointer dereference. CVE-2025-2595 allows unauthenticated read of static visualization files via forced browsing. 
  Recommendation: Update AC500 V3 PLC firmware to version 3.9.0 via Automation Builder 2.9.0. No workarounds are available; patching is the only remediation. 

• 3ADR011525 – ABB Automation Builder Gateway for Windows with Insecure Defaults 
  CVE: CVE-2024-41975 | CVSS v3.1: 5.3 | CVSS v4.0: 6.9 
  The Automation Builder Windows gateway component listens on all network adapters on port 1217 by default, allowing unauthenticated remote attackers to discover connected AC500 PLCs. While PLC user management prevents direct access if enabled, this exposes PLC network topology to potential attackers. 
  Recommendation: Upgrade to Automation Builder 2.9.0 or later, which defaults the gateway to local access only. As an immediate workaround, set LocalAddress=127.0.0.1 in the [CmpGwCommDrvTcp] section of the gateway configuration file and restart the gateway service. 

Foxguard Insight: The higher-severity AC500 V3 finding involves CODESYS protocol access to PKI key material. If an attacker can read and write certificates and keys on a PLC, they undermine trust in everything that depends on those credentials—a consequence that goes beyond simple availability impact. The gateway discovery issue is lower-scored but operationally significant; topology exposure is frequently the groundwork for targeted attacks on OT infrastructure. Both issues are resolved by the same firmware update. 

Mitsubishi Electric 

Mitsubishi Electric published two advisories this month affecting Ethernet modules and CNC controllers. 

• Multiple Denial-of-Service Vulnerabilities in MELSEC iQ-F Series EtherNet/IP Module and Ethernet Module 
  CVE: CVE-2026-1874, CVE-2026-1875, CVE-2026-1876 | CVSS v4.0: 8.7 (no v3.1 score published) 
  Three denial-of-service vulnerabilities in the Ethernet function of MELSEC iQ-F Series modules allow a remote unauthenticated attacker to trigger uncontrolled receive buffer consumption via continuous UDP packets, causing a denial-of-service condition that requires a manual system reset to recover. Affects FX5-ENET/IP and FX5-EIP variants. 
  Recommendation: Update FX5-ENET/IP firmware to v1.107 or later for CVE-2026-1874. Fixed versions for FX5-EIP are scheduled for future release; no fix is planned for CVE-2026-1876. For all affected products: deploy firewalls or VPNs to prevent unauthorized access, apply IP filter functions to restrict access to trusted hosts, and restrict physical access to the hardware. 

• Denial-of-Service Vulnerability in Mitsubishi Electric CNC Series 
  CVE: CVE-2025-2399 | CVSS v3.1: 5.9 (no v4.0 score published) 
  A remote unauthenticated attacker can send specially crafted packets to TCP port 683, causing an out-of-bounds memory read and triggering an emergency shutdown on affected CNC controllers. A system reset is required for recovery. Affects M800V/M80V, M800/M80/E80, C80, M700V/M70V/E70 Series, and NC Trainer2 products. 
  Recommendation: Apply fixed firmware where available (M800V/M80V: version BC or later; M800/M80/E80: version FN or later). No fix is currently available for C80, M700V/M70V/E70, or NC Trainer2. For all products: deploy firewalls and VPNs, apply IP filtering on supported models, and restrict physical access. 

Foxguard Insight: Both advisories describe denial-of-service conditions that require manual recovery—in a production environment, that means unplanned downtime and a field visit. Several CNC product families have no fix available, and reachability of TCP port 683 from untrusted systems is the full extent of the exposure. Verify firewall rules are actively enforced rather than assumed and confirm IP filtering is applied on models that support it. 

Rockwell Automation 

Rockwell published one advisory this month—a carried-forward update to a long-standing critical vulnerability on the CISA Known Exploited Vulnerabilities catalog. 

• PN1550 – Authentication Bypass Vulnerability in Logix Controllers 
  CVE: CVE-2021-22681 | CVSS v3.1: 10.0 (no v4.0 score published) 
  A private key used by Studio 5000 Logix Designer to verify authenticity of Logix controller communications can be extracted, allowing a remote unauthenticated attacker to bypass authentication and make unauthorized changes to controller configuration and application code. No patch is available. Affects CompactLogix, ControlLogix, GuardLogix, DriveLogix, FlexLogix, SoftLogix, and associated RSLogix 5000 / Studio 5000 software. 
  Recommendation: Deploy CIP Security where supported; block TCP port 44818 from outside the ICS network; isolate controllers behind firewalls; use VPNs for remote access; monitor for unauthorized controller changes via FactoryTalk AssetCentre. 

Foxguard Insight: CVE-2021-22681 has been on the CISA KEV catalog since 2022 and remains unpatched. Its continued presence in monthly updates is a prompt to verify—not assume—that mitigations are still active. CIP Security deployment and TCP port 44818 restriction are the primary controls, but both need to be confirmed on live assets. If the affected Logix families in your environment haven’t been audited recently for network access paths, that work belongs on the list. 

CISA 

CISA released twelve ICS advisories this month, spanning building automation, SCADA platforms, industrial serial gateways, refrigeration systems, power monitoring, and energy infrastructure. 

• ICSA-26-069-03 – Honeywell IQ4x BMS Controller 
  CVE: CVE-2026-3611 | CVSS v3.1: 10.0 (no v4.0 score published) 
  When no user accounts have been created on Honeywell IQ4x BMS controllers, the full web HMI is accessible without authentication, allowing any remote attacker to create administrator accounts, gain full read/write control of HVAC systems, access sensitive configuration data, and cause denial-of-service conditions. A public proof-of-concept exploit exists. No patch is currently available. 
  Recommendation: Create a web user account via the U.htm interface immediately to force-enable authentication. Isolate all BMS devices in firewalled, segmented networks; disable remote access unless strictly necessary; audit for any internet-exposed IQ4x devices. 

• ICSA-26-055-01 – InSAT MasterSCADA BUK-TS 
  CVE: CVE-2026-21410, CVE-2026-22553 | CVSS v3.1: 9.8 (no v4.0 score published) 
  SQL injection (CVE-2026-21410) and OS command injection (CVE-2026-22553) vulnerabilities in InSAT MasterSCADA BUK-TS are both remotely exploitable without authentication, providing separate paths to arbitrary code execution on the SCADA platform. 
  Recommendation: Apply updates from InSAT. Restrict web interface access to trusted IP addresses; isolate MasterSCADA systems behind firewalls; disable web interface access where not required; monitor for unauthorized access attempts. 

• ICSA-26-069-02 – Lantronix EDS3000PS and EDS5000 
  CVE: CVE-2025-67039, CVE-2025-70082, CVE-2025-67041 (EDS3000PS); CVE-2025-67034 through CVE-2025-67038 (EDS5000) | CVSS v3.1: 9.8 (no v4.0 score published) 
  Hard-coded passwords, missing authentication for critical functions, and relative path traversal in Lantronix EDS3000PS and EDS5000 industrial serial-to-Ethernet device servers could allow an unauthenticated remote attacker to gain full device access, traverse file systems, or cause denial-of-service conditions. 
  Recommendation: Apply available firmware updates from Lantronix. Restrict network access, place devices behind firewalls and segment from IT networks, disable unused services, and change default credentials immediately. 

• ICSA-26-057-01 – Johnson Controls Frick Controls Quantum HD 
  CVE: CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660 | CVSS v3.1: 9.1 (no v4.0 score published) 
  Six vulnerabilities in Frick Controls Quantum HD firmware v10.22 and earlier can lead to pre-authentication remote code execution, information leakage, or denial of service. Vulnerability types include OS command injection, code injection, relative path traversal, and plaintext storage of a password. 
  Recommendation: Update firmware to version 10.23 or later. Minimize network exposure; isolate refrigeration control systems behind firewalls; use VPNs for any required remote access. 

• ICSA-26-050-02 – Valmet DNA Engineering Web Tools 
  CVE: CVE-2025-15577 | CVSS v3.1: 8.6 (no v4.0 score published) 
  A path traversal vulnerability in Valmet DNA Engineering Web Tools versions C2022 and earlier allows an unauthenticated remote attacker to manipulate the web maintenance service URL and read arbitrary files from the server, potentially exposing credentials and configuration data from the Valmet DNA automation platform. 
  Recommendation: Contact Valmet automation customer service for the available fix. Minimize network exposure of DNA Engineering Web Tools; ensure the web maintenance service is not internet-accessible; restrict to trusted hosts via firewall rules and use VPNs for remote access. 

• ICSA-26-050-01 – EnOcean SmartServer IoT 
  CVE: CVE-2026-20761, CVE-2026-22885 | CVSS v3.1: 8.1 (CVE-2026-20761); no v4.0 score published 
  A command injection vulnerability in EnOcean SmartServer IoT v4.60.009 and prior allows a remote unauthenticated attacker to achieve arbitrary OS command execution via crafted LON IP-852 management messages. A secondary memory corruption/leak vulnerability provides a further path to device compromise via malformed IP-852 messages. 
  Recommendation: Update SmartServer IoT firmware to v4.70 or later. Isolate devices behind firewalls; restrict LON IP-852 management interface access to trusted hosts; use VPNs for any required remote access. 

• ICSA-26-048-03 – GE Vernova Enervista UR Setup 
  CVE: Multiple (see advisory) | CVSS v3.1: 7.8 (no v4.0 score published) 
  Multiple vulnerabilities in GE Vernova Enervista UR Setup engineering software could allow a local attacker to execute arbitrary code via a malicious configuration file, potentially enabling unauthorized modification of relay protection settings in energy infrastructure. 
  Recommendation: Update to the latest available version. Only open configuration files from trusted sources. Restrict access to relay engineering workstations and apply network segmentation between engineering and protection relay networks. 

• ICSA-26-048-02 – Delta Electronics ASDA-Soft 
  CVE: Multiple (see advisory) | CVSS v3.1: 7.8 (no v4.0 score published) 
  Out-of-bounds read/write and heap-based buffer overflow conditions in Delta Electronics ASDA-Soft servo drive configuration software could allow an attacker to execute arbitrary code on the engineering workstation via a malicious project file. 
  Recommendation: Update ASDA-Soft to the latest available version. Only open project files from trusted sources. Restrict access to engineering workstations and apply standard OT network segmentation. 

• ICSA-26-064-01 – Delta Electronics CNCSoft-G2 
  CVE: CVE-2026-3094 | CVSS v3.1: 7.8 (no v4.0 score published) 
  An out-of-bounds write vulnerability (CWE-787) in Delta Electronics CNCSoft-G2 could allow arbitrary code execution when a user opens a malicious project file. This vulnerability requires local user interaction and is not remotely exploitable. 
  Recommendation: Update CNCSoft-G2 to the latest available version. Only open project files from trusted sources. Isolate engineering workstations from business networks. 

• ICSA-26-062-03 – Hitachi Energy RTU500 Product 
  CVE: CVE-2026-1773 and additional CVEs (see advisory) | CVSS v3.1: 7.5 (no v4.0 score published) 
  The most severe vulnerability (CVE-2026-1773, CWE-184) could allow a remote unauthenticated attacker to cause a denial-of-service condition or exploit memory corruption in RTU500 series devices used in critical energy infrastructure. Additional CVEs affect IEC 60870-5-104 and IEC 61850 communication functionality. 
  Recommendation: Apply firmware updates per RTU500 model as listed in the Hitachi Energy advisory. Restrict management interface access; use IEC 62351-3 TLS for secure communications where supported; apply network segmentation and firewall rules. 

• ICSA-26-057-09 – Yokogawa CENTUM VP R6, R7 CVE: CVE-2025-1924, CVE-2025-48023 | CVSS v3.1: 6.9 (CVE-2025-1924); 6.5 (CVE-2025-48023); no v4.0 score published 
  Two vulnerabilities in the Vnet/IP Interface Package for Yokogawa CENTUM VP R6 and R7 (versions R1.07.00 and earlier). CVE-2025-1924 could allow a remote attacker to cause denial-of-service or execute arbitrary programs via maliciously crafted packets. CVE-2025-48023 could allow process termination of the Vnet/IP software stack via crafted packets. 
  Recommendation: Update the Vnet/IP Interface Package to R1.08.00 or later. Apply network segmentation to isolate CENTUM VP systems; restrict access to Vnet/IP communication paths; monitor for abnormal DCS network traffic. 

• ICSA-26-062-02 – Hitachi Energy Relion REB500 Product 
  CVE: CVE-2026-2459, CVE-2026-2460 | CVSS v3.1: 6.8 (no v4.0 score published) 
  Two privilege-related vulnerabilities (CWE-267) in Hitachi Energy Relion REB500 protection relay versions up to 8.3.3.0 allow a remote authenticated attacker to leverage elevated privileges to perform unsafe actions, potentially disrupting protection functions in energy grid deployments. 
  Recommendation: Apply Hitachi Energy firmware updates as listed in the advisory. As a workaround, disable the Installer role and enable it only during firmware update processes. Restrict network access to protection relay management interfaces. 

Foxguard Insight: This month’s CISA list is operationally varied—building automation, refrigeration, power monitoring, energy protection relays, and industrial serial infrastructure all appear together. Three advisories have no patch available, and the Honeywell IQ4x carries a public proof-of-concept. For that advisory, creating a web user account is a single action that removes the unauthenticated access condition immediately. The cluster of project-file vulnerabilities across GE Vernova, Delta ASDA-Soft, and Delta CNCSoft-G2 is worth treating as a category: the trust model around how files enter engineering environments deserves the same attention as the software running them. 

Actionable Recommendations 

March’s disclosures span controllers, engineering software, network infrastructure, building automation, refrigeration systems, and energy protection devices. Several have no available patch, which shifts the immediate priority to exposure control alongside scheduled remediation. To reduce risk and maintain operational stability, Foxguard recommends: 

• Close pre-authentication exposure first. Honeywell IQ4x (CVSS 10.0, public PoC, no patch), InSAT MasterSCADA (CVSS 9.8), Lantronix EDS (CVSS 9.8), and the Johnson Controls Frick Quantum HD all present unauthenticated remote attack paths. Verify network placement and isolation for each. For IQ4x specifically, creating a web user account via U.htm removes the exposure immediately. 

• Verify Rockwell PN1550 mitigations are still active. CVE-2021-22681 has no patch and sits on the CISA KEV catalog. Confirm TCP port 44818 is blocked from outside the ICS network and CIP Security is deployed where supported. Confirm on live assets, not change records. 

• Work through the Siemens SINEC OS backlog across all three branches. Three separate advisories covering V3.1, V3.2, and V3.3 appeared in one month. Treat them as a coordinated remediation effort. A prior update to one branch doesn’t cover the others. Prioritize devices at network boundaries first. 

• Treat the FortiGate NGFW advisories on APE1808 as firewall-class risk. SSA-975644 and SSA-770770 affect zone separation devices. Apply Fortinet upstream workarounds now and schedule firmware upgrade to V7.4.7. 

• Restrict file intake paths into engineering environments. GE Vernova Enervista, Delta ASDA-Soft, Delta CNCSoft-G2, Schneider Automation Expert, and Power Build Rapsody all involve malicious project file exploitation this month. Access-controlled repositories, integrity checking, and removing informal transfer routes are practical controls that apply across all of them. 

• Patch and verify across the Schneider EcoStruxure set. ProLeiT-2025-001 is the only remediation for a CVSS 10.0 vulnerability. The FlexNet Publisher update now includes Machine Expert and Machine Expert Twin. Verify deployment against actual assets. 

During rollout, confirm patch versions on live assets rather than relying on change records alone, watch for unexpected service disruptions after restart, and keep segmentation controls in place until remediation is confirmed complete. 

How Foxguard Can Help 

March covers a lot of ground—protection relays, CNC controllers, engineering workstations, serial gateways, and building automation systems all in one month. Translating that into a working remediation plan means knowing which assets are actually in your environment, which patches are ready to deploy, and how to sequence the work without creating operational risk in the process. 

Foxguard works with operators to assess vulnerability impact against real asset inventories, build remediation plans that fit operational windows, and put interim controls in place where patching has to wait. Our solutions are built around the practical constraints of ICS and OT environments—where an unplanned outage has direct operational consequences and patch deployment rarely follows a straight line. 

FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture. 

FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk. 

FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance. 

FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security. 

FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity. 

Foxguard works alongside operators to make sense of a patch landscape that can quickly become overwhelming, providing analysis and context so teams can prioritize patching and hardening efforts effectively. 

Stay Ahead of Threats 

March’s advisories are a practical test of how well an organization knows its own environment. A BMS controller with a public exploit and no patch, a four-year-old authentication bypass still sitting open, a PLC web server with no firmware fix on the horizon—taken individually, none of these are new categories of risk. Taken together, they put real pressure on asset visibility and network boundary discipline. 

The teams that handle this well have done the groundwork: they know what’s deployed, what’s reachable, and they make deliberate calls about what gets patched in the current window versus what gets mitigated until the next. Consistent execution of that process is what stops risk from stacking up. 

If your team needs support turning this month’s advisories into a prioritized, defensible action plan, reach out to our experts today. 

Your security is our priority. Stay vigilant and stay protected. 

The post ICS Critical Patch Updates: March 2026  appeared first on Foxguard.

Together, those discussions illustrate how patch management is not a single activity, but a connected process that spans accurate asset identification, vulnerability intelligence, trusted patch sources, sandbox testing, documentation, and compliance alignment. These topics build on the earlier posts in this series—Asset Identification and OT Patching Solution Challenges—showing how foundational processes and risk awareness set the stage for effective supply chain management. 

In this post, we shift focus to one of the most frequently misunderstood areas of that process—the patch supply chain. Using a question-and-answer format, we address how Responsible Entities can verify patch authenticity, align patching practices with CIP-013 supply chain risk management requirements, and demonstrate compliance with CIP-010 when verification methods are limited or inconsistent. 

Best Practices for NERC CIP Patch Verification

What if a software vendor or device manufacturer does not provide a signature or hash for a patch or other update?  

How can a Responsible Entity verify integrity and authenticity? 

This situation occurs frequently, particularly in OT environments. One way to gain reasonable assurance that a patch is authentic and has not been tampered with in transit is to always download patches from a verified provider source. This includes bookmarking or otherwise preserving known, trusted URLs—whether they are the vendor’s official site or a managed patch aggregation service—rather than typing the URLs by hand or clicking search-engine results. 

If the patch source is a managed service (often referred to as a patch aggregator), the Responsible Entity should understand how the service verifies its sources. Where possible, source validation practices should be documented and included in contractual language or service-level agreements (SLAs). 

Examples of OT-focused patch aggregation tools include services such as Foxguard Patchintel, which centralizes vendor patch information, tracks OT-relevant updates, and provides visibility into patch availability across diverse environments. 

Patches should also be tested thoroughly in a sandbox or test environment, where anomalous behavior that might indicate compromise can be observed. In practice, this testing should occur regardless of whether the vendor provides a signature or a hash value. For organizations that want to maintain direct control over deployment while improving consistency and auditability, controlled patch deployment tools like Foxguard Deploy can help ensure patches are installed in a repeatable manner and aligned with approved change workflows. 

It is important to keep in mind the lessons learned from supply chain attacks such as SolarWinds: malware can be delivered through trusted, verified patches when upstream controls fail. This risk is explored in more detail in our previous blog post in the series, titled Choose your patch source(s) carefully!. Verification helps establish authenticity and integrity, but it does not guarantee that a patch is safe. 

How can patch supply chain security align with a CIP-013 supply chain risk management plan? 

Patch management is an important component of supply chain cyber security risk management. As a result, a NERC entity’s CIP-007 R2 patch management plan can reasonably be viewed as a subset of its CIP-013 supply chain cyber security risk management plan. 

The two plans should be aligned in several ways. 

1. Risk identification (CIP-013-2 R1) 

CIP-013-2 Requirement R1 requires the Responsible Entity to identify risks to the BES associated with “procuring and installing vendor equipment and software”. These risks should include patch-related risks, such as: 

1. Applying a patch without verifying identity, integrity, or both. 

2. A vendor’s software build environment being compromised, resulting in malware embedded in a signed patch (this is what happened in the SolarWinds attacks, described in our previous post, Choose your patch source(s) carefully!). 

3. A supplier failing to release a patch for a severe vulnerability before exploitation occurs. 

4. A vendor never developing a patch for a significant vulnerability. 

5. Failure to implement compensating controls for vulnerabilities that cannot be patched. 

2. Risk assessment (CIP-013-2 R1.1) 

Requirement R1.1 requires the Responsible Entity to assess risks to the BES from “procuring and installing vendor equipment and software”. The CIP-013 plan should describe how questionnaires or other evaluation methods are used to determine whether vendors have mitigated identified risks (listed above).  

Vendor questionnaires should be focused and intentional. Questions should only address risks the organization considers worth mitigating, and responses should be used to drive decisions or follow-up actions. 

3. Verification of software integrity and authenticity (CIP-013-2 R1.2.5) 

Requirement R1.2.5 requires “Verification of software integrity and authenticity of all software and patches provided by the vendor for use in the BES Cyber System and their associated EACMS and PACS.”  

Responsible Entities should document how they verify signatures and hash values when provided, as well as the steps taken to mitigate risk when vendors do not provide signatures or hashes. 

4. Risk mitigation and follow-through (CIP-013-2 R2) 

CIP-013-2 Requirement R2 requires the Responsible Entity to “…implement its supply chain cyber security risk management plan(s) specified in Requirement R1.” Identifying and assessing vendor risk is not sufficient; Responsible Entities must document the steps taken to mitigate identified risks. 

How do we prove verification of patch identity and integrity for CIP-010 R1.6? 

Although it is strongly recommended to include identity and integrity verification in a NERC entity’s CIP-007 R2 patch management plan, it is not explicitly required. However, verification is required under CIP-010 Requirement R1 Part 1.6.  

This requirement applies to all software added to systems in scope for R1 and states that, prior to a baseline change—and when the method to do so is available from the software source—the Responsible Entity must:  

• 1.6.1. Verify the identity of the software source; and  

• 1.6.2. Verify the integrity of the software obtained from the software source. 

The phrase “when the method to do so is available” makes it clear that Responsible Entities are not strictly required to take alternative verification steps when vendors do not provide signatures or hashes. However, as discussed earlier in the series, it is highly recommended to implement additional controls. 

From an audit perspective, there are two primary ways to provide evidence of compliance. The first is shown in the example in the Measures section, which reads: 

“An example of evidence may include, but is not limited to, a change request record that demonstrates the verification of identity of the software source and integrity of the software was performed prior to the baseline change or a process which documents the mechanisms in place that would automatically ensure the identity of the software source and integrity of the software.” 

This approach does not require documentation of every individual instance of verification. Instead, it allows the Responsible Entity to demonstrate compliance using either of the following approaches: 

a) a change request record that shows verification of identity and integrity before the software (or patch) was installed, or  

b) documented mechanisms that automatically ensure verification of the software source and software integrity.  

The second approach is to provide evidence similar to what would be required if this requirement were part of CIP-007 R2. This typically includes screenshots or other records showing that identity and integrity were verified for each patch prior to installation, consistent with CIP-007 Requirement R2 Part 2.2.  

The specific evidence retained will depend on how the supplier publishes hash values. Some suppliers include hashes in release notes, while others publish them on the same webpage where the patch is downloaded. In either case, Responsible Entities should retain the release notes or screenshots, along with documentation showing that the hash value was verified. 

If no hash is provided, a screenshot of the download site should be retained. The URL should match the documented update source, and the Responsible Entity should be prepared to demonstrate how the legitimacy of the site was verified. If a patch aggregation service is used, documentation describing how the service provider verifies the legitimacy of its download sources and files should also be retained. 

Moving forward together 

Understanding and documenting patch supply chains is a critical step toward NERC CIP compliance, but it does not, by itself, ensure complete security. Responsible Entities need to pair patch verification with broader supply chain risk management, clear asset visibility, and ongoing vulnerability monitoring to maintain a patch management program that is repeatable, auditable, and resilient. 

Even when vendors provide digital signatures or hash values, organizations still face practical questions. How do you verify identity when standard methods aren’t available? How do you evaluate the reliability of patch aggregation services? And how do you ensure that patch management aligns with CIP‑013 and CIP‑010 requirements? Addressing these demands successfully requires teams to work together, follow clear procedures, and validate every step. 

Tools and services that support patch intelligence, controlled deployment, and ongoing monitoring can help organizations operationalize these practices, whether implemented directly by internal teams or supported through managed services. 

In the next installment of the Decoding NERC CIP series, we will focus on vendor-approved patching. We will explore why OT systems require validated patches, how patch approval processes vary among OEMs, and practical strategies to ensure that every patch applied is traceable, consistent, and compliant. 

Taken together, these discussions move the series from verifying patch authenticity to ensuring that every patch applied is approved, safe, and aligned with operational and regulatory expectations. 

The post Decoding NERC CIP Series | Q&A: Secure Supply Chain for Patches  appeared first on Foxguard.

The post ICS Critical Patch Updates: February 2026  appeared first on Foxguard.

In earlier posts, we explored foundational topics such as asset identification under NERC CIP, the operational realities of patching OT systems, and risk-based approaches to patch prioritization. These posts build toward a holistic view of the NERC CIP compliance cycle, or “Virtuous Loop,” as discussed in “The Virtuous Loop & NERC CIP.” 

This post builds on that foundation by addressing a critical next question: where patches should come from, and why patch source selection matters for both compliance and operational safety. 

As always, you can listen to this discussion on our Decoding NERC CIP podcast, where we explore the same topics with OT and cyber security experts sharing real-world lessons. 

Why do we need to identify patch sources?  

Among cyber security regulations and compliance frameworks, NERC CIP is somewhat unique in explicitly requiring entities to identify their patch source. This was not always the case.  

In CIP versions 1-4, the patch management requirement did not address patch sources at all. At this time, it was implicitly assumed that patches would come directly from the software developer or hardware manufacturer. In the electric power industry, however, that assumption often does not hold. 

Electric utilities and Independent Power Producers (IPPs) frequently purchase “turnkey” systems that include preconfigured hardware and software. Before allowing a utility to apply a patch for software or firmware included in such a system, the systems integrator typically tests and approves the patch. Only after confirming that the patch will not affect overall system operation does the integrator release it to customers. In practice, this means that a Windows patch may come from the integrator rather than directly from Microsoft, even though the patch itself is unchanged.  

This reality created compliance challenges under CIP versions 1-4. CIP-007 R3 required patches to be assessed for applicability within 30 days of “availability”. Because integrators might not approve patches until weeks or months after the original vendor release, many entities could not strictly comply. From their perspective, a patch was not truly “available” until the integrator released it.  

Recognized NERC CIP Patch Sources and Requirements

When CIP version 5 was developed beginning in 2010 (and implemented in 2016), the drafting team addressed this issue directly. They allowed Responsible Entities to designate the source or sources from which they would obtain patches for specific software or hardware products. These sources could include the software developer, a systems integrator, or a qualified third-party patch provider.  

Today, CIP-007-6 Requirement R2 Part 2.1 requires Responsible Entities to identify “a source or sources for the release of cyber security patches for applicable Cyber Assets.”  This gives entities the flexibility to align their patching processes with how their systems are actually supported in practice.  

For example, an entity operating multiple systems built by different integrators may only apply a Windows patch to a given system once that system’s integrator has approved it, even if the same operating system is used elsewhere.  

This flexibility has also enabled the use of OT patch aggregation services. Many Responsible Entities now identify these organizations as patch sources for certain software products within their Electronic Security Perimeters (ESPs). Patch aggregators collect updates from multiple vendors and make them available through a single platform. In some cases, they also assist with validating patch provenance and integrity, which can support compliance with CIP-010-4 Requirement R1 Part 1.6.  Examples include tools such as Foxguard’s Patchintel, which aggregates and tracks OT-relevant patches, and Foxguard Deploy, which supports controlled, auditable patch deployment. 

These tools can be used independently by Responsible Entities that retain hands-on control of patch assessment and deployment, or as part of broader managed services where patch monitoring, validation, and execution are handled on the entity’s behalf. The distinction is important from both an operational and compliance perspective, as entities remain responsible for defining patch sources and maintaining evidence regardless of how the work is performed. 

What can happen if we apply an unverified patch?  

As discussed earlier in this series, OT environments amplify the consequences of patch-related failures due to availability and safety constraints. 

A vivid example of the risks associated with unverified patches is the Dragonfly attack. In 2022, the U.S. Department of Justice indicted ”three officers of Russia’s Federal Security Service (FSB)” for their involvement in Dragonfly, a supply chain attack that targeted updates to ICS and SCADA systems.   

According to reporting by The Register, “Legitimate updates to that software were infected with malware named ‘Havex’ that allowed the attackers to create back doors and scan networks for more targets. Over 17,000 devices were infected in the US alone. The indictment states that their efforts gave Russia the chance to ‘damage such computer systems at a future time of its choosing.’”  

Dragonfly was one of the first supply chain attacks on critical infrastructure. While it did not lead to any known physical damage to ICS or SCADA systems, it could easily have done so, had it not been detected so quickly.   

Importantly, Dragonfly involved tampered updates. If requirements like CIP-010-4 Requirement R1 Part 1.6 had been in effect at the time, verification of patch integrity through hash comparison likely would have revealed that the updates had been altered. From a NERC CIP perspective, incidents like this show us why patch source identification and verification are treated as formal requirements rather than best practices.  

Clearly, a lot of bad things (including, but not limited to, non-compliance) can happen if a NERC entity doesn’t verify the identity and integrity of software patches. 

Why verification alone isn’t enough  

While Dragonfly shows the risks of tampered delivery channels, SolarWinds demonstrates that even verified updates can be compromised. 

In December 2020, the world learned the hard way that verifying every patch or software update you receive is not enough to protect you from a breach. The SolarWinds attack (along with Stuxnet) ranks among the most complex cyberattacks in recent history.  

Approximately 18,000 organizations worldwide were compromised by this attack, including NATO, the European Parliament, the U.S. Department of Commerce, the Treasury Department, the National Nuclear Safety Agency, Microsoft, and VMWare. Sensitive data and emails were exfiltrated from about 200 of these organizations.  

The success of the attack stemmed from the perpetrators—assumed to be Russian—ability to insert the Sunburst malware into seven software updates for the SolarWinds Orion platform. This occurred during the software build process, undetected, so the malware became part of the official updates. Like all Orion updates, these were digitally signed by SolarWinds, and a SolarWinds-generated hash confirmed their integrity.   

As a result, customer systems automatically verified and installed the updates without suspicion. Unlike the Havex malware in the Dragonfly attack, which compromised the delivery channel, the Orion updates were authentic and untampered in transit. The identity of the source was confirmed, and the integrity of the software was intact. Since SolarWinds had no prior history of major cyber incidents and had successfully released hundreds of updates without issue, there was no reason for customers to suspect that seven updates were malicious.  

In retrospect, SolarWinds’ internal security program was seriously deficient, yet there was no practical way for customers to detect the compromise without a comprehensive third-party security audit. Because updates were applied automatically after verification, customers had little ability to prevent network compromise.  

Because SolarWinds themselves were unaware of the breach, customers could neither detect nor suspect it. Given the extraordinary efforts of the attackers, even the software developer may never fully know the extent of the compromise. Incidents like these reinforce a theme introduced earlier in this series: compliance-aligned patch processes reduce risk but cannot eliminate it entirely. 

So, what’s Plan B?  

From both a cyber security and compliance standpoint, the focus shifts from prevention alone to early detection, containment, and documented response. This approach echoes the Virtuous Loop concept, where continuous monitoring, threat detection, and timely remediation close the gap between patch deployment and operational resilience, as highlighted in “The Virtuous Loop & NERC CIP.” 

While end users cannot fully prevent sophisticated supply chain attacks like SolarWinds, they can take steps to detect compromise as early as possible. These include:  

• If the supplier of a software product you use announces they have been compromised and customers may be affected, follow their instructions to determine whether your organization has been impacted.  

• Best practices for detecting a compromise include:  

• Monitor for anomalous outbound network traffic from your networks, especially to unknown external domains or IP addresses.  

• Monitor inbound traffic for access attempts or network activity from unexpected locations or countries.  

• Watch for unusual activity by privileged accounts, such as attempts to escalate privileges, access multiple systems in a short time, or log in from unusual locations.  

• Be alert for unusual or high volumes of DNS requests.  

• Watch for unauthorized changes to system configurations, services being disabled (especially in security software), or new unknown local user accounts.   

• Steps to take if you suspect your network has been compromised:  

• Immediately power down compromised devices or disconnect them from the network.  

• Examine system and network logs to determine the extent of the compromise and to identify any lateral movement by the attackers.  

• Reset all credentials.  

• Engage your organization’s incident response team—or a qualified outside team—to manage containment and recovery efforts.  

What compliance evidence do auditors expect?  

For CIP-007-6 Requirement R2 Parts 2.1 and 2.2, auditors typically expect clear, dated documentation showing how patch sources are identified and monitored. Common practices include:  

1. Most entities use an Excel spreadsheet. All you need is a list of software from your system baselines, which should be readily available. Include operating systems, commercially available software, and any custom software. These baselines should already exist if asset identification has been performed in line with earlier CIP requirements discussed in this series. 

2. For each software item, identify the provider of any updates and the URL where patch information can be found. Note that not every item will necessarily have a URL, especially custom or home-grown software.    

3. SCADA/EMS vendors typically include the Windows or Linux operating system as part of an integrated delivery. Customers of the SCADA/EMS vendor do not get OS updates directly from the operating system provider; they wait for the SCADA/EMS vendor to test and certify compatibility with their application software.  

4. The SCADA/EMS vendor then packages the operating system into their product release. The 35-day clock for Requirement Part 2.2 starts when the identified provider announces the availability of the release package. 

5. Many NERC entities use commercially available patch management software, such as Foxguard. The patch management system identifies the applicable updates, which starts the 35-day install-or-mitigate clock in Part 2.2. As described in “Vulnerability Tools to Simplify Patching,” such tools not only track patch availability but also integrate with software inventories and vulnerability databases to streamline compliance and reduce manual effort.  

6. Auditors will normally request documentation of the patch sources and evidence that these sources are being monitored for updates. Evidence could include a patch management software report, vendor notices, or manual checks. All evidence must be dated.  

Moving forward together 

Identifying and documenting your NERC CIP patch sources is a critical foundation for compliance, but it does not eliminate all risk associated with software updates. Building on the Virtuous Loop framework, organizations can integrate patch source management with asset awareness, vulnerability tracking, and compliance reporting to create a repeatable, auditable, and resilient patch management program. 

Even when patch sources are well defined, Responsible Entities still face practical questions about verification, supplier practices, and how patch management fits into broader supply chain risk programs. 

In the next post in the Decoding NERC CIP series, we’ll take a question-and-answer approach to these challenges. We’ll address what to do when vendors do not provide signatures or hash values, how to evaluate the practices of patch aggregation services, and how patch management responsibilities align with CIP-013 supply chain security and CIP-010 verification requirements. 

Together, these discussions move the series from where patches come from to how organizations build confidence in the entire patch supply chain—from procurement through installation and audit. 

The post Decoding NERC CIP Series | Choose Your Patch Source(s) Carefully!  appeared first on Foxguard.

January’s cycle includes multiple critical disclosures affecting industrial edge platforms, engineering environments, controllers, and OT network infrastructure. Siemens reported two separate 10.0 authorization-bypass advisories tied to Industrial Edge, while Schneider Electric’s January set spans controller communications risks, third-party component exposure, and workstation-side project-file attack paths. ABB and Phoenix Contact advisories this month also reinforce a recurring theme: engineering tools and network devices remain high-value targets because they sit at pivotal trust boundaries in OT environments. 

Note on CVSS Scores: January’s advisories include a mix of CVSS v3.1 and CVSS v4.0 ratings. Where both scores are available, we’ve referenced them as published. Use these base scores to guide remediation priority alongside your site-specific exposure (reachable interfaces, trust zones, and operational criticality). 

Siemens 

Siemens released multiple high-severity advisories in January affecting Industrial Edge deployments, SCADA/telecontrol server software, and distributed I/O, along with an updated COMOS advisory that remains highly severe: 

• SSA-001536 – Authorization Bypass Vulnerability in Siemens Industrial Edge Devices 
  CVE: CVE-2025-40805 | CVSS v4.0: 10.0 (v3.1: 10.0) 
  An authorization bypass could allow an unauthenticated remote attacker to circumvent authentication and impersonate a legitimate user. 
  Recommendation: Update to fixed versions where available; where fixes are not yet available, apply Siemens’ advisory countermeasures (segmentation and limiting exposure of management interfaces). 

• SSA-014678 – Authorization Bypass Vulnerability in Industrial Edge Device Kit 
  CVE: CVE-2025-40805 | CVSS v4.0: 10.0 (v3.1: 10.0) 
  A related authorization bypass could enable an unauthenticated attacker to bypass authentication and impersonate a legitimate user. 
  Recommendation: Update to fixed versions where available; where “no fix planned” is stated, follow Siemens’ mitigation guidance (hardening and restricting exposure/administrative access). 

• SSA-192617 – Local Privilege Escalation Vulnerability in TeleControl Server Basic (before V3.1.2.4) 
  CVE: CVE-2025-40942 | CVSS v4.0: 7.3 (v3.1: 8.8) 
  A local privilege escalation could allow an attacker to run arbitrary code with elevated privileges. 
  Recommendation: Update TeleControl Server Basic to V3.1.2.4 or later. 

• SSA-674753 – Denial-of-Service Vulnerability in ET 200SP 
  CVE: CVE-2025-40944 | CVSS v4.0: 8.7 (v3.1: 7.5) 
  A crafted S7 Disconnect Request may render the device unresponsive, requiring a power cycle. 
  Recommendation: Apply Siemens guidance to restrict access to affected interfaces/protocol paths, enforce segmentation, and apply product updates when available. 

• SSA-212953 – Multiple Vulnerabilities in COMOS (Update) 
  CVE: CVE-2024-47875, CVE-2025-2783, CVE-2025-40800, CVE-2025-40801, CVE-2024-11053, CVE-2025-10148 | CVSS v4.0: 9.2 (v3.1: 10.0) 
  Multiple vulnerabilities affecting COMOS could enable outcomes including code execution, denial-of-service, data infiltration, and access control violations. 
  Recommendation: Update to Siemens’ fixed releases and apply Siemens hardening guidance for engineering environments. 

Foxguard Insight: Siemens’ Industrial Edge advisories this month are a reminder that edge platforms often sit in a privileged position between IT and OT. An authorization bypass at that layer can undermine other controls quickly if management interfaces are reachable from broad networks. Prioritize remediation and, in parallel, tighten exposure of edge management services, restrict administrative access paths, and confirm segmentation is enforced as designed. 

Schneider Electric 

Schneider Electric’s January disclosures span third-party component exposure, controller communications risks, and engineering workstation attack paths involving project files: 

• SEVD-2026-013-01 – Multiple Third-Party Vulnerabilities on ProLeiT Plant iT/Brewmaxx 
  CVE: CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819 | CVSS v3.1: 10.0 (CVE-2025-49844) 
  Multiple third-party issues (including Redis-related exposure) could enable privilege escalation leading to remote code execution. 
  Recommendation: Apply Patch ProLeiT-2025-001 (disables Redis eval commands) on Application Server/VisuHub/Engineering workstations and restart systems; follow Schneider hardening guidance. 

• SEVD-2024-317-03 (v3.0.0) – Modicon Controllers M340 / Momentum / MC80 (Update) 
  CVE: CVE-2024-8937, CVE-2024-8938, CVE-2024-8936 | CVSS v4.0: up to 9.2 
  Modbus-related issues could allow loss of confidentiality/integrity and potentially arbitrary code execution under specific conditions. 
  Recommendation: Upgrade firmware (M340 SV3.65, Momentum SV2.80, MC80 SV2.1); segment networks; restrict TCP/502; apply ACL and hardening guidance. 

• SEVD-2025-014-06 (v2.0.0) – RemoteConnect and SCADAPack™ x70 Utilities (Update) 
  CVE: CVE-2024-12703 | CVSS v4.0: 8.5 (v3.1: 7.8) 
  Deserialization of untrusted data could lead to loss of confidentiality/integrity and potential workstation-side code execution when opening a malicious project file. 
  Recommendation: Update RemoteConnect to R3.4.2; until other remediation is available, only open trusted project files, verify hashes, encrypt and restrict access, and use secure transfer protocols. 

• SEVD-2026-013-04 – Multiple Vulnerabilities on EcoStruxure Power Build Rapsody 
  CVE: CVE-2025-13845, CVE-2025-13844 | CVSS v4.0: 8.4 (v3.1: 7.8) 
  Memory corruption issues could allow code execution when importing a malicious Rapsody project (SSD) file. 
  Recommendation: Upgrade to fixed versions listed in the advisory and restart services; if not patched, restrict project files to trusted sources and scan for malware. 

• SEVD-2026-013-02 – Incorrect Default Permissions Vulnerability on EcoStruxure™ Process Expert 
  CVE: CVE-2025-13905 | CVSS v3.1: 7.3 (v4.0: 7.0) 
  Incorrect default permissions could enable privilege escalation through modification of service binaries (triggered on restart). 
  Recommendation: Apply Schneider remediation steps/upgrades and enforce workstation hardening and least privilege. 

• SEVD-2025-189-03 – EcoStruxure™ Power Operation (PostgreSQL-related) 
  CVE: CVE-2023-50447, CVE-2024-28219, CVE-2022-45198, CVE-2023-5217, CVE-2023-35945, CVE-2023-44487 | CVSS v3.1: 7.5 (per NVD for CVE-2023-44487) 
  Multiple PostgreSQL dependency CVEs impacting EcoStruxure Power Operation; remediation centers on updating the bundled PostgreSQL version. 
  Recommendation: Upgrade to EPO 2024 CU2; otherwise restrict PostgreSQL to localhost/uninstall if unused or manually upgrade PostgreSQL per advisory guidance. 

• SEVD-2026-013-03 – Multiple Third-Party Vulnerabilities on Zigbee ProductsCVE: CVE-2024-6350 (also: CVE-2024-6351, CVE-2024-6352, CVE-2024-10106, CVE-2024-7322) | CVSS v3.1: 6.5 
  Silicon Labs EmberZNet Zigbee issues could enable denial-of-service, causing products to become unavailable. 
  Recommendation: Tighten network joining controls, use install codes where possible, avoid well-known keys, and replace defaults with unique keys. 

• SEVD-2025-042-02 (v3.0.0) – Improper Input Validation Vulnerability in Uni-Telway Driver (Update) 
  CVE: CVE-2024-10083 | CVSS v4.0: 6.8 (v3.1: 5.5) 
  Improper input validation could cause local DoS on an engineering workstation when invoked with crafted input. 
  Recommendation: Apply mitigations and hardening if needed; otherwise uninstall the Uni-Telway driver where it is not required. 

Foxguard Insight: Schneider’s January set shows how frequently OT risk comes from supporting components and engineering workflows rather than the controller alone. Third-party services, controller protocols, and project-file handling all appear as recurring pressure points. Focus on patching where fixes exist and treat engineering workstations and project repositories as controlled assets with strict trust rules, integrity checks, and least-privilege access. 

ABB 

ABB published a January advisory impacting ABB RobotStudio: 

• ABB RobotStudio – Multiple Vulnerabilities 
  CVE: CVE-2025-4676: CVSS v3.1 8.8; CVSS v4.0 8.4. CVE-2025-4675 and CVE-2025-4677: CVSS v4.0 7.1 (v3.1: 6.5) 
  Multiple issues in RobotStudio could impact engineering environments and downstream workflows depending on how systems are used and exposed. 
  Recommendation: Apply ABB’s recommended remediation/updated versions and enforce defense-in-depth controls around engineering workstations. 

Foxguard Insight: Engineering tools like RobotStudio are often trusted by default because they are part of standard operational workflows. When weaknesses exist in those tools, the risk is less about the workstation in isolation and more about what the workstation is allowed to touch. Patch promptly, limit local admin rights, and keep engineering environments separated from production networks with monitored, intentional pathways. 

Phoenix Contact 

Phoenix Contact (via CERT@VDE) released two January advisories affecting switching and routing components: 

• VDE-2025-071 – Multiple Vulnerabilities in FL SWITCH 2xxx Firmware 
  CVE: Multiple CVEs – see advisory for details | CVSS v3.1: up to 8.8 
  Multiple vulnerabilities affect FL SWITCH 2xxx firmware prior to v3.50, including file system access issues and additional impacts such as disclosure, integrity compromise, or denial-of-service. 
  Recommendation: Upgrade to firmware v3.50 or later, restrict management access to trusted networks, disable unused services/protocols, and enforce segmentation. 

• VDE-2025-073 – Code Injection Vulnerability in TC ROUTER and CLOUD CLIENT 
  CVE: CVE-2025-41717 | CVSS v3.1: 8.8 
  Code injection in the configuration upload interface could allow an authenticated attacker to execute arbitrary commands and fully compromise the device. 
  Recommendation: Upgrade to fixed firmware versions (e.g., TC ROUTER ≥ 3.08.8, CLOUD CLIENT ≥ 3.07.7), restrict administrative access, only upload trusted configuration files, and segment networks. 

Foxguard Insight: These Phoenix Contact advisories reinforce that network infrastructure is not neutral plumbing in OT environments. Switches and routers shape reachability and trust boundaries, and faults in their management or configuration interfaces can have outsized impact. Prioritize updates for devices that bridge zones, then verify management access is restricted to a dedicated administrative network with strong authentication and logging. 

Mitsubishi Electric 

Mitsubishi Electric’s January-relevant advisories focus on ICONICS/GENESIS product families, including one high-severity update and one lower-scored but still operationally meaningful tampering issue: 

• Mitsubishi Electric PSIRT – Multiple Vulnerabilities in GENESIS, GENESIS64, ICONICS Suite, MC Works64, GENESIS32, and BizViz (Update) 
  CVE: CVE-2024-8299, CVE-2024-8300, CVE-2024-9852 | CVSS v3.1: 7.8 / 7.0 / 7.8 
  Malicious code execution vulnerabilities may allow arbitrary code execution when a crafted DLL is placed in the application environment. 
  Recommendation: Update products to the versions listed in the advisory, restrict installation environments, and apply Mitsubishi Electric hardening guidance. 

• Mitsubishi Electric – Information Tampering Vulnerability in Multiple Services of GENESIS64, ICONICS Suite, MC Works64, GENESIS, GENESIS32, and BizViz (Update) 
  CVE: CVE-2025-0921 | CVSS v3.1: 6.5 
  A local attacker could use a symbolic link technique to redirect writes and tamper with arbitrary files, potentially destroying required files and causing a denial-of-service condition on the host PC. 
  Recommendation: Restrict logins to administrators, block remote login from untrusted networks and non-admin users, enforce firewall/VPN controls if Internet-connected, restrict physical access, and avoid interacting with untrusted emails/attachments. 

Foxguard Insight: Mitsubishi’s advisories are a useful reminder that local-access issues can still matter in OT, especially where a small number of servers support multiple functions and teams. If an engineering or SCADA host is shared, local tampering can become an availability problem quickly. Keep patching aligned to maintenance windows, but also reduce day-to-day risk through access controls, admin separation, and tighter host hardening on systems that run these suites. 

CISA 

CISA’s January ICS advisories span asset management platforms, monitoring devices, and industrial analytics environments, and includes one lower-scored advisory that is still relevant in environments where IoT and OT networks intersect: 

• ICSA-26-008-01 – Hitachi Energy Asset Suite 
  CVE: CVE-2025-10492 | CVSS v3.1: 9.8 (v4.0: 8.7) 
  A critical third-party component vulnerability (JasperReports) may enable remote code execution in affected deployments. 
  Recommendation: Apply Hitachi Energy remediation/updates for the impacted component; restrict server access and limit exposure of management interfaces. 

• ICSA-26-006-01 – Columbia Weather Systems MicroServer 
  CVE: CVE-2025-61939, CVE-2025-66620, CVE-2025-64305 | CVSS v3.1: up to 8.8 (v4.0: up to 8.7) 
  Multiple issues could enable disruptive outcomes depending on attacker position and system configuration. 
  Recommendation: Update/mitigate per vendor guidance; restrict administrative access and management exposure; segment networks to reduce attack paths. 

• ICSA-26-013-02 – Rockwell Automation FactoryTalk® DataMosaix™ Private Cloud 
  CVE: CVE-2025-12807 | CVSS v4.0: 8.7 
  Exposed API paths may allow low-privilege users to perform sensitive database operations. 
  Recommendation: Apply the vendor fix/updated version; enforce least privilege and restrict service/API access. 

• ICSA-26-013-01 – Rockwell Automation 432ES-IG3 Series A 
  CVE: CVE-2025-9368 | CVSS v4.0: 8.7 (v3.1: 7.1) 
  A denial-of-service condition can require a manual power cycle for recovery. 
  Recommendation: Apply firmware/update guidance; isolate affected devices from untrusted networks and restrict exposed interfaces. 

• ICSA-26-013-03 – YoSmart YoLink Smart Hub 
  CVE: CVE-2025-59452, CVE-2025-59448, CVE-2025-59449, CVE-2025-59450, CVE-2025-59451 | CVSS v3.1: up to 5.8  Multiple issues could enable unauthorized access or information exposure depending on CVE and threat position. 
  Recommendation: Apply vendor patches where available; minimize exposure and strictly segregate IoT systems from OT/ICS networks; monitor for abnormal access patterns. 

Foxguard Insight: The CISA advisories this month point to familiar failure modes: exposed services, vulnerable third-party components, and weak boundaries between systems with different trust expectations. Where patching is in progress or delayed, exposure control usually makes the difference. Reduce direct reachability to affected platforms, confirm that management interfaces are not internet-facing, and keep IoT and OT separated with clear policy and enforcement. 

Actionable Recommendations 

January’s advisories include critical authorization bypass issues in Siemens Industrial Edge, high-severity Schneider updates affecting controller communications and engineering utilities, and firmware issues in OT network devices. Several items also highlight the continuing risk from third-party components and project-file workflows.  

The priorities for most environments remain consistent: patch what is exposed or high-privilege first, restrict management-plane reachability, and use segmentation and monitoring to reduce risk while remediation is underway.  

To reduce exposure and maintain operational stability, Foxguard recommends: 

• Prioritize Siemens Industrial Edge remediation immediately: Patch/upgrade affected Industrial Edge Devices and Industrial Edge Device Kit deployments and restrict management-plane exposure where fixes are not available. 

• Harden controller communications and OT access paths: Apply Schneider Modicon firmware updates, restrict Modbus exposure (TCP/502), and enforce ACLs and segmentation. 

• Treat project files and engineering workflows as high-risk inputs: Apply Schneider RemoteConnect and Rapsody remediations; enforce “trusted files only,” integrity checking, and least privilege on engineering workstations. 

• Patch OT network infrastructure first where it bridges zones: Update Phoenix Contact FL SWITCH and TC ROUTER/CLOUD CLIENT firmware and lock down device management interfaces to trusted admin networks. 

• Reduce blast radius while patching: Segment networks, limit remote access, verify patch deployment success, and monitor for anomalous access attempts across ICS/OT and supporting systems. 

How Foxguard Can Help 

January’s disclosures show how broad the patching problem is in real environments. The work is not only applying updates, but also deciding what to prioritize, validating versions, and reducing exposure where patching cannot be immediate. Foxguard supports operators by helping them assess impact across ICS and OT assets, plan remediation that fits operational constraints, and implement practical controls that reduce risk without adding unnecessary complexity. 

Our services include: 

• FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture. 

• FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk. 

• FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance. 

• FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security. 

• FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity. 

Foxguard works alongside operators to make sense of a patch landscape that can quickly become overwhelming, providing analysis and context so teams can prioritize patching and hardening efforts effectively. 

Stay Ahead of Threats 

January’s advisories highlight a pattern that will be familiar to most OT teams. The most serious risks are not limited to controllers alone, but often sit in edge platforms, engineering tools, management services, and the network infrastructure that connects them. When those systems are exposed or overly trusted, a single weakness can have operational consequences well beyond the affected product. 

Staying ahead of this risk is less about reacting to individual CVEs and more about maintaining discipline over patching, access control, and network boundaries. Knowing which systems matter most, limiting who and what can reach them, and verifying that controls continue to work over time remains the most effective way to reduce exposure. 

If your organization needs support prioritizing remediation, validating patch status, or reducing risk while updates are staged, Foxguard works alongside OT and ICS teams to help turn advisory information into practical, defensible action. Reach out to our team today, and let us know how we can help you. 

Your security is our priority. Stay vigilant and stay protected. 

The post ICS Critical Patch Updates: January 2026  appeared first on Foxguard.

The post Global Oil & Gas Company – Cyber Security appeared first on Foxguard.

This month, Siemens, Schneider Electric, Rockwell Automation, and CISA reported high-severity issues spanning engineering software, industrial controllers, Ruggedcom devices, and OT monitoring platforms. Several advisories describe remote code execution, denial-of-service conditions, and privilege escalation, which could impact grid operations, industrial network stability, or access to sensitive OT systems. 

Vulnerabilities are not limited to core controllers—supporting software and cloud services remain frequent targets. Siemens COMOS and SICAM T devices, Schneider EcoStruxure™ Foxboro DCS Advisor services, and Rockwell FactoryTalk® DataMosaix™ Private Cloud are examples of systems requiring prompt patching and careful configuration to prevent unauthorized actions or operational disruption. 

Note on CVSS Scores: All vulnerabilities this month are reported using CVSS v4.0. Vendor-reported base scores are included where available, providing operators with clear visibility of each issue’s severity to guide remediation priorities.  

Siemens  

Siemens released multiple high-severity advisories this month affecting engineering software, rugged networking platforms, grid devices, and supporting authentication components:  

• SSA-212953 – Multiple Vulnerabilities in COMOS 

CVE: Multiple | CVSS v4.0: 10.0 

COMOS engineering software contains several critical flaws that may allow remote code execution, privilege escalation, or denial-of-service. Compromise could impact engineering workflows and system integrity. 

Recommendation: Update to the latest COMOS release. Restrict access to COMOS servers, avoid untrusted project files, and apply Siemens’ hardening guidance. 

• SSA-471761 – Multiple Vulnerabilities in SICAM T (Before V3.0) 

CVE: Multiple | CVSS v4.0: 9.9 

SICAM T devices prior to V3.0 contain vulnerabilities enabling remote code execution, denial of service, or unauthorized access to sensitive functions. 

Recommendation: Update to firmware V3.0 or later, restrict interface access, enforce firewall rules, and monitor for suspicious activity. 

• SSA-202008 – Multiple Vulnerabilities in RUGGEDCOM ROX (Before V2.17.0) 

CVE: Multiple | CVSS v4.0: 9.8 

RUGGEDCOM ROX devices running firmware before V2.17.0 contain improper input validation and buffer overflows that may allow remote code execution or denial of service. 

Recommendation: Update to firmware V2.17.0 or later, isolate management interfaces, and apply strict firewall rules. 

• SSA-912274 – Multiple Vulnerabilities in RUGGEDCOM ROX (Before V2.17) 

CVE: Multiple | CVSS v4.0: 8.8 

Additional vulnerabilities affect ROX-based devices prior to V2.17 that are not addressed by SSA-202008, allowing potential remote code execution or system disruption. 

Recommendation: Install firmware V2.17 or later and isolate administrative interfaces. 

• SSA-416652 – Multiple Vulnerabilities in SIMATIC CN 4100 (Before V4.0.1) 

CVE: Multiple | CVSS v4.0: 8.3 

Flaws in SIMATIC CN 4100 could allow remote code execution, denial of service, or unauthorized access, affecting network communications. 

Recommendation: Update to V4.0.1 or later and restrict management access. 

• SSA-710408 – Missing Server Certificate Validation in Siemens Advanced Licensing Toolkit (SALT) 

CVE: CVE-2025-40801 | CVSS v4.0: 8.1 

SALT fails to validate server certificates, enabling possible MITM attacks. 

Recommendation: Apply updated SALT components and restrict access to licensing servers. 

• SSA-915282 – Denial-of-Service Vulnerability in Interniche IP-Stack Devices 

CVE: CVE-2025-40820 | CVSS v4.0: 7.5 

Crafted packets could trigger denial of service in devices using the Interniche IP-Stack. 

Recommendation: Update to patched firmware and apply segmentation and IDS monitoring. 

• SSA-868571 – Missing Server Certificate Validation in IAM Client 

CVE: CVE-2025-40802 | CVSS v4.0: 7.4 

IAM Client does not properly validate certificates, potentially enabling MITM attacks. 

Recommendation: Update to the latest IAM Client version and enforce TLS best practices. 

Foxguard Insight: Siemens’ December advisories illustrate that even foundational engineering systems can become operational risks if management interfaces or network boundaries are inadequately protected. Prioritizing patching while enforcing access controls and network segmentation is essential to reduce exposure.  

Schneider Electric  

Schneider released one critical advisory this month affecting Foxboro DCS Advisor services:  

• SEVD-2025-343-02 – EcoStruxure™ Foxboro DCS Advisor Services 

CVE: Not individually listed | CVSS v4.0: 9.8 (estimated) 

Foxboro DCS Advisor services are exposed via underlying Microsoft Server 2016/2022 WSUS patches (KB5066836 and KB5066782). Exploitation may allow privilege escalation or bypass update validation. 

Recommendation: Apply Microsoft’s December updates and follow Schneider’s hardening guidance for Advisor services. 

Foxguard Insight: Vulnerabilities in supporting software such as WSUS can propagate risk to industrial systems. Operators should confirm patch application and monitor downstream systems to prevent privilege misuse or update validation bypass.  

Rockwell Automation  

Rockwell issued two high-severity advisories impacting cloud environments and industrial hardware:  

• SD1765 – FactoryTalk® DataMosaix™ Private Cloud SQL Injection  
  CVE: CVE-2025-12807 | CVSS v4.0: 8.7 

A SQL injection vulnerability may allow an authenticated attacker to manipulate database queries, potentially leading to unauthorized data access or modification. 

Recommendation: Update to the patched DataMosaix release and enforce least-privilege database access.  

• SD1764 – 432ES-IG3 Series A Denial-of-Service Vulnerability  
  CVE: CVE-2025-9368 | CVSS v4.0: 8.7 

Crafted packets could crash affected devices, disrupting industrial network communications. 

Recommendation: Install updated firmware and isolate devices from untrusted networks.  

Foxguard Insight: SQL injection in FactoryTalk DataMosaix Private Cloud and a DoS in 432ES-IG3 Series A devices show Cloud and industrial endpoints both present risk vectors. Exploitation could expose or manipulate data and disrupt network communications. Patch promptly, or isolate devices and monitor closely to prevent exploitation and maintain network stability.  

CISA  

CISA released multiple high-severity advisories this month spanning video systems, access control equipment, collaboration tools, and network monitoring platforms: 

• ICSA-25-343-03 – India-Based CCTV Cameras 

CVE: CVE-2025-13607 | CVSS v4.0: 9.3 

Vulnerabilities allow attackers to bypass authentication, access video feeds, or disrupt surveillance. 

Recommendation: Apply vendor firmware updates and restrict remote access.  

• ICSA-25-336-02 – Iskra iHUB and iHUB Lite 

CVE: CVE-2025-13510 | CVSS v4.0: 9.0 

Authentication bypass and privilege escalation vulnerabilities affect all versions. 

Recommendation: Install vendor patches or restrict access. 

• ICSA-25-336-01 – Industrial Video & Control Longwatch 

CVE: CVE-2025-13658 | CVSS v4.0: 8.8 

Vulnerabilities may allow remote code execution or denial of service. 

Recommendation: Update to the latest Longwatch release and restrict network access. 

• ICSA-25-338-07 – Advantech iView 

CVE: CVE-2025-13373 | CVSS v4.0: 8.7 

Network management flaws may allow remote code execution or denial of service. 

Recommendation: Update to the latest iView version and restrict management access. 

• ICSA-25-338-02 – MAXHUB Pivot 

CVE: CVE-2025-53704 | CVSS v4.0: 8.7 

Vulnerabilities could allow remote code execution or privilege escalation. 

Recommendation: Update to the patched release and restrict access to collaboration servers. 

• ICSA-25-343-01 – Universal Boot Loader (U-Boot) 

CVE: CVE-2025-24857 | CVSS v4.0: 8.6 

Secure boot bypass, privilege escalation, or code execution may be possible. 

Recommendation: Apply patched U-Boot versions and enforce secure boot configurations. 

• ICSA-25-338-05 – Sunbird DCIM dcTrack & Power IQ 

CVE: CVE-2025-66237/66238 | CVSS v4.0: 8.4 

Flaws may allow unauthorized access or arbitrary code execution. 

Recommendation: Update to the latest releases and apply segmentation controls. 

• ICSA-25-338-06 – SolisCloud Monitoring Platform 

CVE: CVE-2025-13932 | CVSS v4.0: 8.3 

Vulnerabilities may allow manipulation of solar monitoring data or service disruption. 

Recommendation: Update to patched SolisCloud releases and restrict monitoring access. 

• ICSMA-25-336-01 – Mirion Medical EC2 NMIS BioDose 

CVE: CVE-2025-64642 | CVSS v4.0: 7.5 

Flaws could allow unauthorized access to sensitive medical data. 

Recommendation: Update to the latest Mirion Medical release. 

Foxguard Insight: CISA flags multiple remote code execution and privilege escalation risks across Longwatch, iHUB, MAXHUB, Advantech iView, Sunbird DCIM, and U-Boot. Patching high-risk systems, maintaining strict segmentation and access controls, and careful monitoring while updates are applied is advised. These advisories remind operators that even peripheral systems can be pivot points if ignored.  

Actionable Recommendations  

December’s advisories include critical vulnerabilities in Siemens engineering and grid devices, Schneider Foxboro DCS services, Rockwell cloud and industrial systems, and multiple CISA-flagged OT platforms. To reduce exposure and maintain operational stability, Foxguard recommends:  

• Patch high-severity Siemens devices immediately: Apply updates for COMOS, SICAM T, and RUGGEDCOM ROX to mitigate remote code execution, privilege escalation, and denial-of-service risks.  

• Update supporting software and cloud platforms: Apply Microsoft updates for EcoStruxure Foxboro DCS Advisor services and Rockwell FactoryTalk DataMosaix Private Cloud patches to prevent privilege escalation and SQL injection attacks.  

• Secure OT network interfaces: Isolate management ports, enforce firewall rules, and segment networks for Siemens, Rockwell, and CISA-flagged devices to limit lateral movement and reduce attack surfaces.  

• Enforce secure communications: Update Siemens IAM Client and SALT Toolkit, validate certificates, and maintain logging to detect and prevent man-in-the-middle attacks or abnormal access attempts.  

• Patch peripheral and monitoring systems: Update CISA-flagged devices including Longwatch, iHUB, MAXHUB, Advantech iView, Sunbird DCIM, U-Boot, and Mirion Medical NMIS BioDose to prevent unauthorized access and operational disruption.  

How Foxguard Can Help  

This month’s advisories show that attackers exploit both primary ICS devices and ancillary software components, leveraging multiple types of vulnerabilities—from SQL injection to certificate validation failures. This environment demands strategic patch prioritization, network hardening, and continuous monitoring.  

Foxguard’s team of ICS and OT security experts help operators to simplify the process and focus on actionable risk reduction. We help organizations prioritize patches, enforce strong controls, and keep watch over critical infrastructure, so teams can focus on running their systems safely and without disruption.  

Our services include:   

• FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.    

• FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.    

• FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.    

• FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.    

• FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.   

Foxguard works alongside operators to make sense of a patch landscape that can quickly become overwhelming, providing analysis and context so teams can prioritize patching and hardening efforts effectively.  

Stay Ahead of Threats  

The initiative behind our monthly patch update stems from years of experience in the field, reflecting a true understanding of what operators need to cut through the noise. December’s advisories certainly remind us of how important these updates are.  

Attackers are leveraging both high-value ICS devices and supporting OT systems as entry points, making it critical to patch, segment, and monitor every device—no matter how peripheral—to reduce operational risk. Consistent verification of patch deployments, proactive network monitoring, and rapid response to anomalous activity are key strategies to maintain secure OT environments.  

If your organization needs tailored support managing this month’s vulnerabilities or building a stronger long-term patch management plan, contact Foxguard today.   

Your security is our priority. Stay vigilant and stay protected.  

The post ICS Critical Patch Updates: December 2025  appeared first on Foxguard.

The post Asset Inventory | The First Step in Securing Your Operational Technology appeared first on Foxguard.

Note on CVSS Scores: November’s advisories include both CVSS v4.0 and select v3.1 ratings. All base scores referenced here follow the vendor-reported severity, providing an accurate snapshot of each vulnerability’s exploitability and potential impact on OT systems. 

Siemens 

Siemens released several advisories affecting grid management, engineering software, and industrial controllers: 

• SSA-682326 – Multiple Vulnerabilities in COMOS Before V10.4.5 

CVE: Multiple | CVSS v3.1: 9.3 

Arbitrary code execution and data infiltration may be possible. Operators should update to COMOS V10.4.5 and follow Siemens’ general security guidance to secure systems. 

• SSA-770770 – Fortigate NGFW Vulnerabilities on RUGGEDCOM APE1808 

CVE: CVE-2022-42475, CVE-2023-27997, CVE-2024-21762 | CVSS v4.0: 9.1 

Remote code execution and unauthorized access are possible through FortiOS flaws. Siemens advises updating Fortigate NGFW to V7.4.7 and following both Fortinet and Siemens mitigation guidance. 

• SSA-522291 – Improper Certificate Validation in Solid Edge 

CVE: CVE-2025-40744 | CVSS v4.0: 8.7 

Solid Edge fails to validate certificates when connecting to the License Service, allowing potential MITM attacks. Siemens advises updating to SE2025 V225.0 Update 11 and securing network configurations to ensure proper certificate validation. 

• SSA-339694 – Multiple Vulnerabilities in Spectrum Power 4 < v4.70 SP12 Update 2 

CVE: CVE-2024-32008 to CVE-2024-32014 | CVSS v4.0: 8.7 

Remote and local code execution vulnerabilities exist due to exposed debug interfaces and misconfigured binaries. Siemens recommends updating to Spectrum Power 4 V4.70 SP12 Update 2 and following mitigation guidance. 

• SSA-267056 – Multiple Vulnerabilities in LOGO! 8 BM Devices 

CVE: CVE-2025-40815, CVE-2025-40816, CVE-2025-40817 | CVSS v4.0: 8.6 

Vulnerabilities could allow remote code execution, denial-of-service, or unauthorized behavior changes. Siemens recommends protecting LSC access with strong passwords, restricting port 10006/udp, and applying firmware updates when available.  

• SSA-514895 – Multiple Vulnerabilities in Altair Grid Engine V2025.1.0  

CVE: CVE-2025-40760, CVE-2025-40763 | CVSS v4.0: 8.5 

Privilege escalation and arbitrary code execution could occur through password hash exposure and path hijacking. Siemens recommends updating to V2026.0.0, removing setuid-root bits, and following Siemens security guidelines to prevent unauthorized system access. 

• SSA-365596 – DLL Hijacking in Siemens Software Center and Solid Edge 

CVE: CVE-2025-40827 | CVSS v4.0: 8.5 

Crafted DLLs could be loaded, enabling arbitrary code execution. Siemens recommends updating Siemens Software Center to V3.5 and Solid Edge to V225.0 Update 10 to prevent exploitation. 

• SSA-216014 – EFI Variable Vulnerabilities in SIMATIC IPCs and PGs 

CVE: CVE-2024-56181, CVE-2024-56182 | CVSS v4.0: 8.4 

Authenticated attackers could manipulate secure boot or password configurations. Updating BIOS versions and following Siemens mitigation guidance are recommended to secure systems. 

Foxguard Insight: Siemens continues to encounter serious vulnerabilities across its software tools and grid hardware. Attackers are targeting often-overlooked areas—specifically operational software and external interfaces—using sophisticated methods like DLL hijacking, EFI manipulation, and third-party firewall flaws. Enforcing strict access controls, timely patching, and network segmentation is essential to contain this risk. 

Schneider Electric 

Schneider’s November advisories focus on SCADA platforms, machine visualization, and power management systems: 

• SEVD-2025-315-02 – EcoStruxure™ Machine SCADA Expert & Pro-face BLUE Open Studio 

CVE: CVE-2025-9317 | CVSS v4.0: 8.3 

Third-party vulnerabilities affect SCADA visualization platforms. Operators should apply Patch 1 for 2023.1 and follow secure deployment practices to prevent exploitation. 

• SEVD-2025-315-01 – PowerChute™ Serial Shutdown 

CVE: CVE-2025-11565, CVE-2025-11566, CVE-2025-11567 | CVSS v4.0: 6.9+ 

Path traversal, incorrect default permissions, and lack of brute-force protection could allow unauthorized access or system compromise. Schneider Electric recommends upgrading to the latest version and restricting access to configuration files and interfaces. 

Foxguard Insight: This month’s Schneider advisories highlight a key danger: third-party components are turning even simple visualization and machine monitoring tools into vectors for remote exploitation within OT environments. To keep operations running smoothly, coordinate patching across both SCADA and machine-level systems. 

Rockwell Automation 

Rockwell advisories continue to expose risks in simulation, cloud platforms, and third-party libraries: 

• Studio 5000® Simulation Interface – Remote Code Execution 
  CVE: CVE-2025-11696, CVE-2025-11697 | CVSS v4.0: 8.9 
  Remote code execution or denial-of-service is possible via the simulation interface. Rockwell advises updating to the latest version and restricting access to simulation components. 
• FactoryTalk® Policy Manager – Third-Party Component 
  CVE: CVE-2024-22019 | CVSS v4.0: 8.7 
  Remote exploitation via third-party libraries is possible. Update third-party components and validate policy configurations. 
• AADvance – SIS Workstation DotNetZip 
  CVE: CVE-2024-48510 | CVSS v4.0: 8.6 
  Directory traversal or file overwrite possible. Update the DotNetZip component and restrict archive handling.

• Verve Asset Manager – Improper Access Control 
  CVE: CVE-2025-11862 | CVSS v4.0: 8.4 
  Unauthorized privilege escalation risk exists. Apply access control patches and enforce least privilege to secure the system. 

• FactoryTalk® DataMosaix™ Private Cloud – Multiple Vulnerabilities 
  CVE: CVE-2025-11084, CVE-2025-11085 | CVSS v4.0: 7.6 & 8.6 
  Could allow unauthorized access or data manipulation. Update cloud services and monitor for abnormal activity to mitigate risk.  

Foxguard Insight: With Rockwell’s software stretching into the cloud and simulation space, the OT environment is now a much bigger target. Attackers are looking for the easiest way in. To prevent them from moving laterally across your network and compromising data, it is critical to enforce strict segmentation and monitor for any unusual access between those cloud, simulation, and operational networks. 

Phoenix Contact 

Phoenix Contact’s advisory addresses network security on firewalls: 

• FL MGUARD Series Firewall Vulnerability 
  CVE: CVE-2025-48291 | CVSS v4.0: 8.6 
  Remote authentication bypass could grant administrative access. Operators should update firmware to 12.3.1 or later, restrict management interface access, and enable logging. 

Foxguard Insight: Phoenix Contact’s FL MGUARD vulnerabilities confirm that perimeter devices become high-value targets for adversaries. Exploiting session validation flaws allows attackers to completely subvert authentication and gain administrative control, ensuring rapid lateral movement across OT networks. Strict segmentation, continuous monitoring of management interfaces, and active logging are essential to contain the risk. 

Eaton 

Eaton reported a high-privilege input validation issue in legacy devices: 

• Network-M2 Security Issue 
  CVE: CVE-2025-22495 | CVSS v3.1: 8.4 
  Improper input validation in the NTP server field could allow arbitrary command execution. Firmware version 3.1.17 or later should be applied, access to management interfaces restricted, and logs monitored. Note: Network-M2 has reached end-of-life; transition to Network-M3 is recommended. 

Foxguard Insight: Eaton’s Network-M2 vulnerabilities are a clear signal of the residual threat from legacy devices. Inadequate input validation on network interfaces allows high-privilege users to execute arbitrary commands, risking the systemic compromise of connected systems. To reduce exposure, operators must strictly enforce access controls, continuously monitor for anomalous activity, and prioritize migration to supported platforms. 

CISA 

CISA highlighted multiple high-severity exposures affecting controllers, HMIs, and video analytics systems. 

• Remote Code Execution – Advantech DeviceOn/iEdge 
  CVE: CVE-2025-12635, CVE-2025-12637, CVE-2025-12638 | CVSS v4.0: Up to 9.8 
  Improper authentication and command injection could allow full device compromise. Update to the latest version, restrict network access, and monitor logs. 
• Buffer Overflow – Fuji Electric Monitouch V-SFT-6 
  CVE: CVE-2025-12641 | CVSS v4.0: 9.8 
  Remote code execution could occur. Update software and restrict engineering port access. 
• Stack-Based Buffer Overflow – Delta Electronics CNCSoft-G2 
  CVE: CVE-2025-12643 | CVSS v4.0: 9.1 
  Update to the latest version and isolate engineering workstations. 

• Remote Control – ABB FLXeon Controllers 
  CVE: CVE-2025-12639 | CVSS v4.0: 8.8 
  Improper access control may permit remote code execution. Apply firmware updates and enforce access restrictions. 

• Hardcoded Credentials – Survision LPR Camera 
  CVE: CVE-2025-12642 | CVSS v4.0: 8.6 
  Default credentials may allow unauthorized access. Change credentials and apply firmware updates. 

• Denial of Service via Input Validation – Radiometrics VizAir 
  CVE: CVE-2025-12644 | CVSS v4.0: 8.2 
  Improper input validation could allow denial of service. Apply the vendor patch and monitor device behavior. 

Foxguard Insight: CISA’s November advisories reveal attackers are systematically exploiting both human and technical weaknesses to circumvent defenses and target critical OT assets. The attack surface spans a wide range of vulnerabilities, from authentication bypasses in Advantech iEdge and buffer overflows in HMI software to the serious risks posed by hardcoded credentials in cameras. This puts controllers, operator interfaces, and auxiliary monitoring systems directly in the crosshairs. Preventing system-wide disruption requires a layered defense strategy, combining timely patching, strong network segmentation, rigorous enforcement of least privilege, and continuous monitoring of operational behavior. 

Actionable Recommendations 

November’s advisories cover a mix of high-severity remote code execution, privilege escalation, and access control flaws. Based on this month’s disclosures, Foxguard recommends: 

• Prioritize high-risk remote code execution vulnerabilities: Patch Siemens Altair Grid Engine, LOGO! 8 BM devices, Rockwell Studio 5000 Simulation Interface, and CISA-listed Advantech and Fuji Electric systems. 

• Mitigate exposure where patches are not yet available: For Eaton Network-M2 cards or Phoenix FL MGUARD firewalls, enforce network segmentation, restrict management access, and monitor for anomalous activity. 

• Secure engineering, cloud, and diagnostic tools: Isolate COMOS, FactoryTalk DataMosaix, and SCADA visualization platforms from general OT networks. Enable logging and alerting for unusual activity. 

• Enforce strong access controls: Rotate credentials, remove defaults, and apply least privilege to all administrative accounts, particularly in firewalls and remote monitoring tools. 

• Coordinate multi-vendor patching: Synchronize Siemens, Schneider, and Rockwell updates to minimize windows of vulnerability, and ensure third-party libraries are current. 

How Foxguard Can Help 

Industrial control environments are growing increasingly complex. The November advisories confirm rapid exploitation of security gaps across both core ICS components and auxiliary systems. Vulnerabilities in Siemens grid engines, LOGO! 8 devices, and exposures in Rockwell’s simulation and cloud interfaces unequivocally prove that trusted operational tools function as entry points for lateral movement or privilege escalation.  

Foxguard’s platform and services are engineered to bridge the operational reality and security requirement, delivering actionable clarity, continuous oversight, and automated remediation pathways without disrupting production stability. 

Our services include:  

• FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.   

• FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.   

• FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.   

• FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.   

• FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.  

With Foxguard, operators gain the confidence to act decisively on vulnerabilities, maintain operational continuity, and reduce the window of exposure. By combining expert guidance, continuous monitoring, and automated patching, teams can stay ahead of threats and keep critical infrastructure resilient. 

Stay Ahead of Threats 

The vulnerabilities released this month highlight how much the security landscape around industrial systems continues to shift. Weaknesses are turning up not only in control devices but in the supporting tools and services that keep those systems running. Remote code execution flaws in grid, cloud, and simulation platforms show how easily a compromised engineering workstation or interface can become a pivot point into production networks.  

Keeping systems secure requires disciplined patch management, careful restriction of administrative and network interfaces, and continuous monitoring of activity between OT and IT segments, as even minor oversights in these areas can provide attackers with a point of entry.  

Foxguard works with operators to close those weak points using proven update workflows and continuous asset visibility—a straightforward approach that keeps systems stable and secure, even as new advisories keep coming.  

If your organization needs tailored support managing this month’s vulnerabilities or building a stronger long-term patch management plan, contact Foxguard today.  

Your security is our priority. Stay vigilant and stay protected. 

The post ICS Critical Patch Updates: November 2025  appeared first on Foxguard.

In October, the vulnerability landscape has intensified, with Siemens, Schneider Electric, ABB, and Rockwell Automation releasing multiple high-severity advisories concerning core controllers, network infrastructure, and building management systems. Numerous vulnerabilities facilitate remote code execution, denial of service, or unauthorized data access—threats that necessitate prompt attention and a swift, coordinated response. 

Note on CVSS Scores: All vulnerabilities referenced this month follow CVSS v4.0 scoring, offering greater accuracy in assessing exploitability and impact across OT environments. Ratings noted below reflect vendor-reported base scores where available.  

Siemens  

Siemens has released an extensive slate of 20 security advisories this month, with several rated at the highest levels of severity and affecting foundational ICS components: 

• SSA-062309 | Information Disclosure in TeleControl Server Basic V3.1 | CVE-2025-40765 | CVSS 9.8: Sensitive data may be exposed due to improper access controls; Siemens recommends updating to the patched version and enforcing strict authentication and access policies.  

• SSA-722410 | (Update) Multiple Vulnerabilities in UMC | CVSS 9.8: Buffer overflows and privilege escalation risks exist; Siemens advises applying the latest patches and restricting access to UMC interfaces. 

• SSA-486936 | Authentication Vulnerability in SIMATIC ET 200SP | CVE-2025-40771 | CVSS 9.8: Weak authentication could permit unauthorized access; Siemens has released new firmware and recommends enforcing strong credential policies. 

• SSA-083019 | (Update) Multiple Vulnerabilities in RUGGEDCOM ROS Devices | CVSS 8.8: Buffer overflows and input validation flaws may be exploited; Siemens recommends upgrading firmware and limiting access to trusted networks. 

• SSA-318832 | SQL Injection in SINEC NMS | CVE-2025-40755 | CVSS 8.8: Injection vulnerability could enable privilege escalation; Siemens has issued a firmware update to resolve the issue. 

• SSA-599451 | Multiple Vulnerabilities in SiPass Integrated (pre-V3.0) | CVSS 8.8: Flaws in authentication and input validation affect earlier versions; Siemens advises upgrading to SiPass V3.0 or later and hardening access controls. 

• SSA-978177 | (Update) Vulnerability in Nozomi Guardian/CMC on RUGGEDCOM APE1808 (third-party) | CVSS 8.1: Third-party software vulnerabilities could impact Siemens devices; Siemens suggests contacting support for patch guidance and applying network segmentation. 

Foxguard Insight: This month’s Siemens advisories highlight how authentication weaknesses and third-party dependencies continue to define OT exposure. Many of these issues exist behind administration layers and third-party components, typically outside the immediate operator’s view. These advisories emphasize the requirement for continual validation and change awareness across all software modules, not only core control firmware. 

Schneider Electric  

Schneider Electric has published seven advisories. The following two, spotlight on command injection and data exposure:  

• SEVD-2025-252-02 | OS Command Injection in Saitel DR & DP RTUs | CVE-2025-9996 & CVE-2025-9997 | CVSS 8.8: Command injection flaws could allow remote code execution. Schneider Electric recommends firmware updates, limiting network exposure, and monitoring for suspicious system activity. 

• SEVD-2025-224-04 (V2.0) | (Update) Sensitive Data Exposure in EcoStruxure Building Operation | CVSS 7.8: Information disclosure and resource consumption vulnerabilities are addressed in the latest Enterprise Server version. Resource controls and timely upgrades are advised. 

Foxguard Insight: These advisories emphasize the convergence of facility management and process automation, as cyber risk spreads to environmental and infrastructure systems. For consistent mitigation across both building and process control networks, it is recommended that the patch cycles for EcoStruxure and Saitel RTUs be coordinated with the broader OT update initiatives.  

ABB  

ABB updated its advisory on critical vulnerabilities in system diagnostics: 

• Improper Resource Locking and Weak Session Token Generation | CVE-2025-3450 – CVSS 9.3: Unauthenticated attackers could cause denial-of-service or hijack sessions. ABB urges updating to version 6.3 or Q4.93, isolating SDM interfaces from public networks, and monitoring for abnormal activity. 

Foxguard Insight: ABB’s SDM vulnerabilities demonstrate how resource management and session integrity continue to be important weak points in industrial runtime environments. When it comes to multi-vendor ecosystems, the protection of diagnostic and management channels is just as important as the protection of control logic itself. 

CISA  

CISA advisories this month reinforce the importance of robust patch and segmentation practices, particularly relating to network infrastructure:  

• CVE-2025-9177 | Rockwell 1715 EtherNet/IP Comms Module | CVSS 7.7: Vulnerabilities could allow disruption or unauthorized actions. Rockwell provides firmware updates and recommends limiting module access to trusted segments with active monitoring.  

• CVE-2025-10217 | Hitachi Energy Asset Suite | CVSS 6.0: Vulnerabilities could lead to unauthorized access or data manipulation. Applying vendor patches and restricting access are the main mitigations.  

• CVE-2025-20352 | Rockwell Lifecycle Services with Cisco | CVSS 6.3: Lifecycle services integrating Cisco components may expose systems to remote attacks. Updating Cisco elements and hardening configurations is advised. 

• CVE-2025-20352 | Rockwell Stratix Switches | CVSS 6.3: Multiple switch models are affected. Operators should upgrade firmware, segment networks, and disable unused services. 

Foxguard Insight: The CISA advisories for this month identify network infrastructure as a persistent risk vector. In conjunction with segmentation, organizations must restrict administrative access, consistently monitor for anomalous device behavior, and implement vendor remedies. With early discovery and isolation of impacted devices, lateral movement can be prevented, and the risk of operational impact can be minimized. 

Actionable Recommendations  

Based on this month’s advisories, Foxguard recommends the following steps to immediately reduce exposure and strengthen your ICS/OT environment:  

• Patch critical vulnerabilities without delay: Prioritize updates for Siemens UMC, TeleControl Server Basic, and SIMATIC firmware, as well as ABB SDM and Rockwell Ethernet/IP modules. 

• Enforce strong, unique authentication: Replace default credentials, apply strong password policies, and restrict privileged access to critical interfaces across all platforms. 

• Harden network boundaries: Segment critical devices—such as RTUs, switches, and diagnostic managers—from general business networks and public access. 

• Limit system exposure: Disable unused services and restrict access to essential personnel, especially for systems highlighted in CISA advisories. 

• Monitor for signs of exploitation: Establish alerting on authentication failures, privilege escalations, and unexpected resource consumption, especially in user management and network communication modules. 

• Consult vendor-specific hardening guidelines: ABB, Siemens, and others provide tailored recommendations—review and integrate these into your daily operations.  

How Foxguard Can Help  

The October landscape reveals a concerning trend: attackers are not just focusing on core control devices; they are also delving deeper into authentication processes, network infrastructure, and diagnostic interfaces. The growing complexity and interconnectedness of ICS environments indicate that even a minor missed update, or a misconfigured access control can result in serious consequences. 

Foxguard’s integrated toolset and expert services are designed to meet these evolving threats head-on:  

• FOXGUARD DISCOVER: Gain instant clarity into your ICS and OT landscape with a comprehensive solution that maps assets, reveals network connections, and uncovers hidden vulnerabilities—giving you the actionable intelligence needed to strengthen your security posture.   

• FOXGUARD CYBERWATCH: Stay ahead of threats with a unified platform that continuously monitors your assets, identifies vulnerabilities, and guides remediation efforts, helping you maintain compliance and actively reduce cyber risk across your operational environment.   

• FOXGUARD PATCHINTEL: Streamline your patch management process with timely intelligence on security updates, reliable patch availability reporting, and a trusted supply chain that verifies and delivers the right patches for your systems.   

• FOXGUARD DEPLOY: Ensure your critical infrastructure stays protected with a secure, automated patch deployment service designed to efficiently distribute and apply validated updates, minimizing downtime and safeguarding operations.   

• FOXGUARD MANAGED SERVICES: Let Foxguard’s experts take the lead on vulnerability and patch management, delivering ongoing assessment, prioritization, and remediation to keep your ICS and OT environments compliant and resilient. 

Working with Foxguard means your critical infrastructure benefits from both cutting-edge automation and the practical wisdom of analysts who understand the operational realities of ICS and OT. 

Stay Vigilant, Stay Secure  

The advisories released in October give insight into just how quickly new threats can appear, often exploiting the very protocols and systems designed to maintain seamless operations. Effective patch management, the implementation of layered access controls, and the strategic use of network segmentation continue to be your best defenses. With Foxguard as a partner, your team can concentrate on providing safe and reliable operations, all while having the peace of mind that your security measures are continuously monitored and strengthened. 

If you need tailored support or want to learn more about how Foxguard can help you address this month’s vulnerabilities, contact us today. 

Your security is our priority. Stay vigilant and stay protected. 

The post ICS Critical Patch Updates: October 2025  appeared first on Foxguard.