
CISA Releases Nine Industrial Control Systems Advisories — What OT Operators Must Do Now
By CyberDudeBivash • Last updated: 21 September 2025 (IST)

 


Executive Snapshot

  • What happened: On September 18, 2025, CISA published nine ICS advisories covering industrial networking, substation RTUs, asset and service management suites, machine vision, and fuel-site tank gauging, plus two updated advisories (rail End-of-Train/Head-of-Train protocol and Mitsubishi Electric FA engineering software).

  • Vendors/products called out: Westermo (WeOS 5, two advisories), Schneider Electric (Saitel DR/DP RTUs), Hitachi Energy (Asset Suite and Service Suite), Cognex (In-Sight Explorer and camera firmware), Dover Fueling Solutions (ProGauge MagLink LX4 family), plus updates to the EoT/HoT remote linking protocol advisory and the Mitsubishi Electric FA Engineering Software advisory.

  • Why it matters: several of the flaws are remotely exploitable with low attack complexity and carry CVSS v4 scores of 8.2 to 9.3, which widens attack paths into energy, water/wastewater, manufacturing, and transportation environments. The Service Suite advisory in particular rests on a 2020 WebLogic deserialization bug (CVE-2020-2883) for which public exploit code exists.


The Nine Advisories

Advisory (ICSA)        | Vendor / Product                                   | CVSS                                 | Notable risk                                                         | Notes
25-261-01              | Westermo WeOS 5                                    | v4 8.7 (v3.1 7.6; CVE-2025-46418)    | OS command injection (CWE-78)                                        | Republication of Westermo advisory Westermo-25-07.
25-261-02              | Westermo WeOS 5                                    | v4 8.2                               | Improper validation of input                                         | Remotely exploitable.
25-261-03              | Schneider Electric Saitel DR / DP RTU              | v4 5.8                               | OS command injection leading to shell command execution              | Affected: Saitel DR <= 11.06.29, Saitel DP <= 11.06.33.
25-261-04              | Hitachi Energy Asset Suite                         | v4 8.7                               | SSRF, deserialization, cleartext storage, DoS, open redirect         | Asset Suite <= 9.6.4.5 affected.
25-261-05              | Hitachi Energy Service Suite                       | v4 9.3 (v3.1 9.8; CVE-2020-2883)     | Deserialization of untrusted data in the bundled Oracle WebLogic     | Update to 9.8.2 or latest.
25-261-06              | Cognex In-Sight Explorer / In-Sight camera firmware| v4 8.6                               | Hard-coded password, cleartext transmission, authentication bypass   | Remotely exploitable; low attack complexity.
25-261-07              | Dover Fueling Solutions ProGauge MagLink LX4       | v4 9.3                               | Integer overflow, hard-coded cryptographic key, weak credentials     | Affects LX4, LX4 Plus, LX4 Ultimate.
25-191-10 (Update C)   | End-of-Train / Head-of-Train remote linking protocol| v4 7.2 (v3.1 8.1; CVE-2025-1727)    | Weak authentication on the RF link                                   | Adjacent (radio-range) attack vector, not network-remote; risk is operational disruption via the braking link.
24-030-02 (Update D)   | Mitsubishi Electric FA Engineering Software        | v3.1 up to 9.8                       | Missing authentication, unsafe reflection                            | Broad engineering-toolchain impact; patched builds listed in the advisory.

CISA’s summary “Nine ICS Advisories” page aggregates the above with direct links. Bookmark it for tracking.


90-Minute OT Operator Playbook 

0) Confirm exposure scope
Export your asset inventory for the affected vendors/models/versions (above). Prioritize internet-exposed or inter-zone systems (OT↔IT bridges).

1) Patch/upgrade per vendor guidance

  • Westermo WeOS 5, Schneider Saitel RTU, Hitachi Asset/Service Suite, Cognex In-Sight, Dover MagLink LX4: follow each advisory’s mitigation or upgrade path. Where change windows are tight, apply the compensating controls below until the patch lands.

2) Compensating controls (if patching lags)

  • Network: isolate management interfaces; deny by default; allow-list engineering stations; no internet exposure.

  • Identity: enforce MFA/JIT for vendor access; rotate credentials on systems flagged for hard-coded or weak credentials (Cognex, Dover).

  • Protocol path: for EoT/HoT, review RF-link procedures and emergency braking policies; follow AAR/Siemens/Wabtec guidance.

3) Detection & response
Create alerts for:

  • Unexpected config writes, firmware swaps, or service restarts on RTUs/PLC gateways.

  • WebLogic (Hitachi Service Suite) deserialization probes over T3/IIOP from sources that are not allow-listed engineering stations.

  • New admin sessions on machine-vision appliances (Cognex) and MagLink LX4 controllers.
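The WebLogic alert above can be built from the opening bytes of each TCP stream: a T3 client announces itself with an ASCII banner (“t3 12.2.1”, then AS:/HL: fields) and an IIOP request starts with the four-byte “GIOP” magic, so either arriving from a host outside the engineering allow-list is a strong signal whatever port it uses. The following is an added example written for this post, not code from CISA, Hitachi Energy or Oracle; the connection records, the Service Suite address 10.50.1.10, the engineering VLAN 10.20.0.0/24 and the stray host 10.99.7.23 are all constructed for the demonstration.

```python
"""Alert on WebLogic T3/IIOP handshakes reaching OT hosts from sources that
are not allow-listed engineering stations.  Sample connection records are
constructed for this example (first client->server payload bytes, as an NSM
sensor or packet capture could supply them)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# A T3 client opens with an ASCII banner such as "t3 12.2.1\nAS:255\nHL:19\n"
# ("t3s" when the variant is TLS-wrapped); IIOP/GIOP messages start with "GIOP".
T3_BANNER = re.compile(rb"^t3s? \d+(?:\.\d+)+\n")
GIOP_MAGIC = b"GIOP"


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    first_bytes: bytes  # first payload bytes sent by the client


def classify_payload(first_bytes: bytes) -> Optional[str]:
    """Return 't3', 'iiop' or None for the opening bytes of a TCP stream."""
    if T3_BANNER.match(first_bytes):
        return "t3"
    if first_bytes.startswith(GIOP_MAGIC):
        return "iiop"
    return None


def detect_weblogic_probes(conns, weblogic_hosts, allowed_sources):
    """T3/IIOP from a non-allow-listed source is an alert: 'high' when aimed
    at a known WebLogic host (Service Suite), 'medium' elsewhere (scanning)."""
    allowed = [ip_network(n) for n in allowed_sources]
    alerts = []
    for c in conns:
        proto = classify_payload(c.first_bytes)
        if proto is None:
            continue  # not a T3 or IIOP handshake (e.g. TLS, HTTP)
        if any(ip_address(c.src) in net for net in allowed):
            continue  # expected engineering/admin traffic
        alerts.append({
            "ts": c.ts, "src": c.src, "dst": c.dst, "dport": c.dport,
            "proto": proto,
            "severity": "high" if c.dst in weblogic_hosts else "medium",
        })
    return alerts


# Constructed sample: 10.50.1.10 hosts Service Suite (WebLogic); 10.20.0.0/24
# is the engineering-station VLAN; 10.99.7.23 is an unexpected IT-side host.
WEBLOGIC_HOSTS = {"10.50.1.10"}
ALLOWED_SOURCES = ["10.20.0.0/24"]
SAMPLE_CONNS = [
    Conn("2025-09-19T08:01:02Z", "10.20.0.5", "10.50.1.10", 7001,
         b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"),          # allow-listed
    Conn("2025-09-19T08:03:11Z", "10.99.7.23", "10.50.1.10", 7001,
         b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"),          # T3 probe
    Conn("2025-09-19T08:03:12Z", "10.99.7.23", "10.50.1.10", 7001,
         b"GIOP\x01\x02\x00\x00\x00\x00\x00\x88"),                # IIOP probe
    Conn("2025-09-19T08:03:14Z", "10.99.7.23", "10.50.1.10", 443,
         b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1"),                # TLS ClientHello
    Conn("2025-09-19T08:04:40Z", "10.99.7.23", "10.50.1.20", 7001,
         b"t3 10.3.6\nAS:255\nHL:19\n\n"),                        # T3 to non-WebLogic host
]

if __name__ == "__main__":
    for alert in detect_weblogic_probes(SAMPLE_CONNS, WEBLOGIC_HOSTS, ALLOWED_SOURCES):
        print(alert)
```

Matching on the handshake rather than on port 7001 catches T3 moved to a non-default port, which scanners try first. The limitation is the encrypted variant: once T3 is wrapped in TLS a passive sensor never sees the banner, so pair this rule with a plain port-based allow-list on the WebLogic listen ports (default 7001/7002) at the OT firewall.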

4) Prioritize by exploitation status
Map linked CVEs to CISA KEV and treat KEV-listed vulns as mandatory within your SLA; keep an eye on new KEV additions.
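Steps 0 and 4 together are a join: inventory rows against the version bounds in the table, then the advisory’s CVEs against the KEV feed. The script below is an added example for this post, not CISA or vendor code. It encodes only the bounds this page states (Saitel DR/DP upper bounds, Asset Suite <= 9.6.4.5, Service Suite fixed in 9.8.2, the three CVE IDs given in the table); where the page gives no bound (WeOS 5) the match is reported for manual review rather than guessed. The inventory rows and the KEV excerpt are constructed, in the real feed’s field names, so the example runs offline; in production replace KEV_SAMPLE with the JSON fetched from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
"""Match an asset inventory against advisory version bounds and rank hits
by CISA KEV membership, then CVSS.  Bounds below are the ones stated in the
advisories table; inventory rows and the KEV excerpt are constructed."""
import json
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    advisory: str
    vendor: str
    product: str
    max_affected: Optional[str] = None  # inclusive upper bound of affected versions
    fixed_in: Optional[str] = None      # first fixed version (exclusive bound)
    cvss4: float = 0.0
    cves: tuple = ()


RULES = [
    Rule("ICSA-25-261-03", "Schneider Electric", "Saitel DR", max_affected="11.06.29", cvss4=5.8),
    Rule("ICSA-25-261-03", "Schneider Electric", "Saitel DP", max_affected="11.06.33", cvss4=5.8),
    Rule("ICSA-25-261-04", "Hitachi Energy", "Asset Suite", max_affected="9.6.4.5", cvss4=8.7),
    Rule("ICSA-25-261-05", "Hitachi Energy", "Service Suite", fixed_in="9.8.2", cvss4=9.3,
         cves=("CVE-2020-2883",)),
    # No version bound is given on this page for WeOS 5: any match goes to REVIEW.
    Rule("ICSA-25-261-01", "Westermo", "WeOS 5", cvss4=8.7, cves=("CVE-2025-46418",)),
]

# Constructed excerpt in the KEV feed's schema (real feed: see lead-in).
KEV_SAMPLE = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2020-2883", "vendorProject": "Oracle", "product": "WebLogic Server"},
  {"cveID": "CVE-2021-44228", "vendorProject": "Apache", "product": "Log4j2"}]}""")

# Constructed inventory rows (asset names and versions are illustrative).
INVENTORY = [
    {"asset": "rtu-sub07-01", "vendor": "Schneider Electric", "product": "Saitel DR", "version": "11.06.29"},
    {"asset": "rtu-sub07-02", "vendor": "Schneider Electric", "product": "Saitel DP", "version": "11.06.34"},
    {"asset": "eam-app-01", "vendor": "Hitachi Energy", "product": "Asset Suite", "version": "9.6.4.10"},
    {"asset": "svc-app-01", "vendor": "Hitachi Energy", "product": "Service Suite", "version": "9.7.1"},
    {"asset": "sw-ring-03", "vendor": "Westermo", "product": "WeOS 5", "version": "5.23.0"},
]


def parse_version(text: str) -> tuple:
    """Numeric tuple so that 9.6.4.10 > 9.6.4.5 and 11.06.29 == 11.6.29;
    plain string comparison gets both of these wrong."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_affected(rule: Rule, version: str) -> Optional[bool]:
    """True/False against the rule's bound; None when no bound is encoded."""
    v = parse_version(version)
    if rule.fixed_in is not None:
        return v < parse_version(rule.fixed_in)
    if rule.max_affected is not None:
        return v <= parse_version(rule.max_affected)
    return None


def load_kev(feed: dict) -> set:
    return {entry["cveID"] for entry in feed["vulnerabilities"]}


def triage(inventory, rules, kev_cves):
    """P1 = affected and KEV-listed; P2 = affected with CVSS v4 >= 8.0;
    P3 = other affected; REVIEW = product matched but no bound encoded."""
    findings = []
    for asset in inventory:
        for rule in rules:
            key = (asset["vendor"].lower(), asset["product"].lower())
            if key != (rule.vendor.lower(), rule.product.lower()):
                continue
            hit = is_affected(rule, asset["version"])
            if hit is False:
                continue
            in_kev = sorted(set(rule.cves) & kev_cves)
            if hit is None:
                priority = "REVIEW"
            elif in_kev:
                priority = "P1"
            elif rule.cvss4 >= 8.0:
                priority = "P2"
            else:
                priority = "P3"
            findings.append({"asset": asset["asset"], "advisory": rule.advisory,
                             "version": asset["version"], "priority": priority, "kev": in_kev})
    # Unknown bounds sort right after P1 so they are not buried under P3s.
    order = {"P1": 0, "REVIEW": 1, "P2": 2, "P3": 3}
    return sorted(findings, key=lambda f: (order[f["priority"]], f["asset"]))


if __name__ == "__main__":
    for finding in triage(INVENTORY, RULES, load_kev(KEV_SAMPLE)):
        print(finding)
```

The two rows that do not appear in the output are the point of the version parser: Saitel DP 11.06.34 sits one build above the stated bound, and Asset Suite 9.6.4.10 is newer than 9.6.4.5 even though a string compare would rank it lower. Re-run the join whenever the KEV feed changes; a P3 becomes a P1 the day its CVE is added.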


What Sectors Should Care Most?

  • Electric power & substations (Schneider Saitel RTUs; Hitachi Asset/Service Suite).

  • Manufacturing & industrial automation (Cognex, Mitsubishi FA tools).

  • Fuel retail and logistics (Dover ProGauge MagLink LX4).

  • Transportation (rail) for the EoT/HoT RF-link protocol.

  • Industrial networking across water/energy/transport (Westermo WeOS 5).


Key Source Links

  • CISA: “CISA Releases Nine ICS Advisories” (Sept 18, 2025) — master list & links.

  • Westermo WeOS 5 (ICSA-25-261-01 / -02).

  • Schneider Saitel DR/DP RTU (ICSA-25-261-03).

  • Hitachi Energy Asset Suite / Service Suite (ICSA-25-261-04 / -05).

  • Cognex In-Sight (ICSA-25-261-06).

  • Dover ProGauge MagLink LX4 (ICSA-25-261-07).

  • EoT/HoT protocol (Update C) (ICSA-25-191-10).

  • Mitsubishi FA Engineering Software (Update D) (ICSA-24-030-02).

  • CISA KEV Catalog (prioritization).


Affiliate Toolbox 

Affiliate disclosure: If you purchase via the links here, we may earn a commission at no extra cost to you. These tools supplement vendor patches; they do not replace them.

  • Passive OT asset discovery — auto-map WeOS, RTUs, machine-vision devices to speed triage.

  • OT-aware firewalls / segmentation — enforce allow-lists around RTUs and engineering workstations.

  • WebLogic virtual patching/WAF — rules for T3/IIOP deserialization probes while you schedule upgrades.


CyberDudeBivash — Brand & Services

CyberDudeBivash | Cybersecurity, AI & Threat Intelligence Network supports asset owners, OEMs, and integrators with:

  • Rapid advisory triage: mapping advisories to your fleet, change-window plans.

  • OT segmentation sprints: DMZ, jump hosts, unidirectional gateways, allow-list rules.

  • Detection engineering for OT: RTU/PLC config-change detection; MagLink/Cognex login anomaly rules.

  • Board/Regulator reporting: KEV alignment, SLA burn-down, residual risk.

Book a rapid consult: www.cyberdudebivash.com
Newsletter: CyberDudeBivash Threat Brief (weekly ICS/OT updates).


FAQs

Is this a confirmed active exploitation event?
CISA advisories are vulnerability reports with mitigations, not incident notifications; treat them as action items. Check each CVE against CISA KEV and prioritize anything listed there. Start with CVE-2020-2883, the WebLogic deserialization flaw behind the Service Suite advisory: it is a 2020 bug with public exploit code, so exposure there should be treated as already-targeted.

What if patching isn’t possible this week?
Isolate affected devices, enforce deny-by-default / allow-listing, lock down remote access (MFA, JIT), and monitor for config changes and unexpected admin logins. Follow the vendor-specific mitigations in each advisory.

Are any issues “not internet remote”?
Yes. The EoT/HoT weakness is in the authentication of the radio link between the end-of-train and head-of-train devices, so the attack vector is adjacent (an attacker within RF range), not a network-reachable service; the impact is operational, such as unauthorized commands over the braking link, rather than remote code execution.


Sources

  • CISA: “CISA Releases Nine Industrial Control Systems Advisories” (Sept 18, 2025) — master list.

  • Westermo WeOS 5 — ICSA-25-261-01 / -02 (CVSS v4 8.7 / 8.2; OS command injection; input validation).

  • Schneider Saitel DR/DP RTU — ICSA-25-261-03 (CVSS v4 5.8; shell command execution; version bounds).

  • Hitachi Energy Asset Suite — ICSA-25-261-04 (CVSS v4 8.7; SSRF, deserialization, cleartext storage, DoS, open redirect).

  • Hitachi Energy Service Suite — ICSA-25-261-05 (CVSS v4 9.3; WebLogic deserialization, CVE-2020-2883; upgrade guidance).

  • Cognex In-Sight — ICSA-25-261-06 (CVSS v4 8.6; hard-coded password, cleartext transmission, authentication bypass).

  • Dover ProGauge MagLink LX4 — ICSA-25-261-07 (CVSS v4 9.3; integer overflow, hard-coded cryptographic key, weak credentials).

  • EoT/HoT remote linking protocol (Update C) — ICSA-25-191-10 (CVSS v4 7.2; weak authentication; operational impact).

  • Mitsubishi FA Engineering Software (Update D) — ICSA-24-030-02 (CVSS v3.1 up to 9.8; missing authentication; unsafe reflection).

  • CISA KEV Catalog — prioritization reference.



#CyberDudeBivash #CISA #ICS #OTSecurity #Energy #Water #Manufacturing #Rail #Westermo #SchneiderElectric #HitachiEnergy #Cognex #DoverFueling #MitsubishiElectric #KEV


  Executive Summary The Gentlemen Ransomware group has quickly evolved into one of the most dangerous cybercrime collectives in 2025. First spotted in August 2025 , the group has targeted victims across 17+ countries with a strong focus on SMBs (small- and medium-sized businesses) . Their attack chain starts with phishing lures and ends with full-scale ransomware deployment that cripples organizations. CyberDudeBivash assesses that Gentlemen Ransomware’s tactics—including the abuse of signed drivers, PsExec-based lateral movement, and domain admin escalation —make it a critical threat for SMBs that often lack robust cyber defenses. Attack Lifecycle 1. Initial Access via Phishing Crafted phishing emails impersonating vendors, payroll systems, and invoice alerts. Credential harvesting via fake Microsoft 365 login pages . Exploitation of exposed services with weak authentication. 2. Reconnaissance & Scanning Use of Advanced IP Scanner to map networks. ...