
Sunday, September 21, 2025

CISA Releases Nine Industrial Control Systems Advisories — What OT Operators Must Do Now

By CyberDudeBivash • Last updated: 21 September 2025 (IST)

 


Executive Snapshot

  • What happened: On September 18, 2025, CISA published nine ICS advisories spanning industrial networking, RTUs, asset/service suites, machine vision, fueling systems—and two cross-industry updates. CISA

  • Vendors/products called out: Westermo (WeOS 5), Schneider Electric (Saitel RTUs), Hitachi Energy (Asset Suite & Service Suite), Cognex (In-Sight), Dover Fueling (ProGauge MagLink LX4), plus updates to rail End-of-Train/Head-of-Train protocol and Mitsubishi Electric FA engineering software. CISA

  • Why it matters: Several issues are remotely exploitable with low attack complexity and carry high CVSS, expanding attack paths across energy, water/wastewater, manufacturing, and transportation environments. CISA


The Nine Advisories

| Advisory (ICSA) | Vendor / Product | CVSS | Notable Risk | Notes |
|---|---|---|---|---|
| 25-261-01 | Westermo WeOS 5 | v4 8.7 (also v3.1 7.6 CVE-2025-46418) | OS command injection (CWE-78) | Westermo-25-07 republication. |
| 25-261-02 | Westermo WeOS 5 | v4 8.2 | Improper validation of input | Remotely exploitable. |
| 25-261-03 | Schneider Electric Saitel DR/DP RTU | v4 5.8 | OS command injection → shell command execution | Versions DR ≤11.06.29, DP ≤11.06.33. |
| 25-261-04 | Hitachi Energy Asset Suite | v4 8.7 | SSRF, deserialization, cleartext storage, DoS, open redirect | Asset Suite ≤9.6.4.5 affected. |
| 25-261-05 | Hitachi Energy Service Suite | v4 9.3 (v3.1 9.8 CVE-2020-2883) | Deserialization of untrusted data (WebLogic) | Update to 9.8.2 or latest. |
| 25-261-06 | Cognex In-Sight Explorer / Camera FW | v4 8.6 | Hard-coded password, cleartext transmission, auth bypass, etc. | Remotely exploitable; low complexity. |
| 25-261-07 | Dover Fueling ProGauge MagLink LX4 | v4 9.3 | Integer overflow, hard-coded crypto key, weak creds | Affects LX4, LX4 Plus, LX4 Ultimate. |
| 25-191-10 (Update C) | End-of-Train / Head-of-Train remote linking protocol | v4 7.2 (v3 8.1 CVE-2025-1727) | Weak authentication (RF link) | Not internet-remote; operational disruption risk. |
| 24-030-02 (Update D) | Mitsubishi Electric FA Engineering Software | v3.1 up to 9.8 | Missing auth, unsafe reflection | Broad toolchain impact; patched builds listed. |

Source (all rows): CISA

CISA’s summary “Nine ICS Advisories” page aggregates the above with direct links. Bookmark it for tracking. CISA


90-Minute OT Operator Playbook 

0) Confirm exposure scope
Export your asset inventory for the affected vendors/models/versions (above). Prioritize internet-exposed or inter-zone systems (OT↔IT bridges).

1) Patch/upgrade per vendor guidance

  • Westermo WeOS 5, Schneider Saitel RTU, Hitachi Asset/Service Suite, Cognex In-Sight, Dover MagLink LX4: follow each advisory’s mitigation or upgrade path. Where change windows are tight, apply compensating controls (below). CISA

2) Compensating controls (if patching lags)

  • Network: isolate management interfaces; deny by default; allow-list engineering stations; no internet exposure. CISA

  • Identity: enforce MFA/JIT for vendor access; rotate credentials on systems with hard-coded/weak credentials risks (Cognex, Dover). CISA

  • Protocol path: for EoT/HoT, review RF-link procedures and emergency braking policies; follow AAR/Siemens/Wabtec guidance. CISA

3) Detection & response
Create alerts for:

  • Unexpected config writes, firmware swaps, or service restarts on RTUs/PLC gateways.

  • WebLogic (Hitachi Service Suite) deserialization probes (IIOP/T3). CISA

  • New admin sessions on machine-vision appliances (Cognex) and MagLink LX4 controllers. CISA

4) Prioritize by exploitation status
Map linked CVEs to CISA KEV and treat KEV-listed vulns as mandatory within your SLA; keep an eye on new KEV additions. CISA
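
Step 0 of the playbook, sketched as an added example (not code from CISA or the vendors): it matches an inventory export against the version ceilings in the table above and orders hits by exposure. The CSV columns, exposure labels and sample rows are assumptions; products for which this page lists no version bound are flagged for manual review.

```python
import csv
import io

# Version ceilings as listed in this page's table; None = no bound given on the
# page, so every version goes to manual review against the advisory itself.
AFFECTED = {
    "saitel dr": ("ICSA-25-261-03", "11.06.29"),
    "saitel dp": ("ICSA-25-261-03", "11.06.33"),
    "asset suite": ("ICSA-25-261-04", "9.6.4.5"),
    "weos 5": ("ICSA-25-261-01/-02", None),
    "maglink lx4": ("ICSA-25-261-07", None),
}
# Assumed exposure labels in the export; lower = handle first, unknown label = 0.
PRIORITY = {"internet": 0, "inter-zone": 1, "internal": 2}

def parse_version(text):
    """Dotted numeric version -> tuple of ints, or None if not parseable."""
    parts = text.strip().split(".")
    return tuple(int(p) for p in parts) if all(p.isdecimal() for p in parts) else None

def triage(inventory_csv):
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        hit = AFFECTED.get(row["product"].strip().lower())
        if hit is None:
            continue
        advisory, ceiling = hit
        version = parse_version(row["version"])
        if ceiling is None or version is None:
            status = "review"      # no bound on the page, or unparseable version
        elif version <= parse_version(ceiling):
            status = "affected"
        else:
            continue               # newer than the listed ceiling
        findings.append({"host": row["host"], "advisory": advisory, "status": status,
                         "priority": PRIORITY.get(row["exposure"].strip().lower(), 0)})
    # Most exposed first; within a tier, confirmed-affected before manual review.
    return sorted(findings, key=lambda f: (f["priority"], f["status"]))

# Constructed sample inventory: hosts, versions and exposure labels are made up.
SAMPLE = """host,vendor,product,version,exposure
rtu-sub-01,Schneider Electric,Saitel DR,11.06.29,internal
rtu-sub-02,Schneider Electric,Saitel DP,11.06.34,internal
eam-app-01,Hitachi Energy,Asset Suite,9.6.4,inter-zone
sw-edge-07,Westermo,WeOS 5,5.24.0,internet
atg-site-3,Dover Fueling,MagLink LX4,fw-unknown,internal
"""

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

An unrecognized exposure label sorts to the top on purpose, so a mislabeled asset is looked at first rather than last.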


What Sectors Should Care Most?

  • Electric power & substations (Schneider Saitel RTUs; Hitachi Asset/Service Suite). CISA

  • Manufacturing & industrial automation (Cognex, Mitsubishi FA tools). CISA

  • Fuel retail and logistics (Dover ProGauge MagLink LX4). CISA

  • Transportation (rail) for EoT/HoT RF-link protocol. CISA

  • Industrial networking across water/energy/transport (Westermo WeOS 5). CISA


Key Source Links

  • CISA: “CISA Releases Nine ICS Advisories” (Sept 18, 2025) — master list & links. CISA

  • Westermo WeOS 5 (ICSA-25-261-01 / -02). CISA

  • Schneider Saitel DR/DP RTU (ICSA-25-261-03). CISA

  • Hitachi Energy Asset Suite / Service Suite (ICSA-25-261-04 / -05). CISA

  • Cognex In-Sight (ICSA-25-261-06). CISA

  • Dover ProGauge MagLink LX4 (ICSA-25-261-07). CISA

  • EoT/HoT protocol (Update C) (ICSA-25-191-10). CISA

  • Mitsubishi FA Engineering Software (Update D) (ICSA-24-030-02). CISA

  • CISA KEV Catalog (prioritization). CISA


Affiliate Toolbox 

Affiliate disclosure: If you purchase via the links you add here, we may earn a commission at no extra cost to you. These tools supplement vendor patches—not replace them.

  • Passive OT asset discovery — auto-map WeOS, RTUs, machine-vision devices to speed triage.

  • OT-aware firewalls / segmentation — enforce allow-lists around RTUs and engineering workstations.

  • WebLogic virtual patching/WAF — rules for T3/IIOP deserialization probes while you schedule upgrades.


CyberDudeBivash — Brand & Services

CyberDudeBivash | Cybersecurity, AI & Threat Intelligence Network supports asset owners, OEMs, and integrators with:

  • Rapid advisory triage: mapping advisories to your fleet, change-window plans.

  • OT segmentation sprints: DMZ, jump hosts, unidirectional gateways, allow-list rules.

  • Detection engineering for OT: RTU/PLC config-change detection; MagLink/Cognex login anomaly rules.

  • Board/Regulator reporting: KEV alignment, SLA burn-down, residual risk.

Book a rapid consult: [www.cyberdudebivash.com]

Newsletter: CyberDudeBivash Threat Brief (weekly ICS/OT updates).


FAQs

Is this a confirmed active exploitation event?
CISA advisories are vulnerability reports with mitigations; treat them as action items. Check each CVE against CISA KEV and prioritize anything added there. CISA

What if patching isn’t possible this week?
Isolate affected devices, enforce deny-by-default / allow-listing, lock down remote access (MFA, JIT), and monitor for config changes and unexpected admin logins. Follow vendor-specific mitigations in each advisory. CISA

Are any issues “not internet remote”?
The EoT/HoT RF-link weakness concerns radio-based linking (operational impact), and the advisory notes it’s not exploitable remotely over networks. CISA


Sources

  • CISA: “CISA Releases Nine Industrial Control Systems Advisories” (Sept 18, 2025)—master list. CISA

  • Westermo WeOS 5 — ICSA-25-261-01/-02 (CVSS v4 8.7 / 8.2; OS command injection; input validation). CISA

  • Schneider Saitel DR/DP RTU — ICSA-25-261-03 (CVSS v4 5.8; shell command execution; version bounds). CISA

  • Hitachi Energy Asset Suite — ICSA-25-261-04 (CVSS v4 8.7; SSRF, deserialization, cleartext storage, DoS, open redirect). CISA

  • Hitachi Energy Service Suite — ICSA-25-261-05 (CVSS v4 9.3; WebLogic deserialization; upgrade guidance). CISA

  • Cognex In-Sight — ICSA-25-261-06 (CVSS v4 8.6; hard-coded password, cleartext transmission, auth bypass, etc.). CISA

  • Dover ProGauge MagLink LX4 — ICSA-25-261-07 (CVSS v4 9.3; integer overflow, hard-coded crypto key, weak creds). CISA

  • EoT/HoT remote linking protocol (Update C) — ICSA-25-191-10 (CVSS v4 7.2; weak authentication; operational impact). CISA

  • Mitsubishi FA Engineering Software (Update D) — ICSA-24-030-02 (CVSS v3.1 up to 9.8; missing auth; unsafe reflection). CISA

  • CISA KEV Catalog — prioritization reference. CISA


