CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog — an archival Microsoft PowerPoint code-injection flaw (CVE-2009-0556) and a newly disclosed, critical HPE OneView code-injection/remote-code-execution vulnerability (CVE-2025-37164) — citing evidence of...
CISA has published an Industrial Control Systems advisory that consolidates vendor fixes and concrete mitigation guidance for a deserialization vulnerability in Schneider Electric’s EcoStruxure Power Monitoring Expert (PME), tracked as CVE-2024-9005, and operators running PME 2022 and earlier...
CISA’s latest consolidated bulletin parcels out nine Industrial Control Systems (ICS) advisories that expose a familiar — and escalating — set of risks: remotely exploitable firmware and protocol flaws, weak authentication and hard-coded credentials, and insecure management interfaces that...
Mitsubishi Electric’s GT Designer3 — the engineering suite used to build and transfer HMIs for GOT series panels — remains in the crosshairs of ICS security teams after coordinated disclosures and multiple CISA advisories identified serious weaknesses in GT Designer3, the associated GT SoftGOT...
CISA added a Google Chromium vulnerability — tracked as CVE‑2025‑14174 — to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation, marking the flaw as an urgent remediation priority for federal agencies and a high‑priority patching signal for enterprise...
CISA has added a GeoServer XML External Entity (XXE) flaw — tracked as CVE-2025-58360 — to its Known Exploited Vulnerabilities (KEV) catalog, elevating the bug from a vendor patch notice to an operational priority for federal agencies and an urgent remediation signal for the wider community...
CISA’s January 16, 2025 bulletin that released twelve new Industrial Control Systems (ICS) advisories is a blunt reminder that attackers continue to find and weaponize weaknesses in the hardware and software that run critical infrastructure, and that operators must prioritize patching...
A cluster of India‑deployed CCTV cameras from three vendors has been flagged in a CISA industrial‑control‑systems advisory for a missing authentication defect that can disclose configuration data and account credentials — a vulnerability tracked as CVE‑2025‑13607 and scored in the high‑severity...
CISA has again pushed a fresh set of Industrial Control Systems (ICS) advisories into the wild, emphasizing the continuing frequency and severity of vulnerabilities found in operational-technology products used across power, manufacturing, building automation, and transportation...
CISA announced this week that it has added two additional vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2022-37055, a buffer overflow affecting certain D‑Link router models, and CVE-2025-66644, an OS command‑injection flaw in Array Networks ArrayOS AG gateways. Both...
Johnson Controls has warned that a certificate-handling flaw in several iSTAR door‑controller families can leave panels unable to restore host communication after the default TLS certificate expires — a failure that impacts availability rather than enabling obvious data theft, but which...
Johnson Controls has reported a vulnerability in the OpenBlue Mobile Web Application for OpenBlue Workplace — tracked as CVE‑2025‑26381 — that allows direct request (commonly called “forced browsing”) exploitation leading to unauthorized access to sensitive information; Johnson Controls...
Advantech’s iView — a widely deployed industrial video monitoring and management platform — is the subject of a fresh, high‑priority coordinated advisory that catalogs multiple remote, authenticated and (in some cases) authenticated‑low‑privilege vulnerabilities that can lead to SQL injection...
CISA’s addition of an OpenPLC ScadaBR vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog puts industrial control system defenders back on high alert: the flaw—reported in 2021 as an “unrestricted upload of file with dangerous type” that permits upload and execution of arbitrary...
CISA’s latest update to the Known Exploited Vulnerabilities (KEV) Catalog spotlights a growing problem at the intersection of mobile security and enterprise risk: an Android Framework information-disclosure bug tracked as CVE-2025-48633 has surfaced in real-world attacks, and the federal KEV...
CISA’s latest consolidated advisory package is a stark reminder that industrial control systems (ICS) remain a high‑value target for attackers and a bridge between operational technology (OT) and enterprise IT — the agency published a bundle of seven ICS advisories that name multiple widely...
Ashlar‑Vellum’s Cobalt family and related products were disclosed as containing multiple high‑impact memory‑safety vulnerabilities that can lead to information disclosure and arbitrary code execution; operators must treat these defects as urgent and update to vendor‑supplied builds or apply...
CISA’s latest advisory confirms that the agency has added another entry to its Known Exploited Vulnerabilities (KEV) Catalog — a move that again forces federal agencies to prioritize remediation and gives every organization a practical alarm bell for urgent patching and detection work. The...
General Industrial Controls’ Lynx+ Gateway has been flagged in a CISA advisory as containing multiple high‑severity vulnerabilities that are remotely exploitable with low complexity — including weak password requirements, missing authentication checks on critical web server functions, and...
CISA published four new Industrial Control Systems advisories on June 10, 2025, flagging high‑severity flaws in four widely used products — SinoTrack GPS receiver devices, Hitachi Energy Relion protection relays and SAM600‑IO I/O modules, MicroDicom DICOM Viewer, and the Assured Telematics (ATI)...