CISA’s August 12 advisory roll-up catalogs seven Industrial Control Systems (ICS) security alerts — spanning building automation, power monitoring, OT data integrators, legacy web apps, rail telemetry, CAD/CAM tooling, and medical imaging servers — and signals that operators must act now to reconcile patches, mitigations, and operational constraints across a heterogeneous OT estate.

Background

CISA’s regular ICS advisory bulletins aggregate vendor disclosures, assigned CVEs, technical details, and mitigations into an operationally-focused briefing for asset owners and security teams. The August 12, 2025 release lists the following advisories: ICSA-25-224-01 (Ashlar‑Vellum), ICSA-25-224-02 (Johnson Controls iSTAR family), ICSA-25-224-03 (Schneider Electric EcoStruxure Power Monitoring Expert), ICSA-25-224-04 (AVEVA PI Integrator), plus three related entries: ICSA-24-263-04 (MegaSys Telenium Online — Update A), ICSA-25-191-10 (End-of-Train / Head-of-Train Remote Linking Protocol — Update A), and ICSMA-25-224-01 (Santesoft Sante PACS Server). The roll-up encourages review of technical advisories and the immediate application of vendor guidance.
This article dissects each advisory, verifies technical claims against vendor and third‑party sources where available, highlights practical mitigations, and assesses systemic risks for Windows-centric and OT‑centric environments alike.

Executive summary of technical risk

  • Several advisories describe remote-exploitable vulnerabilities with moderate-to-high CVSS scores, including vulnerabilities that may yield remote code execution or data disclosure.
  • At least one advisory (End‑of‑Train / Head‑of‑Train protocol) identifies a protocol-level weak authentication affecting a safety‑critical rail telemetry standard; this one is not fixable by a simple patch and requires standards and hardware replacement planning. (cisa.gov, industrialcyber.co)
  • Multiple advisories either affect Windows‑hosted server software or Windows tools used to manage devices (e.g., configuration utilities), increasing the likelihood of cross‑domain exposure where OT and IT networks intersect. (cisa.gov, tenable.com)

Advisory deep dives

AVEVA — PI Integrator (ICSA-25-224-04)

What CISA reports

CISA documents two vulnerabilities in PI Integrator for Business Analytics (versions 2020 R2 SP1 and prior): an Unrestricted Upload of File with Dangerous Type (CVE‑2025‑54460) and Insertion of Sensitive Information into Sent Data (CVE‑2025‑41415). Both carry CVSSv4 scores near 7.1 and are flagged as remotely exploitable with low attack complexity. CISA warns that exploitation could lead to information disclosure or to the upload of a file that may then be executed.

Verification and vendor guidance

AVEVA’s published mitigation is straightforward: upgrade to PI Integrator 2020 R2 SP2 or later and audit user permissions for publication targets; the vendor and CISA also recommend limiting output file extensions and isolating publish targets from executable paths. CISA additionally suggests standard OT defensive measures (segmentation, minimized exposure). The advisory lists the original reporters (Michelin CERT researchers).

Risk assessment

PI Integrator runs in OT/IT bridging roles — ingesting PI (OSIsoft) streams and exporting to analytics targets. Allowing unrestricted uploads or leaking sensitive connectors/credentials elevates both information disclosure risk and supply chain exposure for downstream analytics environments. Organizations should prioritize the upgrade where integrators or data outputs are internet‑reachable or accessible from broad network segments.

Schneider Electric — EcoStruxure Power Monitoring Expert (ICSA-25-224-03)

What CISA reports

Schneider Electric’s EcoStruxure Power Monitoring Expert (PME) advisory identifies a deserialization-of-untrusted-data vulnerability that can lead to remote code execution. CISA lists the affected versions as PME 2022 and PME 2021 and prior, and assigns the issue a CVSSv4 score of approximately 7.3.

Verification and corroboration

CISA’s PME advisory (Update B) documents CVE‑2024‑9005 and references Schneider Electric’s own CPCERT report and vendor hotfix guidance (hotfixes are available for supported versions). Independent coverage and Schneider’s public advisories confirm vendor-provided hotfixes and EoL notices for older versions; operators running PME 2021 or earlier should consider immediate upgrades or compensating controls.

Risk assessment

Power monitoring software sits close to energy management and grid telemetry. Remote code execution against PME can enable false telemetry, manipulation of meter data, or denial of monitoring capability — each with direct operational and financial impact. Given PME’s presence in commercial and industrial sites, prioritize patch testing in staging and then deployment during maintenance windows.

Johnson Controls — iSTAR family (ICSA-25-224-02)

What CISA lists

The roll-up includes Johnson Controls’ iSTAR Ultra / Ultra SE / Ultra G2 / Edge G2 family. These devices and their associated utilities have repeatedly appeared in CISA advisories because of authentication and utility flaws; CISA’s bulletin references Johnson Controls as the vendor. (cisa.gov, johnsoncontrols.com)

Verification and background

Johnson Controls has multiple product security advisories dating through 2024–2025 covering iSTAR door controllers and the iSTAR Configuration Utility (ICU). Some advisories indicate missing authentication, stack overflows, or uninitialized variables in the ICU that affect Windows hosts. Vendor guidance repeatedly recommends firmware updates (for Ultra/Ultra LT series) and replacement strategies for end‑of‑life controllers.

Risk assessment

Building access controllers are high‑value targets. Vulnerabilities that enable unauthorized configuration or compromise the Windows workstation used for configuration (ICU) can lead to physical access bypass and lateral movement into enterprise networks. Remediation priorities: confirm firmware baseline, update ICU on Windows machines, and enforce strict network segmentation between access control systems and general IT networks.

Ashlar‑Vellum — Cobalt / Graphite / Xenon / Argon / Lithium / Cobalt Share (ICSA‑25‑224‑01)

What CISA and NVD report

CISA has historically reported multiple memory‑safety flaws in Ashlar‑Vellum desktop tooling (Cobalt, Graphite, etc.) that can lead to arbitrary code execution when users open purposely crafted CAD files. NIST/NVD records show CVE entries related to file parsing buffer overflows and type confusion. While many of these require user interaction (open a malicious file), the impact is execution on the user’s host. (cisa.gov, nvd.nist.gov)

Risk assessment

CAD/CAM tools often run on Windows workstations; their compromise can lead to IP theft and supply chain insertion (corrupt design files). Protecting this class of software requires user awareness, strict handling of external files, and application whitelisting on engineering workstations.

MegaSys Computer Technologies — Telenium Online Web Application (ICSA‑24‑263‑04, Update A)

What CISA reports

MegaSys’ Telenium Online Web Application (versions 8.3 and prior) is flagged for improper input validation that allows Perl code injection via crafted HTTP requests (CVE‑2024‑6404); CISA rates the CVSS score as very high (above 9). MegaSys lists patched versions (v7.4.72 and v8.3.36) as the remediation.

Risk assessment

Telenium is used as a communications/web portal in multiple deployments. A remote code execution vulnerability in a web application is a high priority — immediate patching, isolating the administrative interface, and blocking public accessibility are necessary compensations when patch deployment requires testing.

End‑of‑Train and Head‑of‑Train Remote Linking Protocol (ICSA‑25‑191‑10)

What CISA reports

CISA’s advisory documents a weak authentication flaw in the remote linking protocol used by End‑of‑Train (EoT) and Head‑of‑Train (HoT) telemetry devices. The protocol’s reliance on a simple BCH checksum enables adversaries with radio access or software-defined radio (SDR) capability to construct packets and potentially issue brake commands to EoT devices. CISA assigns CVE‑2025‑1727 and flags it as a safety‑critical vulnerability affecting the U.S. rail sector.
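The core of this advisory (and of the CWE‑1390 "weak authentication" theme later in this article) is that a checksum proves a frame was not corrupted, not that it came from an authorised endpoint. The following is an added example, not code from the article, from CISA or from any rail standard, and it does not model the EoT/HoT packet format (which the article does not describe). It contrasts two receivers for the same constructed telemetry payload: one that only verifies a CRC‑32 (standing in for the simple checksum the advisory describes) and one that verifies an HMAC under a shared key. The key, payload and function names are all assumptions for the demo.

```python
"""An integrity checksum is not an authentication mechanism.

Added example, not code from the article or from any rail standard, and it
does not model the EoT/HoT packet format (the article does not describe it).
It contrasts two receivers for the same constructed telemetry payload: one
that only verifies a CRC-32 checksum (standing in for the simple checksum the
advisory describes) and one that verifies an HMAC under a shared key.
"""
import hashlib
import hmac
import zlib

SHARED_KEY = b"constructed-demo-key-change-me"  # held by legitimate endpoints only
MAC_LEN = hashlib.sha256().digest_size          # 32 bytes


def frame_with_checksum(payload: bytes) -> bytes:
    """Append a 4-byte CRC-32: computable by anyone who knows the algorithm."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")


def frame_with_mac(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag: computable only by holders of the key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def receive_checksum_only(frame: bytes):
    """Return the payload if the CRC matches, else None. Detects corruption only."""
    if len(frame) < 4:
        return None
    payload, tag = frame[:-4], frame[-4:]
    if zlib.crc32(payload).to_bytes(4, "big") != tag:
        return None
    return payload


def receive_with_mac(frame: bytes, key: bytes):
    """Return the payload if the HMAC verifies, else None.

    compare_digest is used so verification time does not depend on where the
    first mismatching byte is.
    """
    if len(frame) < MAC_LEN:
        return None
    payload, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


def demo() -> dict:
    """Exercise both receivers with constructed frames and return the outcomes."""
    payload = b"telemetry=constructed-sample"
    # Frames built by an endpoint that holds the shared key.
    ok_checksum = frame_with_checksum(payload)
    ok_mac = frame_with_mac(payload, SHARED_KEY)
    # A frame built by a party that does not hold the key: it can still produce
    # a correct checksum, because the checksum needs no secret, but it cannot
    # produce the right MAC.
    other_checksum = frame_with_checksum(payload)
    other_mac = frame_with_mac(payload, b"not-the-shared-key")
    # A frame corrupted on the wire: both mechanisms catch this case.
    corrupted = bytes([ok_checksum[0] ^ 0xFF]) + ok_checksum[1:]
    return {
        "checksum_accepts_keyholder": receive_checksum_only(ok_checksum) == payload,
        "checksum_accepts_non_keyholder": receive_checksum_only(other_checksum) == payload,
        "checksum_rejects_corruption": receive_checksum_only(corrupted) is None,
        "mac_accepts_keyholder": receive_with_mac(ok_mac, SHARED_KEY) == payload,
        "mac_rejects_non_keyholder": receive_with_mac(other_mac, SHARED_KEY) is None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:<34} {result}")
```

Running it shows every check returning True: the checksum‑only receiver accepts a well‑formed frame regardless of who built it, which is exactly why this class of weakness cannot be closed by filtering or monitoring alone and ends up requiring a keyed protocol at the standards level. Note also that a MAC alone does not stop replay of a previously captured valid frame; a real redesign would add a sequence counter or timestamp under the MAC.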

Verification and industry context

Independent reporting and rail‑industry commentary corroborate that this is a standards‑level weakness: remediation requires protocol replacement and equipment refresh, and industry committees (AAR / RESC) are engaged to define long‑term fixes. Short‑term mitigations are operational — tighter physical and RF security, monitoring for anomalous packets, and limiting remote linkage where feasible. (industrialcyber.co, mbgsec.com)

Risk assessment

This advisory is distinct: it touches safety‑critical functions where exploitation could create physical harm. The remediation path is multi‑year and involves standards bodies and OEM firmware/hardware replacement, so risk management must combine immediate mitigations (detection, RF monitoring, operational change) with phased capital planning.

Santesoft — Sante PACS Server (ICSMA‑25‑224‑01)

What CISA and third parties report

Santesoft’s Sante PACS Server (a medical imaging archive and viewer) is flagged by CISA’s medical advisory channel and by vendors and researchers for multiple vulnerabilities, including stack‑based buffer overflows, path traversal, and SHA1 hash truncation issues that can weaken stored authentication credentials and enable file retrieval. Public advisories (MS‑ISAC, Tenable) document the CVEs and note patched versions (upgrade to 4.2.0 or later). (cisecurity.org, tenable.com)

Risk assessment

PACS servers store PHI and imaging data; vulnerabilities enabling remote file retrieval or RCE pose both patient privacy and availability risks. Medical IT teams must treat these advisories as high priority, coordinate with clinical engineering, and follow disclosure timelines strictly while preserving patient continuity.

Cross‑cutting themes and verification

  • Authentication and input validation defects remain the dominant class of flaws across these advisories. CISA and vendor pages repeatedly call out CWE categories such as CWE‑434 (unrestricted file upload), CWE‑502 (deserialization), CWE‑20 (improper input validation), and CWE‑1390 (weak authentication). These are confirmed across advisory pages and CVE/NVD entries.
  • Several advisories reflect the same operational reality: patches exist but operational constraints slow deployment. CISA’s recommended compensating controls (network segmentation, minimize exposure, firewalls, secure VPNs only when required) are consistent in every advisory and echoed by vendor guidance.
  • For the most safety‑critical vector (EoT/HoT), the fix is standards‑level and not a simple patch — multiple independent reports confirm this and note a longer remediation timeline. (cisa.gov, industrialcyber.co)

Practical mitigation checklist (prioritized)

  • Inventory and map exposures
        • Enumerate all instances of the affected products and versions (PI Integrator, PME, iSTAR family, Telenium, Sante PACS, Ashlar‑Vellum installations, EoT/HoT devices).
        • Identify which of these are reachable from business networks or the Internet.
  • Apply vendor updates where available
        • AVEVA: upgrade PI Integrator to 2020 R2 SP2 or higher.
        • Schneider: apply PME hotfixes (contact Schneider support for Hotfix_75031_PME2022 or vendor guidance).
        • MegaSys: ensure Telenium is on patched versions (v7.4.72 / v8.3.36).
        • Santesoft: upgrade PACS server to 4.2.0 or later per Tenable/MS‑ISAC guidance. (tenable.com, cisecurity.org)
  • Compensating controls when patching is delayed
        • Isolate affected systems in segmented VLANs with strict ACLs.
        • Implement application allow‑lists on Windows hosts used for configuration (e.g., ICU) and engineering workstations (CAD/CAM tools).
        • Block public access to administrative interfaces; use jump hosts and bastions for management.
        • Monitor for post‑patch regressions in test environments before production deployment.
  • Detection and logging
        • Tune OT‑aware IDS/IPS sensors for anomalies in application behavior and protocol misuse (especially radio/SDR traffic for EoT/HoT).
        • Centralize logging from gateway devices and Windows configuration hosts; configure alerts for unexpected file writes, database exfiltration attempts, or large uploads.
  • Operational and procedural
        • Develop incident response procedures that include OT‑specific containment (isolate PLC segments, fail‑safe control modes).
        • Coordinate with vendors on the disclosure and testing of proof‑of‑concept exploits.
        • For safety‑critical devices (trains), coordinate with standards bodies and regulators early; include operational mitigations (manual safety checks, RF monitoring).

Notable strengths of CISA’s advisory program

  • Consolidated, practical guidance: CISA consolidates vendor details, CVE assignments, CVSS scores, and prioritized mitigations into actionable advisories targeted at both technical and operational audiences. This reduces ambiguity for asset owners.
  • Cross‑sector visibility: Advisories span critical sectors (energy, manufacturing, transportation, healthcare), ensuring that defenders across disciplines are alerted to overlapping risks and can coordinate mitigation strategies.
  • Vendor coordination: Many advisories arise from coordinated disclosure with vendors and third‑party researchers, and CISA’s advisory pages frequently point to vendor updates and hotfixes as the primary remediation path.

Persistent gaps and risk drivers

  • Patch deployment friction in OT: Testing windows, uptime constraints, and regulatory processes mean patches can linger in “staging” long after they are released. This is a structural problem for OT security.
  • Legacy and end‑of‑life systems: Several advisories indicate affected versions that are at or near end‑of‑life, leaving operators with limited upgrade paths or costly replacement decisions.
  • Standards‑level vulnerabilities: Protocol weaknesses (e.g., EoT/HoT) that require re‑engineering of standards and equipment introduce long remediation horizons and necessitate interim operational controls.

Recommendations for Windows administrators and SOC teams

  • Treat Windows hosts used for ICS configuration (e.g., Johnson Controls ICU, engineering workstations) as high‑risk assets: enforce strict patching, application whitelisting, host‑based EDR, and privileged access management.
  • Maintain an up‑to‑date software bill of materials (SBOM) for OT assets that interface with Windows servers, and prioritize patching by exposure (internet reachable > business network reachable > isolated).
  • Integrate CISA advisory parsing into vulnerability management workflows: map CVEs to internal assets, assign risk owners, and schedule prioritized remediation sprints.
  • Where vendor patches are unavailable or cannot be applied quickly, implement network controls and monitoring, and escalate to executive decision makers for funding of replacements if devices are EoL.
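The "inventory and map exposures" step of the checklist above and the recommendation to fold advisory parsing into vulnerability management (map CVEs to assets, assign owners, order the work by exposure) are easy to state and tedious to do by hand. The following added example, which is not code from the article, from CISA or from any of the vendors, shows one way to automate the join. The advisory rows are transcribed from this roll‑up (the two advisories for which the article gives no version information, iSTAR and Ashlar‑Vellum, are left out); the asset inventory, hostnames, version strings, exposure labels and owner names are constructed sample data; and the per‑product version predicates are simplified stand‑ins for the vendors' own affected‑version lists, not an authoritative encoding of them.

```python
"""Triage CISA ICS advisories against an asset inventory.

Added example, not code from the article, from CISA, or from any vendor.
The advisory rows are transcribed from the roll-up the article discusses;
the asset inventory (hostnames, versions, exposure labels, owners) is
constructed sample data, and the version predicates are simplified
stand-ins for the vendors' own affected-version lists.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Exposure tiers in the order the article gives them:
# internet reachable > business network reachable > isolated.
EXPOSURE_WEIGHT = {"internet": 3, "business": 2, "isolated": 1}

# An advisory that cites no CVSS score is ranked as if it were 10.0, so an
# unknown score can never push a finding down the queue.
UNKNOWN_CVSS = 10.0


def dotted(version: str) -> tuple:
    """Parse a dotted numeric version string: '8.3.12' -> (8, 3, 12)."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    cves: tuple
    cvss: Optional[float]            # highest score the advisory cites; None if the article gives none
    remediation: str                 # vendor fix as stated in the article
    patchable: bool                  # False where the fix is standards- or hardware-level
    affected: Callable[[str], bool]  # version predicate (simplified; see module docstring)


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str
    exposure: str  # key of EXPOSURE_WEIGHT
    owner: str     # risk owner the finding is assigned to


ADVISORIES = [
    Advisory("ICSA-25-224-04", "AVEVA PI Integrator",
             ("CVE-2025-54460", "CVE-2025-41415"), 7.1,
             "upgrade to PI Integrator 2020 R2 SP2 or later", True,
             lambda v: v in {"2020 R2 SP1", "2020 R2"}),        # '2020 R2 SP1 and prior'; constructed list
    Advisory("ICSA-25-224-03", "Schneider EcoStruxure PME",
             ("CVE-2024-9005",), 7.3,
             "apply Schneider hotfix or upgrade", True,
             lambda v: v in {"2022", "2021", "2020"}),           # 'PME 2022 and 2021/prior'; constructed list
    Advisory("ICSA-24-263-04", "MegaSys Telenium Online",
             ("CVE-2024-6404",), 9.0,                             # article says '>9'; 9.0 used as the floor
             "upgrade to v7.4.72 or v8.3.36", True,
             lambda v: dotted(v) < (7, 4, 72) or (7, 5) <= dotted(v) < (8, 3, 36)),
    Advisory("ICSMA-25-224-01", "Santesoft Sante PACS Server",
             (), None,                                            # article lists no CVE IDs or score
             "upgrade to 4.2.0 or later", True,
             lambda v: dotted(v) < (4, 2, 0)),
    Advisory("ICSA-25-191-10", "EoT/HoT Remote Linking Protocol",
             ("CVE-2025-1727",), None,
             "protocol/equipment replacement; interim RF monitoring", False,
             lambda v: True),                                     # every fielded device is affected
]

# Constructed inventory; pi-int-02 is already on the fixed release.
SAMPLE_INVENTORY = [
    Asset("pi-int-01", "AVEVA PI Integrator", "2020 R2 SP1", "business", "ot-data-team"),
    Asset("pi-int-02", "AVEVA PI Integrator", "2020 R2 SP2", "business", "ot-data-team"),
    Asset("pme-site-a", "Schneider EcoStruxure PME", "2021", "isolated", "facilities"),
    Asset("telenium-web", "MegaSys Telenium Online", "8.3.12", "internet", "comms-team"),
    Asset("pacs-01", "Santesoft Sante PACS Server", "4.1.0", "business", "clinical-eng"),
    Asset("eot-fleet", "EoT/HoT Remote Linking Protocol", "n/a", "isolated", "rail-ops"),
]


def _rank(finding: dict) -> tuple:
    """Sort key: exposure tier first, then CVSS (unknown counts as 10.0), highest first."""
    cvss = finding["cvss"] if finding["cvss"] is not None else UNKNOWN_CVSS
    return (-EXPOSURE_WEIGHT[finding["exposure"]], -cvss)


def triage(assets, advisories=ADVISORIES):
    """Join assets to the advisories that affect them and split the findings.

    Returns (patch_queue, controls_queue). patch_queue is ordered by exposure
    tier, then CVSS, highest first, and is the input to a remediation sprint;
    controls_queue holds findings whose advisory has no patch and therefore
    needs compensating controls and capital planning instead.
    """
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product == asset.product and adv.affected(asset.version):
                findings.append({
                    "host": asset.hostname, "owner": asset.owner,
                    "advisory": adv.advisory_id, "cves": adv.cves,
                    "exposure": asset.exposure, "cvss": adv.cvss,
                    "action": adv.remediation, "patchable": adv.patchable,
                })
    findings.sort(key=_rank)
    patch_queue = [f for f in findings if f["patchable"]]
    controls_queue = [f for f in findings if not f["patchable"]]
    return patch_queue, controls_queue


if __name__ == "__main__":
    patches, controls = triage(SAMPLE_INVENTORY)
    for n, f in enumerate(patches, 1):
        print(f"{n}. {f['host']:<13} {f['exposure']:<9} {f['advisory']} -> {f['action']} (owner: {f['owner']})")
    for f in controls:
        print(f"controls: {f['host']:<13} {f['advisory']} -> {f['action']} (owner: {f['owner']})")
```

On the sample inventory the patch sprint comes out as telenium-web (internet‑reachable, CVSS above 9), then pacs-01 and pi-int-01 (both business‑reachable; the PACS finding ranks first because its score is unknown and is deliberately treated as the maximum), then pme-site-a (isolated), while eot-fleet lands in the compensating‑controls queue because its advisory has no patch. Two design choices carry the security intent: an unknown CVSS never lowers priority, and unpatchable findings are routed to a separate queue so they are tracked for capital planning rather than sitting indefinitely in a patch backlog.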

What we verified and what remains to confirm

  • Verified: AVEVA PI Integrator CVE IDs and upgrade guidance; Schneider PME deserialization CVE; MegaSys Telenium RCE CVE; Santesoft PACS CVEs and recommended upgrade; EoT/HoT weak authentication and industry response. These claims are corroborated with CISA advisory pages and independent third‑party advisories (Tenable, MS‑ISAC, industry reporting). (cisa.gov, tenable.com)
  • To confirm: precise exploit code availability and evidence of in‑the‑wild exploitation at the time of writing. CISA’s advisories commonly state “No known public exploitation” for several entries (AVEVA, MegaSys, others) — operators should nevertheless assume that motivated adversaries will attempt to weaponize high‑impact CVEs quickly. Always check vendor advisories, CVE databases, and threat intelligence feeds for updates.

Conclusion

The August 12 CISA roll‑up is another reminder that ICS security is not an occasional compliance activity but an ongoing operational discipline. The advisories span low‑complexity remote exploits, deserialization and input‑validation bugs, Windows‑hosted configuration tool issues, and a standards‑level failure in rail telemetry that together illustrate the gamut of challenges facing defenders.
Immediate priorities for affected operators are inventory discovery, patch deployment where feasible, and rapid implementation of compensating network and host controls where patches are delayed. For safety‑critical standards issues, coordinate with industry bodies and regulators while executing short‑term operational mitigations to minimize risk.
CISA’s consolidated advisories and the corroborating vendor and research advisories provide both the what and the how — but the countermeasure that matters most is translation into prioritized, funded operational actions: patch, segment, monitor, and replace where necessary.

Key quick actions (one‑page checklist)

  • Inventory affected products and versions.
  • Apply vendor patches (AVEVA PI Integrator -> 2020 R2 SP2+, Schneider PME hotfix, MegaSys patched versions, Santesoft 4.2.0+, Johnson Controls firmware/ICU updates). (cisa.gov, tenable.com)
  • Isolate administrative interfaces and enforce application whitelisting on Windows hosts.
  • Enhance detection (OT IDS, RF monitoring for EoT/HoT).
  • Plan capital replacement and standards engagement for protocol‑level flaws.

Source: CISA, "CISA Releases Seven Industrial Control Systems Advisories" (cisa.gov)