On August 28, 2025, CISA published a batch of nine Industrial Control Systems (ICS) advisories covering high- and medium-severity vulnerabilities in products from Mitsubishi Electric, Schneider Electric, Delta Electronics, GE Vernova, Hitachi Energy, and ICONICS (part of Mitsubishi Electric). The batch mixes new disclosures with updates to earlier advisories, and it forces operators to prioritize patching where fixes exist, network hardening, and compensating controls where they do not.

Background

Industrial control systems power manufacturing floors, utility substations, water treatment plants, and critical infrastructure. When the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issues ICS advisories, it consolidates vendor reports and technical details into actionable security notices that ICS operators and OT (operational technology) teams rely on for triage and remediation. The August 28, 2025 batch contains nine advisories (two of them for the same MELSEC iQ-F CPU line, and three of them updates to advisories first published earlier) spanning PLC CPU modules, HMI/SCADA suites, RTUs, CNC/HMI applications, and protection relays. It illustrates that vulnerabilities continue to affect both embedded devices and the Windows-based engineering and tooling stack.
This feature unpacks each advisory, highlights the technical risk, summarizes available mitigations and patches, and provides a pragmatic, prioritized remediation plan for ICS owners and security teams. It also assesses systemic trends revealed by the disclosures and the operational trade-offs teams must weigh when securing live systems.

Overview of the nine advisories (at-a-glance)

  • ICSA-25-240-01 — Mitsubishi Electric MELSEC iQ-F Series CPU Module (Missing Authentication; CVE-2025-7405; CVSSv4 6.9)
  • ICSA-25-240-02 — Mitsubishi Electric MELSEC iQ-F Series CPU Module (Cleartext Transmission; CVE-2025-7731; CVSSv4 8.7)
  • ICSA-25-240-03 — Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit (Improper Privilege Management; CVE-2025-8453; CVSSv3 6.7)
  • ICSA-25-240-04 — Delta Electronics CNCSoft-G2 (Out-of-bounds Write; CVE-2025-47728; CVSSv4 8.5)
  • ICSA-25-240-05 — Delta Electronics COMMGR (Stack-based Buffer Overflow & Code Injection; CVE-2025-53418, CVE-2025-53419; CVSSv4 up to 8.8)
  • ICSA-25-240-06 — GE Vernova CIMPLICITY (Uncontrolled Search Path Element; CVE-2025-7719; CVSSv4 7.0)
  • ICSA-24-135-04 — Mitsubishi Electric Multiple FA Engineering Software Products (Update D) (multiple CVEs from 2023; lower CVSS; local attacker risk)
  • ICSA-25-140-04 — Mitsubishi Electric / ICONICS GENESIS / GENESIS64 / MC Works64 (Update B) (Execution with Unnecessary Privileges; CVE-2025-0921; CVSSv4 6.8)
  • ICSA-25-184-01 — Hitachi Energy Relion 670/650 and SAM600-IO series (Update A) (Improper disk-check leading to reboot; CVE-2025-1718; CVSSv4 7.1)
Each advisory includes technical details about affected versions, assigned CVE identifiers, calculated CVSS scores (often both v3.1 and v4.0 where applicable), potential impact, and vendor-provided mitigations or patches. The common denominators across the batch are: broad vendor coverage, a mix of remote and local exploitation vectors, and recommendations that range from immediate patching to network isolation and compensating controls.

Detailed advisory breakdown

Mitsubishi Electric — MELSEC iQ-F Series CPU Module (ICSA-25-240-01)

  • Vulnerability type: Missing authentication for critical function (CWE-306): the module's MODBUS/TCP server accepts read and write requests without any authentication. Modbus/TCP itself defines no authentication, so the control has to come from the network, not the device.
  • CVE: CVE-2025-7405
  • Severity: CVSSv3 7.3 / CVSSv4 6.9 (remotely exploitable over the network; low attack complexity)
  • Affected: Extensive list of MELSEC iQ-F CPU SKUs with firmware/versions indicated (some models 1.060 and later; others "all versions" depending on SKU)
  • Impact: Read/write of device values; program stoppage; potential information tampering and DoS
  • Vendor stance & mitigation: No fix planned for some affected models. Recommended mitigations are network controls: firewalls, VPNs, IP filtering, restricting LAN access, and physical access controls.
  • Operational note: Because no universal vendor patch is available, treat this as a long-term compensating-control problem: any affected module reachable from a host that can speak Modbus/TCP should be assumed writable by that host.

Mitsubishi Electric — MELSEC iQ-F Series CPU Module (ICSA-25-240-02)

  • Vulnerability type: Cleartext transmission of sensitive information (CWE-319): SLMP traffic carries credentials unencrypted, so an attacker who can capture traffic between an engineering tool and the CPU can recover them
  • CVE: CVE-2025-7731
  • Severity: CVSSv3 7.5 / CVSSv4 8.7 (higher impact due to credential disclosure)
  • Affected: Very broad — many FX5U/FX5UC/FX5UJ/FX5S variants listed, often "all versions"
  • Impact: Credential compromise enabling read/write of device values and program disruption
  • Vendor stance & mitigation: No fixed version planned for many SKUs. Because SLMP has no native encryption, the vendor recommends carrying it over a VPN and restricting physical and network access.
  • Operational note: Credential compromise in an ICS context is particularly dangerous because it turns a passive eavesdropper into an active process manipulator; an encrypted transport and network segmentation become mandatory compensating controls.

Schneider Electric — Saitel DR & Saitel DP RTU (ICSA-25-240-03)

  • Vulnerability type: Improper privilege management (CWE-269): a root-level daemon executes custom scripts when configuration files are modified, so whoever can write those files runs code as root
  • CVE: CVE-2025-8453
  • Severity: CVSSv3 6.7 (local attack vector; requires an authenticated user with console access)
  • Affected: Saitel DR RTU versions ≤ 11.06.29; Saitel DP RTU versions ≤ 11.06.34
  • Impact: Authenticated user with console access may escalate privileges; arbitrary code execution as root
  • Vendor response: Saitel DR RTU has a firmware update (HUe 11.06.30) with the fix. For Saitel DP RTU a remediation plan is being established; Schneider recommends immediate mitigations: lock down console and physical access, enforce ownership and permissions on the configuration files, and apply strict password policies.
  • Operational note: Apply the available DR fix and harden access control on DP RTUs until a vendor fix ships; on the DP units, treat the configuration directory as a privilege boundary and audit who can write to it.

Delta Electronics — CNCSoft-G2 (ICSA-25-240-04)

  • Vulnerability type: Out-of-bounds write (CWE-787) in DPAX file parsing
  • CVE: CVE-2025-47728
  • Severity: CVSSv3 7.8 / CVSSv4 8.5
  • Affected: CNCSoft-G2 v2.1.0.20 and prior
  • Impact: Code execution in the context of the logged-on user when a crafted DPAX file is opened, whether delivered directly or via a malicious web page
  • Vendor response: Delta released v2.1.0.27, which fixes the issue; Delta advises updating and following safe file-handling practices.
  • Operational note: This is a classic file-parsing bug that needs user interaction; patching the desktops and HMI machines where CNCSoft-G2 runs should be prioritized through maintenance windows, and untrusted project files should not be opened on production hosts.

Delta Electronics — COMMGR (ICSA-25-240-05)

  • Vulnerability types: Stack-based buffer overflow (CVE-2025-53418) and code injection (CVE-2025-53419)
  • Severity: CVSSv3/v4 scores in the high range (CVSSv4 up to 8.8)
  • Affected: COMMGR v2.9.0 and prior
  • Impact: Remote code execution via specially crafted .isp files
  • Vendor response: Update to v2.10.0 or later
  • Operational note: COMMGR is Delta's communication manager that brokers connections between its engineering software and PLCs, so it sits on engineering hosts with direct controller access; patch it and restrict which project files are loaded on those hosts. When checking installed versions, compare numerically: "2.10.0" sorts below "2.9.0" under a naive string comparison.

GE Vernova — CIMPLICITY (ICSA-25-240-06)

  • Vulnerability type: Uncontrolled search path element
  • CVE: CVE-2025-7719
  • Severity: CVSSv3 7.8 / CVSSv4 7.0
  • Affected: CIMPLICITY versions 2024, 2023, 2022, 11.0
  • Impact: Local low-privilege attacker might escalate privileges
  • Vendor response: GE Vernova recommends applying CIMPLICITY 2024 SIM 4 (support/KB article posted) and following Secure Deployment Guide recommendations.
  • Operational note: This is a local privilege escalation; patch work on SCADA/HMI servers should be scheduled, and access to developer/engineer workstations strictly limited.

Mitsubishi Electric — Multiple FA Engineering Software Products (ICSA-24-135-04, Update D)

  • Vulnerabilities: A set of lower-severity local issues (improper privilege management, resource consumption, OOB write)
  • CVE(s): Includes CVE-2023-51776, CVE-2023-51777, CVE-2023-51778 (previously disclosed; update D adds version details)
  • Severity: Generally lower CVSS values (CVSSv4 around 4.1–4.4)
  • Affected: Wide collection of MELSOFT/engineering tools and utilities (GX Works2/3, GT Designer, MX Component, GENESIS64, RT ToolBox3, etc.)
  • Vendor response: Patches/updates and version-specific guidance are provided; operators must check the update matrix and apply recommended version upgrades.
  • Operational note: Windows-hosted engineering tools remain a frequent attack vector for lateral movement; these advisories reinforce the need to isolate engineering workstations.

ICONICS / Mitsubishi Electric — GENESIS/GENESIS64/MC Works64 (ICSA-25-140-04, Update B)

  • Vulnerability type: Execution with unnecessary privileges (symbolic link / write target manipulation)
  • CVE: CVE-2025-0921
  • Severity: CVSSv3 6.5 / CVSSv4 6.8
  • Affected: GENESIS64 (all versions), GENESIS 11.00, MC Works64 (all versions)
  • Impact: Local attacker may perform unauthorized file writes leading to information tampering or DoS on the affected PC
  • Vendor response: GENESIS updates and guidance are being provided; GENESIS 11.01 or later recommended where applicable
  • Operational note: HMI/SCADA suites running on Windows should be hardened (restrict admin logins, disable non-required services).

Hitachi Energy — Relion 670/650 and SAM600-IO Series (ICSA-25-184-01, Update A)

  • Vulnerability type: Improper check for unusual or exceptional conditions (CWE-754): an authenticated FTP user's file operations on the device's disk can trigger a reboot
  • CVE: CVE-2025-1718
  • Severity: CVSSv3 6.5 / CVSSv4 7.1
  • Affected: Multiple Relion 650/670 revisions and SAM600-IO revisions; specific version ranges enumerated in the advisory
  • Impact: Authenticated FTP user with file-access privileges can cause a device reboot (availability impact for the energy sector)
  • Vendor response: Fixed versions are specified (e.g., 2.2.6.4, 2.2.5.8, or upgrade to 2.2.7). Operators should apply the specified updates and, until then, restrict FTP access to the relays to the accounts and hosts that need it.
  • Operational note: Protection relays are critical to grid stability; IT/OT teams must schedule controlled updates and validate behavior on test benches before field roll-out.

Cross-cutting themes and analysis

1) Mixed exploitability: local versus remote

The batch includes vulnerabilities that are remotely exploitable with no user interaction (the unauthenticated Modbus/TCP write path and the cleartext SLMP credential leak on MELSEC iQ-F) alongside vulnerabilities that require local access (Saitel, CIMPLICITY, GENESIS64) or user interaction such as opening a crafted file (CNCSoft-G2, COMMGR). From an operational perspective, the remotely exploitable issues are the highest priority because they let an attacker with network reachability act without insider access or a phished user.

2) Network controls remain the primary compensating control

Across multiple vendors, when immediate patches are not available (or for older/discontinued SKUs), vendors and CISA recommended network-layer controls — VPNs, firewalls, IP filters, isolation of control networks, and restricting internet exposure. That repeated guidance underlines that segmentation and least-privilege network design remain the most effective practical defenses in OT.

3) Vendor patch variability and lifecycle realities

Two vendor behaviors stand out:
  • Vendors issuing timely patches (Delta, Hitachi Energy, GE Vernova, Schneider for the Saitel DR RTU) and publishing specific fixed versions.
  • Vendors not planning fixes for certain legacy SKUs (notably in the two Mitsubishi MELSEC iQ-F advisories), forcing defenders to rely on compensating technical or procedural controls.
This bifurcation is a recurring industry reality: legacy devices often lack vendor fixes, which makes lifecycle planning and migration strategies for ICS hardware part of the security program rather than an afterthought.

4) Engineering tools and the Windows IT/OT crossover remain high-risk

Several advisories concern Windows-based engineering and HMI suites (GENESIS64, MC Works64, many Mitsubishi FA tools). These are the conventional pivot points: an attacker compromises an engineer workstation and moves from IT to OT. Hardened workstations, patch cadences for engineering tools, and strict access controls are essential.

5) CVSS v4 adoption — better granularity, same urgency

Many advisories include both CVSS v3.1 and CVSS v4.0 scores. The two can move in either direction for the same bug (7.3 to 6.9 for CVE-2025-7405, 7.5 to 8.7 for CVE-2025-7731) because v4 adds an attack-requirements metric and scores the impact on the vulnerable system separately from the impact on downstream systems. For operators the practical takeaway is the same: vulnerabilities in the 7–9 range require urgent attention whichever scoring system is quoted.

Practical, prioritized remediation — a playbook for operators

The following is a pragmatic, prioritized checklist designed for OT teams and security operators responding to this advisory set.

1) Inventory and identification
  • Immediately identify assets that match the affected product lists and versions. Prioritize devices that are internet-exposed or connected to untrusted networks.
  • Maintain a live, versioned asset inventory (PLC, RTU, HMI, engineering host).

2) Rapid risk triage
  • Classify affected assets by exploitability: remotely exploitable (highest priority), local access or existing credentials required, and user interaction required.
  • Prioritize protection relays, RTUs, PLCs, and HMI servers that control critical processes.

3) Apply vendor patches where available (test first)
  • For products with vendor fixes (Delta COMMGR v2.10.0 and CNCSoft-G2 v2.1.0.27, Schneider Saitel DR RTU HUe 11.06.30, Hitachi Energy Relion fixed releases, GE Vernova CIMPLICITY 2024 SIM 4), schedule patch windows now.
  • Use a staging/test bench to validate updates against known control logic and custom integrations to prevent unintended downtime.

4) Implement compensating network controls
  • Block affected devices from the internet and from the corporate/business network. Enforce one-way network flows where the process allows and strict ACLs elsewhere.
  • Deploy or verify IP filters, firewalls, and VPN tunnels where recommended (for example, to carry Mitsubishi SLMP, which has no native encryption).
  • Use host-based firewalls on Windows engineering hosts and HMIs.

5) Harden access and permissions
  • Enforce least privilege for console/SSH/RDP access. Make administrative logins rare and audited.
  • Apply file system permissions to critical configuration files (root-owned, minimal write permissions); this is the interim mitigation for the Saitel DP RTU.
  • Rotate and harden passwords; where possible, enable multifactor authentication for administrative consoles and vendor portals.

6) Monitor and detect
  • Increase monitoring for anomalous Modbus/SLMP/other protocol activity, unexpected credential use, and abnormal file transfers (including FTP sessions to protection relays).
  • Implement host and network IDS/IPS tuned for ICS protocols and known exploit fingerprints.
  • Monitor vendor advisory feeds and CVE databases for rapid changes.

7) Incident response and contingency planning
  • Ensure incident response runbooks are up to date, with clear fallback operations for devices that must be taken offline or replaced.
  • Prepare cross-functional teams (IT, OT, vendors, safety engineers) to coordinate urgent remediation.

8) Vendor engagement and procurement strategy
  • Contact local vendor representatives for guidance, pending patches, and compensating controls.
  • For unsupported/discontinued products without fixes, develop migration plans and budgetary timelines.

9) Test and validate
  • After patching or applying mitigations, validate process behavior and safety interlocks in a test environment before production reactivation.

10) Documentation and reporting
  • Document the applied fixes, mitigations, and impact assessments. Report suspected exploitation attempts to your national CSIRT or CISA if applicable.
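The inventory and triage steps above are mechanical enough to script once the advisories' version bounds are in a table. The following is an added example, not CISA or vendor tooling: it matches a constructed asset inventory against the inclusive upper bounds quoted in this article's summaries (the real advisories' SKU tables remain authoritative), ranks hits the way the playbook does (exposed before isolated, then remote before local before user-interaction), and names the fix or flags "no fix". The product labels are simplified. It also shows why versions must be compared numerically: as strings, COMMGR "2.10.0" sorts below "2.9.0" and a patched build would be flagged as affected.

```python
"""Match an asset inventory against the advisories' affected-version ranges.

Added example (not CISA or vendor tooling). Inventory rows are constructed;
version bounds are the ones quoted in the article's advisory summaries.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.10.0' -> (2, 10, 0). Compare numerically: as strings, '2.10.0' sorts
    below '2.9.0', which would wrongly flag a patched COMMGR as affected."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class AffectedRange:
    advisory: str
    product: str                 # simplified label, not the vendor's full SKU
    max_affected: Optional[str]  # inclusive upper bound; None = all versions
    fixed_in: Optional[str]      # None = no fix published or planned
    vector: str                  # 'remote', 'local' or 'user-interaction'

    def matches(self, version: str) -> bool:
        if self.max_affected is None:
            return True
        return parse_version(version) <= parse_version(self.max_affected)


# Bounds as stated in the summaries above. The MELSEC row reflects the
# "all versions" entries; the advisory's SKU table is authoritative.
ADVISORY_RANGES = [
    AffectedRange("ICSA-25-240-02", "MELSEC iQ-F FX5U", None, None, "remote"),
    AffectedRange("ICSA-25-240-03", "Saitel DR RTU", "11.06.29", "11.06.30", "local"),
    AffectedRange("ICSA-25-240-03", "Saitel DP RTU", "11.06.34", None, "local"),
    AffectedRange("ICSA-25-240-04", "CNCSoft-G2", "2.1.0.20", "2.1.0.27", "user-interaction"),
    AffectedRange("ICSA-25-240-05", "COMMGR", "2.9.0", "2.10.0", "user-interaction"),
]

# Triage order from the playbook: remote first, then local, then user interaction.
VECTOR_RANK = {"remote": 0, "local": 1, "user-interaction": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    exposed: bool  # reachable from the internet or an untrusted network


def triage(assets: List[Asset]) -> List[Tuple[Asset, AffectedRange, str]]:
    """Return (asset, range, action) for every affected asset, highest priority
    first: exposed assets before isolated ones, then by vector, then by name."""
    hits = []
    for asset in assets:
        for rng in ADVISORY_RANGES:
            if rng.product == asset.product and rng.matches(asset.version):
                action = (f"update to {rng.fixed_in}" if rng.fixed_in
                          else "no fix: isolate and apply compensating controls")
                hits.append((asset, rng, action))
    hits.sort(key=lambda h: (not h[0].exposed, VECTOR_RANK[h[1].vector], h[0].name))
    return hits


# Constructed inventory for the example (not real assets).
SAMPLE_INVENTORY = [
    Asset("rtu-sub7", "Saitel DR RTU", "11.06.29", exposed=False),
    Asset("rtu-sub9", "Saitel DR RTU", "11.06.30", exposed=False),   # already fixed
    Asset("rtu-dp-03", "Saitel DP RTU", "11.06.34", exposed=True),
    Asset("eng-ws-02", "COMMGR", "2.9.0", exposed=False),
    Asset("eng-ws-05", "COMMGR", "2.10.0", exposed=False),           # patched build
    Asset("cnc-hmi-1", "CNCSoft-G2", "2.1.0.20", exposed=False),
    Asset("plc-line3", "MELSEC iQ-F FX5U", "1.270", exposed=True),
]

if __name__ == "__main__":
    for asset, rng, action in triage(SAMPLE_INVENTORY):
        print(f"{asset.name:10} {rng.advisory} {rng.vector:17} "
              f"exposed={asset.exposed!s:5} -> {action}")
```

Feed it from whatever your inventory exports (CMDB, passive discovery, a spreadsheet); the point is that the affected/not-affected decision and the priority order are encoded once and re-run as the advisories are updated, rather than re-read by hand nine times.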
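The "Monitor and detect" step asks for visibility into Modbus traffic, and the MELSEC iQ-F advisory ICSA-25-240-01 shows why: Modbus/TCP carries no authentication, so any host that can reach the CPU's Modbus port can issue write function codes. The following is an added example, not part of the CISA advisory or any vendor tool: a small Modbus/TCP frame parser that validates the MBAP header, classifies each request by function code, and flags writes and diagnostics from hosts outside an assumed engineering allow-list. The frames are constructed by hand and the allow-list (10.10.5.0/24) is an assumption for illustration.

```python
"""Flag Modbus/TCP writes and diagnostics from hosts outside an allow-list.

Added example (not from the advisory or any vendor). Frames below are
constructed by hand; the allow-list is an assumption for illustration.
"""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# State-changing function codes from the Modbus application protocol spec.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
# 0x08 Diagnostics carries sub-functions such as 0x0001 Restart Communications,
# which can interrupt a controller's communications (availability impact).
DIAGNOSTICS = 0x08

# Assumed allow-list: only the engineering subnet may issue writes. Site-specific.
WRITE_ALLOWED_FROM = [ip_network("10.10.5.0/24")]


@dataclass
class ModbusRequest:
    src: str
    transaction_id: int
    unit_id: int
    function: int
    start_addr: Optional[int]
    quantity: Optional[int]


def parse_modbus_tcp(src: str, payload: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU) from a TCP payload."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    function = payload[7]
    data = payload[8:]
    start = qty = None
    if function in (0x01, 0x02, 0x03, 0x04, 0x0F, 0x10) and len(data) >= 4:
        start, qty = struct.unpack(">HH", data[:4])
    elif function in (0x05, 0x06) and len(data) >= 4:
        start, qty = struct.unpack(">H", data[:2])[0], 1
    return ModbusRequest(src, tid, unit, function, start, qty)


def assess(req: ModbusRequest) -> str:
    """'alert' for writes/diagnostics from untrusted hosts, 'review' for
    diagnostics from trusted hosts, 'ok' otherwise."""
    trusted = any(ip_address(req.src) in net for net in WRITE_ALLOWED_FROM)
    if req.function in WRITE_FUNCTIONS:
        return "ok" if trusted else "alert"
    if req.function == DIAGNOSTICS:
        return "review" if trusted else "alert"
    return "ok"


def analyze(frames: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """frames: (source IP, TCP payload). Returns (src, description, verdict)."""
    findings = []
    for src, payload in frames:
        try:
            req = parse_modbus_tcp(src, payload)
        except ValueError as exc:
            findings.append((src, f"malformed: {exc}", "alert"))
            continue
        name = WRITE_FUNCTIONS.get(req.function) or (
            "Diagnostics" if req.function == DIAGNOSTICS else f"FC 0x{req.function:02x}")
        findings.append((src, name, assess(req)))
    return findings


# Constructed sample traffic (not a real capture). MBAP length = unit id + PDU bytes.
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers from address 0: benign
    ("10.10.20.15", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Engineering host writes one coil: permitted by the allow-list
    ("10.10.5.21", bytes.fromhex("0002 0000 0006 01 05 0013 FF00")),
    # Unknown host writes two holding registers at address 100: unauthenticated write
    ("192.168.50.77", bytes.fromhex("0003 0000 000B 01 10 0064 0002 04 1234 5678")),
    # Unknown host sends Diagnostics sub-function 0x0001 (restart communications)
    ("192.168.50.77", bytes.fromhex("0004 0000 0006 01 08 0001 0000")),
    # Truncated frame: length field claims 6 trailing bytes, only 3 present
    ("10.10.20.15", bytes.fromhex("0005 0000 0006 01 03 00")),
]

if __name__ == "__main__":
    for src, name, verdict in analyze(SAMPLE_FRAMES):
        print(f"{verdict:6} {src:15} {name}")
```

In production the same logic is better driven from Zeek's modbus.log or an ICS-aware IDS than from a hand-rolled parser, but the rule is the one that matters: on a network where the controller cannot say no, the detection has to come from who is asking. The MBAP length check is deliberate; frames whose length field disagrees with the bytes on the wire are worth an alert on their own.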

Risks, trade-offs, and operational constraints

  • Patching OT systems is not the same as patching enterprise servers. There are safety, availability, and regulatory concerns. Some patches require reboots or can alter runtime behavior. Proper test validation is essential.
  • Legacy devices lacking vendor fixes force teams to implement network-level compensations that may not be foolproof. Long-term replacement should be part of risk reduction planning.
  • Over-reliance on VPNs or perimeter protections without endpoint hardening is fragile; VPN endpoints themselves can be attack vectors.
  • Resource constraints (staffing, spare equipment, test benches) often delay remediation. Prioritize by criticality and exposure.
  • Publicly available CVE details may be enriched or corrected over time. Maintain a watch on vendor advisories and authoritative vulnerability databases.

Strengths and limitations of the advisory set

Strengths:
  • Coordinated disclosure across vendors helps operators prioritize a consolidated response.
  • Each advisory includes affected version ranges, CVE identifiers, and CVSS scores providing measurable risk guidance.
  • Vendor-supplied fixes and mitigation guidance are available for several high-risk items (Delta, Hitachi, Schneider, GE), enabling concrete remediation steps.
Limitations and risks:
  • Several advisories indicate no planned fixes for specific SKUs, creating enduring risk for those deployments.
  • The advisories emphasize network mitigations that, while effective, can be bypassed by sufficiently resourced attackers with network access or local access.
  • The multiplicity of advisories in a single day can strain OT teams; simultaneous patching across different vendors requires careful scheduling to avoid plant disruption.

Practical recommendations for CISOs and OT leaders

  • Treat these advisories as action items: combine asset discovery, urgent patching where patches exist, and compensating controls for unsupported devices.
  • Fund a dedicated OT modernization program that includes lifecycle replacement for unsupported hardware and formal change control for engineering software.
  • Invest in segmented OT network architectures with rigorous remote access governance.
  • Formalize vendor SLAs for security updates and push suppliers for secure-by-design criteria in procurement.
  • Run tabletop exercises simulating exploitation of one of the high-severity items (e.g., credential interception on SLMP or remote code execution in HMI software) to ensure incident playbooks work under time pressure.

Conclusion

The August 28 advisory package is a reminder that ICS environments remain a prime target and that vulnerabilities span embedded firmware, Windows engineering tools, HMIs, RTUs, and protection relays. Some vendors provided patches; others recommended network and operational mitigations or stated no fixes for legacy SKUs. For ICS operators, the immediate priorities are asset identification, targeted patching of devices with vendor fixes, hardening and segmentation of control networks, and implementing compensating controls where patches are not available.
The most effective short-term defense remains the same: assume that device-level vulnerabilities can be exploited if the device is reachable, and remove unnecessary exposure. Combining disciplined network segmentation, rapid patching where available, hardened engineering hosts, and a tested incident response plan reduces attack surface and preserves the availability and safety of critical industrial processes.

Source: CISA, "CISA Releases Nine Industrial Control Systems Advisories"
