CISA’s September 2, 2025 bulletin that released four new Industrial Control Systems (ICS) advisories is a stark reminder that operational technology (OT) and energy-sector devices remain high-value targets—and that defenders must move faster than vendors and attackers to close windows of exposure. The advisories cover Delta Electronics EIP Builder, Fuji Electric FRENIC‑Loader 4, SunPower PVS6, and an Update A to a previously published Hitachi Energy Relion advisory; each entry includes CVE identifiers, calculated CVSS scores, and concrete mitigation guidance for affected devices. These notices, published directly by the Cybersecurity and Infrastructure Security Agency (CISA), identify issues ranging from information disclosure to remote-code-execution and denial‑of‑service risks that can have operational and safety consequences.
Background
Industrial Control Systems (ICS) advisories published by CISA are intended to provide operators, integrators, and IT/OT security teams with succinct technical summaries of vulnerabilities, the affected products and versions, and the mitigations or vendor fixes available. The September 2, 2025 release groups four items that affect a mix of engineering software, device-management utilities, and energy‑sector field devices—types of products that frequently sit at the intersection of corporate Windows infrastructure (HMIs, engineering workstations, monitoring servers) and field OT gear. The aggregated advisory page lists all four advisories and urges administrators to review the technical details for remediation. The user-supplied material that prompted this article mirrors CISA’s release, and internal archive notes show similar advisories across CISA bulletins through 2025—demonstrating a sustained pattern of discovery and disclosure in ICS software and firmware.
Executive summary of the four advisories
- Delta Electronics — EIP Builder (ICSA-25-245-01): an XML External Entity (XXE) information‑disclosure issue (CVE‑2025‑57704). CISA assigns a CVSS v4 score of 6.7 and identifies the vulnerability as exploitable via processing of crafted XML documents; Delta has released an update to V1.12 to remediate the issue.