CISA’s latest notice that it has released two Industrial Control Systems advisories underscores a simple but urgent fact: vulnerabilities in operational technology (OT) and medical-device software continue to present high-impact risks to critical infrastructure and patient safety, and they require immediate, coordinated mitigation by equipment vendors and asset owners.
Background
Industrial Control Systems (ICS) advisories from the Cybersecurity and Infrastructure Security Agency (CISA) translate technical findings into actionable guidance for asset owners, system integrators, and administrators. CISA’s recent bundle includes two focused advisories issued on February 27, 2025: ICSA-25-058-01, covering Schneider Electric communication modules used with Modicon M580 and Quantum controllers, and ICSMA-25-058-01, an ICS Medical Advisory concerning Dario Health’s USB‑C Blood Glucose Monitoring System Starter Kit Android application and backend infrastructure. These advisories are concise but consequential: one centers on a long‑standing, high‑severity memory-corruption flaw in the DHCP server component of the VxWorks network stack used in industrial controllers, and the other catalogues a set of web and data‑handling weaknesses in a consumer/medical app that could expose personal health information. Both advisories include vulnerability identifiers (CVE numbers), severity metrics, and vendor remediation guidance.
Why this matters: OT and medical devices are high‑value, high‑impact targets
Industrial control equipment and medical devices occupy a unique position in risk calculus: they often run legacy or embedded operating systems, are expected to run continuously, and frequently sit on networks that have become more connected to enterprise IT. That combination increases both the likelihood and the impact of compromise.
- A compromised ICS controller can cause process disruption, safety incidents, and prolonged downtime in sectors such as energy, manufacturing, and critical facilities.
- A compromised medical app or backend can expose personal health information (PHI), enable session takeover, or even produce erroneous readings that affect treatment decisions.
ICSA-25-058-01 — Schneider Electric communication modules (technical summary)
The core issue
The Schneider Electric advisory (ICSA-25-058-01) documents an out‑of‑bounds write (stack‑based overflow) vulnerability in the DHCP server component of Wind River VxWorks (CVE-2021-29999). Exploitation can lead to remote code execution or a denial of service on the module through memory corruption. CISA reports a CVSS v4 base score of 9.3 (critical) on the advisory. Because the flaw sits in a server component that accepts unsolicited client messages, any host able to deliver DHCP traffic to the module is within the attack surface, which is why the compensating controls discussed later concentrate on restricting that traffic.
Affected products and versions (high‑level)
Schneider Electric’s advisory lists multiple communication modules used with Modicon M580 and Quantum controllers, and maps them to the specific firmware versions that are vulnerable. Affected module families include BMENOC, BMECRA, BMXCRA and specific Quantum RIO drop adapters; Schneider published fixed firmware versions and staged updates across 2025. Asset owners must verify exact module part numbers and firmware revisions against that list.
Risk and mitigation guidance
CISA emphasizes standard OT best practices alongside vendor patches:
- Apply Schneider Electric firmware updates that explicitly address the VxWorks DHCP server issue. Schneider’s security notification and firmware downloads reference fixed versions (for example, BMENOC0321 SV1.10 and BMECRA/BMXCRA updates).
- Isolate and segment ICS networks from enterprise networks; limit remote access and ensure remote access paths use validated, up‑to‑date secure gateways and multi‑factor authentication.
- Restrict physical access, avoid leaving controllers in programming mode, and treat mobile devices and removable media as risky in OT zones.
Cross‑verification of the technical claim
The underlying CVE (CVE‑2021‑29999) is cataloged by NVD and multiple vulnerability trackers as a VxWorks DHCP stack issue with severe CVSS scores (the NVD/CVE records carry the description and scoring history). This cross‑reference confirms that the Schneider notice is a vendor‑specific exposure of a widely documented VxWorks memory‑corruption problem.
ICSMA-25-058-01 — Dario Health USB‑C Blood Glucose Monitoring System (technical summary)
The core issue
CISA’s ICS Medical Advisory (ICSMA-25-058-01) lists a collection of web/app/backend vulnerabilities affecting the Dario Health USB‑C Blood Glucose Monitoring System Starter Kit Android application and the associated application database / internet‑based server infrastructure. The advisory enumerates multiple CWEs and assigned CVEs (including CVE‑2025‑20060, CVE‑2025‑23405, CVE‑2025‑24843, CVE‑2025‑24849, CVE‑2025‑20049, CVE‑2025‑24318, and CVE‑2025‑24316), with CVSS v4 scores up to 8.7 for the most severe items. Key vulnerability classes include:
- Exposure of private personal information (PII / PHI) to unauthorized actors (CWE‑359).
- Improper output neutralization for logs (log injection), storage of sensitive data without proper access controls, and cleartext transmission of sensitive information.
- Cross‑site scripting (XSS) weaknesses, and cookie configuration issues that could enable session compromise in the presence of XSS.
Affected components and versions
CISA’s advisory identifies Android app versions 5.8.7.0.36 and prior as affected, and indicates that the server/database infrastructure is broadly impacted. Dario Health and researchers identified fixes and mitigation measures; owners of deployed units and users of the application must check for updated app versions and vendor communication.
Risk and mitigation guidance
CISA lists vendor-recommended mitigations and general best practices:
- Update Android app installations to vendor‑released versions that include fixes.
- Confirm cloud/backend server hardening: remove or restrict development artifacts, enforce encryption-in-transit, and apply secure cookie flags and input/output validation in web applications.
- For clinical or enterprise deployments, treat the system as part of the larger clinical‑IT ecosystem: validate user access controls, logging/monitoring, and incident response readiness.
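Two of the weakness classes above can be checked mechanically on the backend: cookie attributes (a session cookie without HttpOnly is readable from script once an XSS foothold exists, which is the "session compromise in the presence of XSS" case) and output neutralization for logs (CWE‑117). The following is an added example, not code from Dario Health or from the advisory; the Set‑Cookie values and the log entry are constructed, and the attribute checks follow the standard HttpOnly/Secure/SameSite semantics.

```python
"""Backend hardening checks for two weakness classes in ICSMA-25-058-01.

Added example, not Dario Health code. Sample Set-Cookie values and the log
entry below are constructed for illustration.
"""
import re

# Control characters (including CR/LF) that let user input forge log lines
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def audit_set_cookie(header_value: str) -> list:
    """Return findings for one Set-Cookie header value (without the 'Set-Cookie:' prefix).

    Checks the attributes that limit session compromise after an XSS or a
    cleartext downgrade: HttpOnly, Secure and SameSite (Lax or Strict).
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly (readable via document.cookie after XSS)")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure (may be sent over cleartext HTTP)")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"{name}: SameSite is {samesite or 'unset'}; set Lax or Strict")
    return findings


def audit_response_cookies(headers: list) -> list:
    """Audit every Set-Cookie header in a (name, value) header list."""
    findings = []
    for key, value in headers:
        if key.lower() == "set-cookie":
            findings.extend(audit_set_cookie(value))
    return findings


def neutralize_log_field(value: str, max_len: int = 200) -> str:
    """Escape control characters so attacker-controlled input cannot inject
    fake log lines (CWE-117), and cap the length to limit log flooding."""
    cleaned = _CONTROL_CHARS.sub(lambda m: "\\x%02x" % ord(m.group()), value)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...[truncated]"
    return cleaned


# Constructed samples: a weak backend response and its hardened counterpart
WEAK_HEADERS = [("Content-Type", "application/json"),
                ("Set-Cookie", "session=3f9a2c; Path=/")]
HARDENED_HEADERS = [("Content-Type", "application/json"),
                    ("Set-Cookie", "session=3f9a2c; Path=/; HttpOnly; Secure; SameSite=Strict")]
# Constructed: a username carrying CR/LF to forge a second, fake log line
FORGED_USERNAME = "alice\r\n2025-02-27 12:00:01 INFO login ok user=admin"

if __name__ == "__main__":
    for finding in audit_response_cookies(WEAK_HEADERS):
        print("WEAK:", finding)
    print("HARDENED findings:", audit_response_cookies(HARDENED_HEADERS))
    print("LOG: login failed user=" + neutralize_log_field(FORGED_USERNAME))
```

Run the cookie audit against captured responses from the backend (for example from a proxy log) rather than from source, since the framework defaults, not the application code, often decide which attributes are emitted. The log helper is applied to every attacker‑controlled field before it is concatenated into a log line; escaping rather than stripping keeps the evidence of the injection attempt visible to analysts.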
Conflicting or ambiguous exploitation reports — proceed with caution
Some third‑party trackers and regional CERT posts have raised concerns about active exploitation or reported rapid remediation, while the official U.S. government records (the CISA advisory and NVD) showed the CVE entries as recently published and still undergoing enrichment. Because reporting on “active exploitation” can differ between the vendor, regional CERTs, and threat‑intelligence outlets, asset owners should err on the side of caution: apply updates immediately and treat the issue as high‑risk until an organization‑level assessment confirms otherwise. Flagging such discrepancies matters; the primary CISA advisory itself did not document widespread active exploitation at the time of issuance.
What Windows admins and IT/OT teams should do now (practical checklist)
- Inventory: Identify any Schneider Electric Modicon M580 / Quantum controllers, related communication modules, and Dario Health devices or mobile apps in your environment. Include firmware/app versions and whether backend services are hosted inside your network or via third‑party cloud providers.
- Patch and upgrade: For Schneider modules, apply the firmware updates Schneider published for the affected module part numbers; for Dario Health, update the Android app and coordinate with the vendor on backend fixes. Verify update checksums and vendor instructions before deployment.
- Isolate and segment: Ensure ICS networks are segmented from enterprise Windows networks; use firewalls, VLANs, and jump hosts for administrative access. Limit the number of Windows workstations that can reach OT devices.
- Harden remote access: If remote access to controllers or HMIs is required, confirm that VPNs, remote access gateways, and RDP interfaces are hardened, patched, and protected with MFA and strict access controls.
- Monitor and log: Activate and centralize OT log collection where possible; watch for anomalous DHCP activity (for VxWorks‑based devices), unexpected firmware upgrade attempts, or exfiltration patterns from medical‑device backends.
- Validate backups and failover plans: Ensure critical controller configurations are backed up and that fail‑safe operational procedures exist in case a patched device must be taken offline temporarily.
- Coordinate with vendors: If you operate equipment covered by these advisories, engage Schneider Electric or Dario Health support teams and request written confirmation of remediation steps and timelines.
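The “Monitor and log” item above asks for DHCP anomaly detection around VxWorks‑based modules. The following is an added example, not tooling from CISA or Schneider Electric: it parses the DHCP client messages (UDP/67) that a module’s DHCP server would receive and flags structural anomalies and unexpected clients. The allowlisted MAC, the option‑length threshold and the sample datagrams are constructed assumptions; the overrun packet illustrates a malformed option in general, not the specific trigger for CVE‑2021‑29999.

```python
"""Flag anomalous DHCP client messages aimed at an OT DHCP server.

Added example (not from CISA or Schneider Electric). The threshold, the
allowlisted MAC and the sample packets are constructed for illustration; the
malformed sample does not describe the trigger for CVE-2021-29999.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236          # RFC 2131 fields before the magic cookie
BOOTREQUEST = 1
MAX_OPTION_VALUE = 64           # tuning assumption: longer values are rare on a RIO network
# tuning assumption: chaddr values of the drops this server is expected to serve
ALLOWED_CLIENT_MACS = {"00:80:f4:aa:bb:01"}


def parse_dhcp(payload: bytes):
    """Return (fields, options, anomalies) for one UDP payload sent to port 67."""
    anomalies = []
    if len(payload) < FIXED_HEADER_LEN + 4:
        return {}, {}, ["truncated: shorter than fixed header + magic cookie"]
    op, htype, hlen, hops = struct.unpack_from("!BBBB", payload, 0)
    chaddr = payload[28:28 + 16]              # client hardware address field
    fields = {"op": op, "htype": htype, "hlen": hlen, "hops": hops,
              "mac": ":".join(f"{b:02x}" for b in chaddr[:6])}
    if op != BOOTREQUEST:
        anomalies.append(f"op={op}: only BOOTREQUEST is expected from clients")
    if hlen > 16:
        anomalies.append(f"hlen={hlen} exceeds the 16-byte chaddr field")
    if payload[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC:
        anomalies.append("magic cookie missing or wrong")
        return fields, {}, anomalies
    options = {}
    pos = FIXED_HEADER_LEN + 4
    end_seen = False
    while pos < len(payload):
        code = payload[pos]
        if code == 0:                         # PAD: single byte, no length
            pos += 1
            continue
        if code == 255:                       # END
            end_seen = True
            break
        if pos + 1 >= len(payload):
            anomalies.append(f"option {code}: length byte missing")
            break
        length = payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) < length:               # declared length overruns the datagram
            anomalies.append(f"option {code}: declared len {length}, only {len(value)} bytes present")
            break
        if length > MAX_OPTION_VALUE:
            anomalies.append(f"option {code}: value length {length} exceeds {MAX_OPTION_VALUE}")
        if code in options:
            anomalies.append(f"option {code}: repeated")
        options[code] = value
        pos += 2 + length
    if not end_seen:
        anomalies.append("no END (255) option")
    if fields["mac"] not in ALLOWED_CLIENT_MACS:
        anomalies.append(f"client MAC {fields['mac']} not in allowlist")
    return fields, options, anomalies


def build_request(mac: bytes, options: bytes) -> bytes:
    """Constructed BOOTREQUEST: fixed header + magic cookie + raw options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         BOOTREQUEST, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return header + DHCP_MAGIC + options


GOOD_MAC = bytes.fromhex("0080f4aabb01")
NORMAL_OPTIONS = (b"\x35\x01\x01"                 # 53 DHCP Message Type = DISCOVER
                  + b"\x3d\x07\x01" + GOOD_MAC    # 61 Client identifier (htype + MAC)
                  + b"\x37\x03\x01\x03\x06"       # 55 Parameter request list
                  + b"\xff")                      # END
NORMAL_DISCOVER = build_request(GOOD_MAC, NORMAL_OPTIONS)
# constructed: option 60 declares 200 bytes but the datagram ends after 8
OVERRUN_DISCOVER = build_request(GOOD_MAC, b"\x35\x01\x01" + b"\x3c\xc8" + b"A" * 8)
# constructed: well-formed request from a MAC the server should never serve
UNKNOWN_CLIENT = build_request(bytes.fromhex("001122334455"), NORMAL_OPTIONS)

if __name__ == "__main__":
    for label, pkt in [("normal", NORMAL_DISCOVER), ("overrun", OVERRUN_DISCOVER),
                       ("unknown", UNKNOWN_CLIENT)]:
        print(label, parse_dhcp(pkt)[2])
```

In practice the payloads come from a SPAN/TAP capture filtered on UDP port 67 toward the module; only the UDP payload bytes are needed. The allowlist check is the higher‑value signal on a RIO network, where the set of legitimate DHCP clients is small and static, so any new client MAC deserves a ticket even when the packet itself is well formed.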
Why vendor communications and public advisories matter — and how to read them
CISA advisories distill vendor findings and provide a neutral publication point for resource-constrained operators to learn about risks. However, operators must also read the underlying vendor security bulletins and CVE/NVD entries to:- Map CVEs to specific product revisions and firmware versions.
- Confirm whether the vendor’s remediation is available as firmware, hotfix, or configuration change.
- Determine whether any operational workarounds are required before deploying a fix (for example, staged firmware upgrades or downtime windows).
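Mapping CVEs to firmware revisions (the first bullet above) fails quietly when versions are compared as strings: “SV1.9” sorts after “SV1.10” lexicographically. The following is an added example, not Schneider Electric tooling; the only fixed version it takes from this page is BMENOC0321 SV1.10, the inventory rows are constructed, and any further part number must be added from Schneider’s own security notification.

```python
"""Triage a module inventory against vendor-published fixed firmware versions.

Added example, not Schneider Electric tooling. The single FIXED_VERSIONS
entry comes from the advisory text quoted on this page; the inventory rows
are constructed.
"""
import re

# part number -> first fixed firmware version (extend from the vendor bulletin)
FIXED_VERSIONS = {
    "BMENOC0321": "SV1.10",
}

_VERSION = re.compile(r"^(?:SV|V)?(\d+(?:\.\d+)*)$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'SV1.10' -> (1, 10), so that (1, 9) < (1, 10) unlike the string compare."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def firmware_status(part: str, version: str, table: dict = FIXED_VERSIONS) -> str:
    """'fixed', 'vulnerable', or 'not-in-table' for one module."""
    fixed = table.get(part.strip().upper())
    if fixed is None:
        return "not-in-table"
    return "fixed" if parse_version(version) >= parse_version(fixed) else "vulnerable"


def triage(inventory, table: dict = FIXED_VERSIONS) -> dict:
    """Group asset ids by status; 'not-in-table' rows still need a manual check."""
    groups = {"fixed": [], "vulnerable": [], "not-in-table": []}
    for asset_id, part, version in inventory:
        groups[firmware_status(part, version, table)].append(asset_id)
    return groups


# Constructed inventory rows: (asset id, part number, firmware version)
INVENTORY = [
    ("rack1-slot3", "BMENOC0321", "SV1.09"),
    ("rack1-slot4", "BMENOC0321", "SV1.10"),
    ("rack2-slot3", "bmenoc0321", "SV1.9"),    # lowercase and short form still parse
    ("rio-drop7", "BMXCRA31210", "SV2.50"),    # part not in the table here: check the vendor bulletin
]

if __name__ == "__main__":
    for status, assets in triage(INVENTORY).items():
        print(f"{status:13s} {assets}")
```

Treat the “not-in-table” group as unresolved rather than safe: it is exactly the set of modules for which the vendor bulletin has not yet been read into the table.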
Risk analysis: strengths and persistent gaps
Strengths
- Timely disclosure and coordination: CISA’s advisories provide a canonical notification that helps unify vendor, government, and operator responses. They surface CVEs, provide CVSS scoring, and list mitigations in a compact format.
- Vendor action and firmware fixes: Schneider published targeted firmware updates and staged remediation updates across 2025; Dario Health and security researchers produced patches and suggested hardening measures for app and backend components. These vendor actions materially reduce exposure when applied.
Persistent risks and limitations
- Legacy and embedded OS exposures: VxWorks and other RTOS ecosystems are embedded across thousands of devices; vendor patch cycles can be slow and device replacement costly. This creates windows of exposure even when patches are available.
- Visibility and asset management gaps: Many organizations still lack comprehensive inventories of OT and medical devices, making it hard to prioritize and verify remediation at scale. Forum analyses and community archives show this is a recurring operational gap.
- Inconsistent exploitation reporting: Third‑party trackers, regional CERTs, and vendor advisories sometimes differ about whether a vulnerability is being actively exploited; that can complicate prioritization for busy SOCs. Operators should assume high severity until disproved and treat exploitation claims conservatively, verifying with internal telemetry.
Operational case studies and short scenarios
Scenario 1 — Energy utility with Modicon M580 deployments
An energy utility with Modicon M580 controllers should immediately identify BMENOC/BMECRA/BMXCRA modules on its network. Patch scheduling must account for operational windows; when patches cannot be deployed immediately, apply compensating controls such as isolating affected subnets, restricting DHCP traffic, and using network appliances to block suspicious DHCP payloads. Verify firmware updates in a lab before production rollout.
Scenario 2 — Clinic or telehealth provider using Dario Health integrations
A healthcare provider that allows staff to use a Dario Health app as part of patient monitoring should require that mobile devices run the patched Android app, require encrypted communications, verify backend server TLS configurations, and enforce strict session controls. Any devices that store PHI locally should be treated as high-priority assets for encryption and remote wipe capabilities.
Reporting, community coordination, and the bigger picture
CISA encourages reporting suspected exploitation and suspicious activity to established channels so incidents can be tracked and correlated across sectors. Security researchers (for example, those at Accenture who reported several Dario Health issues) play an important role in responsible disclosure and vendor coordination. Public advisories, vendor bulletins, and NVD/CVE records collectively enable operators to make informed risk decisions. Community forums and operational archives also provide useful playbooks and experience reports from practitioners about patch deployment strategies and segmentation patterns; these practitioner insights bridge the gap between advisory text and real‑world action.
Final assessment and recommended priorities
- Treat the Schneider Electric VxWorks‑related advisory as critical for affected controllers: confirm device inventories, deploy the published firmware updates, and apply immediate network segmentation and monitoring while patching is scheduled. Cross‑verify firmware versions against Schneider’s advisory and change logs.
- Treat the Dario Health advisory as high‑risk for PHI exposure: require patched app versions, validate backend hardening, and treat any integration points with clinical IT as sensitive. Given discrepancies in exploitation reporting, proceed under an assumption of elevated risk until vendor confirmation and telemetry indicate otherwise.
- For Windows administrators and IT/OT converged environments, prioritize inventory accuracy, network segmentation, patch orchestration, and centralized logging. These controls materially reduce the risk that a single ICS or medical‑app vulnerability becomes a pathway for wider enterprise compromise.
CISA’s publication of these two advisories is a practical reminder that critical‑infrastructure cybersecurity requires constant attention across heterogeneous stacks—from real‑time OS components in industrial controllers to the web APIs and mobile applications used in medical care. Follow vendor remediation steps, verify changes in test environments, and maintain a posture that prioritizes segmentation, monitoring, and rapid patching. The technical details in each advisory provide the mapping from risk to action; the job of operators and administrators is to translate that mapping into timely, verifiable changes on their networks.
Source: CISA CISA Releases Two Industrial Control Systems Advisories | CISA