CISA published four new Industrial Control Systems advisories on June 10, 2025, flagging high‑severity flaws in four widely used products — SinoTrack GPS receiver devices, Hitachi Energy Relion protection relays and SAM600‑IO I/O modules, MicroDicom DICOM Viewer, and the Assured Telematics (ATI) Fleet Management System — and urging operators to apply vendor fixes and network mitigations immediately.
Background
Industrial Control Systems (ICS) advisories from the Cybersecurity and Infrastructure Security Agency (CISA) are designed to provide rapid, actionable technical information about vulnerabilities that affect operational technology (OT) and ICS products deployed across critical infrastructure sectors. These advisories typically include a concise risk evaluation, affected products and versions, vulnerability descriptions and CWE classifications, CVE identifiers, CVSS scores, and recommended mitigations or vendor fixes. CISA’s advisory cadence — frequently grouping multiple product advisories into a single release — reflects both the diverse attack surface in ICS and the need for coordinated defensive action by asset owners and security teams. ICS devices differ from standard IT systems in lifecycle, patching cadence, and physical impact: a vulnerability that enables data theft or remote control on an IT asset may, in ICS contexts, permit direct interference with physical processes, equipment safety systems, or public‑facing services. That operational reality raises the stakes for rapid detection, risk reduction, and vendor coordination when high‑severity CVEs are disclosed. The four advisories released on June 10 exemplify the range of risks facing utilities, transport, healthcare, and fleet operators today.
The advisories at a glance
- ICSA‑25‑160‑01 — SinoTrack GPS Receiver (weak authentication, credential enumeration; CVE‑2025‑5484, CVE‑2025‑5485; CVSS v4 up to 8.8).
- ICSA‑25‑160‑02 — Hitachi Energy Relion 670/650 & SAM600‑IO (OpenSSL RSA timing side‑channel / observable discrepancy; CVE‑2022‑4304; CVSS v4 ~8.2).
- ICSMA‑25‑160‑01 — MicroDicom DICOM Viewer (out‑of‑bounds write enabling code execution; CVE‑2025‑5943; CVSS v4 ~8.6).
- ICSA‑25‑140‑11 (Update A) — Assured Telematics Inc (ATI) Fleet Management System (sensitive information exposure enabling credential harvest; CVE‑2025‑4364; CVSS v4 ~8.7).
SinoTrack GPS Receiver — Weak default credentials and username enumeration
What CISA found
CISA’s advisory for the SinoTrack IoT PC Platform documents two critical issues: a weak/default password scheme and a predictable username pattern tied to a printed device identifier, which together permit remote unauthorized access to the device management interface. The two related CVEs (CVE‑2025‑5484 and CVE‑2025‑5485) are scored with high severity (CVSS v4 up to 8.8), and the advisory explicitly warns that access to device profiles can allow tracking of vehicle location or, where supported, remote control of vehicle subsystems (for example, commands that could disable fuel pumps). CISA notes the vendor did not respond to its coordination request at the time of publication and recommends immediate password changes and concealment of device identifiers in publicly posted images.
Independent reporting and verification
Multiple independent security outlets corroborated CISA’s technical summary and severity assessment, noting the practical exploitability of default credentials and the ease of collecting device identifiers from marketplace photos and vendor documentation. The researcher credited for reporting these issues emphasized that the flaws allow remote monitoring and modification of connected vehicles if the attacker gains web management access. These external writeups align closely with the CISA advisory’s risk evaluation and CVE assignments.
Operational risk and immediate actions
SinoTrack devices are embedded across commercial and private fleets worldwide; the combination of static default credentials and a short numeric username space creates a high‑impact, low‑complexity attack path. The top priorities for administrators are:
- Change all default passwords immediately to unique, complex passphrases.
- Remove or obscure device‑identifying stickers or images posted publicly (marketplace listings, social media).
- Restrict web management interfaces to management networks and VPNs; deny direct Internet access.
- Apply network segmentation and firewall rules to isolate vehicle‑management systems from broader corporate networks.
Hitachi Energy Relion 670/650 & SAM600‑IO — Timing side‑channel against RSA decryption
What CISA found
CISA’s advisory revisits a long‑standing cryptographic weakness (tracked as CVE‑2022‑4304) affecting multiple Hitachi Energy products, where an observable timing discrepancy in OpenSSL’s RSA decryption implementation can be abused in a Bleichenbacher‑style attack to recover plaintext (for example, TLS pre‑master secrets) after issuing a very large number of trial ciphertexts. The advisory lists affected Relion and SAM600‑IO versions and assigns a CVSS v4 score near 8.2. Hitachi Energy reported the finding to CISA and supplied mitigations and version guidance.
Independent corroboration and context
The vulnerable behavior is not unique to Hitachi products — CVE‑2022‑4304 has appeared in advisories across multiple vendors and product families where OpenSSL’s RSA decryption path is used by embedded devices. Public vulnerability databases and multiple CISA advisories document the same weakness and recommended mitigations (patch OpenSSL, move away from RSA key transport modes in TLS where possible, rate‑limit and monitor for suspicious decryption requests). Operators should treat the advisory as part of a wider cryptography‑hardening program for ICS devices.
Operational risk and immediate actions
The Hitachi issue is technically demanding to exploit at scale — successful attacks require the ability to send very large numbers of trial messages and to measure precise timing differences, conditions more likely to be met against Internet‑exposed or poorly segmented devices. Recommended steps include:
- Apply vendor firmware upgrades and OpenSSL patches as provided by Hitachi Energy.
- Disable legacy RSA key transport in TLS configurations where feasible; prefer (EC)DHE ciphers and TLS 1.3.
- Ensure Relion and SAM600‑IO devices are not directly reachable from the Internet and are protected by rate‑limiting controls and monitored gateways.
- Harden network defenses around substations and energy control zones using segmentation, firewalls, and strict access controls.
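As an added example (not code from the advisory, Hitachi Energy or OpenSSL), a small audit that buckets the cipher suites a device or gateway offers, in IANA or OpenSSL naming as a TLS scanner reports them, so the static RSA key-transport suites whose decryption path CVE‑2022‑4304 concerns can be listed and removed. The scan result is constructed and the device is hypothetical.

```python
# Key-exchange prefixes as they appear in IANA names (TLS_<kx>_WITH_<cipher>) and
# OpenSSL names (<kx>-<cipher>); OpenSSL omits the prefix entirely for RSA key transport.
EPHEMERAL_KX = {"ECDHE", "DHE", "EDH"}
OTHER_KX = {"ECDH", "DH", "ADH", "AECDH", "PSK", "SRP", "KRB5", "ECCPWD"}


def key_exchange(suite: str) -> str:
    """Classify one cipher suite as 'rsa_transport', 'ephemeral', 'tls13' or 'other'.

    'rsa_transport' means the server's RSA key decrypts the client's pre-master secret,
    the operation whose timing CVE-2022-4304 leaks. In 'ephemeral' suites RSA only signs.
    """
    name = suite.strip().upper().replace("-", "_")
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return "tls13"                      # TLS 1.3 suites are always (EC)DHE
    iana = name.startswith("TLS_") and "_WITH_" in name
    kx = name[4:].split("_WITH_", 1)[0] if iana else name
    first = kx.split("_")[0]
    if first in EPHEMERAL_KX:
        return "ephemeral"
    if first in OTHER_KX:
        return "other"
    if first == "RSA" or not iana:
        # IANA RSA / RSA_PSK, or a prefix-less OpenSSL name such as AES256-SHA
        return "rsa_transport"
    return "other"


def audit_cipher_suites(suites):
    """Bucket an offered cipher list; anything under 'rsa_transport' should be disabled."""
    buckets = {"rsa_transport": [], "ephemeral": [], "tls13": [], "other": []}
    for suite in suites:
        buckets[key_exchange(suite)].append(suite)
    return buckets


def is_hardened(suites) -> bool:
    """True when no static-RSA suite is offered and at least one forward-secret suite is."""
    b = audit_cipher_suites(suites)
    return not b["rsa_transport"] and bool(b["ephemeral"] or b["tls13"])


# OpenSSL cipher string that keeps (EC)DHE and drops RSA key transport (kRSA is the
# OpenSSL keyword for that key exchange); TLS 1.3 suites are configured separately.
HARDENED_OPENSSL_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL"

# Constructed scan result for a hypothetical device, mixing both naming styles.
SAMPLE_SCAN = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_PSK_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "AES256-SHA",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDH-RSA-AES128-SHA",
]
```

Feed it the cipher list a scanner reports for each relay or gateway; an empty `rsa_transport` bucket is the evidence to file alongside the firmware update.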
MicroDicom DICOM Viewer — Out‑of‑bounds write allowing code execution
What CISA found
The ICS Medical Advisory (ICSMA‑25‑160‑01) flags an out‑of‑bounds write in MicroDicom DICOM Viewer (CVE‑2025‑5943) that can be triggered when a user opens a specially crafted DICOM file or visits a malicious website that delivers such content. The vulnerability is rated high (CVSS v3.1 ~8.8 and CVSS v4 ~8.6) because successful exploitation can result in arbitrary code execution on systems that open the malicious files. CISA states MicroDicom published an update (version 2025.3 or later) to remediate the issue and recommends patching.
Independent corroboration and vendor response
Security firms and vulnerability databases reflect the same technical details and severity score, and healthcare cybersecurity authorities have circulated the advisory to NHS and hospital IT teams with explicit guidance to update or sandbox affected viewers. The MicroDicom vendor released an update promptly and operators are advised to verify installations and enforce safe handling of imaging files from untrusted sources.
Operational risk and immediate actions for healthcare
DICOM viewers are high‑value targets in healthcare because they run on clinician workstations and often have access to patient records and medical networks. Best practices for clinical IT teams include:
- Immediately upgrade MicroDicom DICOM Viewer to the patched version (2025.3 or later).
- Adopt default deny policies for opening external DICOM files and implement content inspection on DICOM ingestion points.
- Run DICOM viewers in restricted user contexts or sandboxed VDI sessions to limit post‑exploit impact.
- Validate medical imaging exchange workflows and tools (PACS servers, transfer services) for rigorous authentication and file validation.
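An added defensive example, not code from the advisory or from MicroDicom: a pre-ingestion check that walks the DICOM Part 10 preamble and File Meta group and rejects a file whose declared element lengths point past the end of the data, the kind of inconsistency an unchecked parser turns into an out-of-bounds write. The two sample files are constructed byte strings, not patient data.

```python
import struct

# VRs whose Explicit VR encoding carries a 2-byte reserved field and a 4-byte length;
# every other VR uses a 2-byte length (DICOM PS3.5, section 7.1.2).
LONG_LENGTH_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def check_dicom_meta(data: bytes) -> list:
    """Return [] if the Part 10 preamble and File Meta group (0002,xxxx) are self-consistent,
    else a list of findings. Stops at the first bad length: later offsets would derive from it."""
    if len(data) < 132 or data[128:132] != b"DICM":
        return ["missing 128-byte preamble or 'DICM' magic"]
    pos, group_start = 132, 132
    declared_group_len, saw_transfer_syntax = None, False
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        if group != 0x0002:
            break                                 # meta group done; dataset proper starts here
        vr = data[pos + 4:pos + 6]
        if not (vr.isalpha() and vr.isupper()):
            return [f"(0002,{elem:04X}): invalid VR {vr!r}"]
        if vr in LONG_LENGTH_VRS:
            if pos + 12 > len(data):
                return [f"(0002,{elem:04X}): element header truncated"]
            (length,) = struct.unpack_from("<I", data, pos + 8)
            value_start = pos + 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            value_start = pos + 8
        if length == 0xFFFFFFFF:
            return [f"(0002,{elem:04X}): undefined length is not allowed in the meta group"]
        if value_start + length > len(data):
            return [f"(0002,{elem:04X}): declared length {length} exceeds the "
                    f"{len(data) - value_start} bytes remaining"]
        if elem == 0x0000 and vr == b"UL" and length == 4:
            (declared_group_len,) = struct.unpack_from("<I", data, value_start)
            group_start = value_start + 4         # group length counts the bytes after itself
        if elem == 0x0010:
            saw_transfer_syntax = True
        pos = value_start + length
    findings = []
    if declared_group_len is not None and pos - group_start != declared_group_len:
        findings.append(f"(0002,0000) declares {declared_group_len} bytes, group spans {pos - group_start}")
    if not saw_transfer_syntax:
        findings.append("(0002,0010) Transfer Syntax UID missing")
    return findings


def _meta_elem(elem: int, vr: bytes, value: bytes) -> bytes:
    """Encode one (0002,elem) element in Explicit VR Little Endian (used to build the samples)."""
    head = struct.pack("<HH", 0x0002, elem) + vr
    if vr in LONG_LENGTH_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


# Constructed samples (no real imaging data): a consistent header, and one whose
# (0002,0001) OB length field claims ~2 GB, far past the end of the file.
_PREAMBLE = b"\x00" * 128 + b"DICM"
_BODY = (_meta_elem(0x0001, b"OB", b"\x00\x01")                       # File Meta Version
         + _meta_elem(0x0010, b"UI", b"1.2.840.10008.1.2.1\x00"))     # Transfer Syntax UID
_DATASET_START = struct.pack("<HH", 0x0008, 0x0016) + b"UI" + struct.pack("<H", 0)
GOOD_FILE = _PREAMBLE + _meta_elem(0x0000, b"UL", struct.pack("<I", len(_BODY))) + _BODY + _DATASET_START
BAD_LENGTH_FILE = (_PREAMBLE + struct.pack("<HH", 0x0002, 0x0001) + b"OB\x00\x00"
                   + struct.pack("<I", 0x7FFFFFF0) + b"\x00\x01")
```

A non-empty result is a reason to quarantine the file at the PACS or transfer gateway rather than hand it to a clinician's viewer.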
Assured Telematics (ATI) Fleet Management System — Information disclosure enabling credential harvest
What CISA found
The updated advisory (ICSA‑25‑140‑11, Update A) addresses an information‑exposure vulnerability (CVE‑2025‑4364) in the ATI Fleet Management System that could allow unauthenticated attackers to enumerate or retrieve sensitive file system information and administrative credentials on installations prior to February 6, 2025. The issue is rated high (CVSS v4 ~8.7). Assured Telematics reported a fix and CISA’s update removed a prior vendor mention (Geotab) that was not central to the vulnerability.
Independent corroboration and global notices
National vulnerability repositories and third‑party security vendors published aligned summaries, and JVN (Japan Vulnerability Notes) and CERT bulletins mirrored CISA’s technical details and noted the vendor’s mitigation status. These independent notices reinforce that fleet telemetry and management platforms are attractive targets because credential compromise or sensitive path disclosure can yield lateral movement into corporate systems or vehicle controls.
Operational risk and immediate actions for transportation operators
Fleet management platforms are central to logistics, telematics, and vehicle health monitoring. An attacker able to harvest credentials or sensitive file paths can pivot to remote administrative control, data theft, or coordinated interference with a fleet. Recommended mitigations:
- Confirm that every ATI Fleet Management installation is updated to a post-February 6, 2025 build or to the vendor’s patched release.
- Rotate administrative credentials and enforce multi‑factor authentication for vendor and operator accounts.
- Restrict API endpoints and management interfaces to whitelisted networks and use strong mutual TLS where supported.
- Monitor for anomalous API access, unusual data exports, and privileged account usage.
Cross‑cutting themes, root causes, and implications
Default credentials and device identity leakage
The SinoTrack case underscores a persistent IoT/OT failure mode: devices shipped with shared or easily guessable credentials and sticky identifiers printed on chassis or packaging. Marketplace photos and unredacted documentation amplify attack surface by exposing identifiers that double as usernames. The remedy is straightforward technically but organizationally complex: enforce unique credentials at provisioning, adopt robust onboarding that forces credential rotation, and treat device images and listings as a vector that must be sanitized.
Cryptographic technical debt in embedded systems
The Hitachi advisories reflect a wider ecosystem problem: legacy cryptographic patterns and embedded OpenSSL uses that remain in fielded devices long after best‑practice TLS modes became common. Embedded devices that still rely on RSA key transport are susceptible to timing attacks when cryptographic libraries are not hardened. Mitigation is dual: patch libraries where feasible and migrate toward ephemeral key exchanges (DHE/ECDHE/TLS 1.3) and modern cipher suites.
The medical and transportation convergence on ICS security
MicroDicom’s DICOM issue and the ATI fleet advisory demonstrate that ICS/OT security is no longer limited to power stations and factories; healthcare and transportation systems are fully within scope. Medical software that processes untrusted files and telematics platforms that aggregate vehicle telemetry both require the same defensive posture as classical control systems: secure update channels, file validation, strict access controls, and segmented management planes.
Vendor coordination and disclosure practices
CISA’s advisories note variable vendor engagement: Hitachi and Assured Telematics provided coordination and fixes, MicroDicom released an update, while SinoTrack reportedly did not respond to CISA’s coordination request. That disparity affects response timelines and elevates risk, particularly where vendors are small or operate across jurisdictions. Asset owners must have compensating controls ready when vendor patches are delayed or absent.
Practical playbook: what operators should do this week
- Inventory: Map every asset that may be affected — GPS trackers, relays, DICOM viewers, and fleet management endpoints. Record versions, network locations, and exposure to the Internet.
- Patch and validate: Apply vendor updates for MicroDicom (2025.3+), Assured Telematics patched releases, and Hitachi Energy firmware/patches where available. Validate successful update operations and document rollbacks as needed.
- Credentials and access: Enforce immediate password rotation for devices with default or shared credentials (SinoTrack). Implement MFA for management interfaces and rotate service accounts.
- Network controls: Block or restrict access to management interfaces at the firewall level, require VPNs or jump boxes for administration, and apply strict ACLs between control and corporate networks.
- Monitoring and detection: Deploy IDS/IPS signatures for known exploit patterns, enable logging for anomalous TLS handshakes, watch for high‑volume decryption attempts, monitor API and file‑ingest endpoints for unusual requests or malformed DICOM files.
- Containment playbooks: Prepare incident response runbooks for suspected device compromise, including isolating affected devices, revoking credentials, and engaging vendors and regulators where patient safety or public infrastructure is implicated.
- Proof of remediation: Maintain change logs, update CMDB entries, and collect forensic evidence of patch application or compensating controls to satisfy compliance and regulatory reporting.
Detection, hunting, and forensic suggestions
- For the Hitachi timing side‑channel, instrument gateways and concentrators to detect repeated, high‑volume malformed TLS attempts and unusual latency patterns. Correlate with firewall logs to identify potential scanning.
- For SinoTrack, flag unusual web‑management access patterns, repeated authentication failures by numeric username ranges, and unusual telemetry queries from unknown IPs. Alert on high‑frequency or geographically dispersed login attempts.
- For MicroDicom, monitor endpoint security telemetry for process memory corruption, unexpected child process launches from DICOM viewer binaries, and use EDR to capture file samples for analysis. Implement sandboxing that detonates suspicious DICOM files in a controlled environment before permitting clinician access.
- For ATI Fleet systems, monitor for unexpected data exports, administrative account creation or elevation, and anomalous API calls that enumerate filesystem paths or configuration endpoints. Consider provisional throttling or IP whitelisting if vendor patches are pending.
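To make the SinoTrack bullet above concrete, an added example (not from CISA or the vendor) that runs the described detection over constructed web-management authentication log lines: a source that fails against many distinct numeric usernames inside one window is flagged, a tight consecutive range marks identifiers being walked in order, and a later success from the same source raises the severity. The log format and addresses are constructed, not SinoTrack's real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for a device web-management interface (not SinoTrack's own):
# <ISO-8601 UTC timestamp> src=<client IP> user=<login name> result=OK|FAIL
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_auth_log(lines):
    """Yield (timestamp, source, user, result) for each well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]


def detect_username_enumeration(lines, window=timedelta(minutes=10), min_users=5):
    """Flag sources failing against many distinct numeric usernames within one window.
    A tight numeric span marks IDs tried in order; a later success from the same source is worse."""
    by_src = defaultdict(list)
    for ev in sorted(parse_auth_log(lines)):
        by_src[ev[1]].append(ev)
    alerts = []
    for src, events in by_src.items():
        fails = [e for e in events if e[3] == "FAIL" and e[2].isdigit()]
        best, first_seen, last_seen, start = set(), None, None, 0
        for end in range(len(fails)):             # sliding window over this source's failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {int(e[2]) for e in fails[start:end + 1]}
            if len(users) > len(best):
                best, first_seen, last_seen = users, fails[start][0], fails[end][0]
        if len(best) < min_users:
            continue
        span = max(best) - min(best) + 1
        alerts.append({
            "src": src,
            "distinct_users": len(best),
            "sequential": span <= 2 * len(best),
            "success_after": any(e[3] == "OK" and e[0] >= first_seen for e in events),
            "first_seen": first_seen.isoformat(),
            "last_seen": last_seen.isoformat(),
        })
    return alerts


# Constructed sample: one source walks six consecutive numeric IDs and then logs in;
# another source is an ordinary user who mistypes a password once.
SAMPLE_LOG = [
    "2025-06-11T03:14:01Z src=203.0.113.7 user=9024001230 result=FAIL",
    "2025-06-11T03:14:03Z src=203.0.113.7 user=9024001231 result=FAIL",
    "2025-06-11T03:14:05Z src=203.0.113.7 user=9024001232 result=FAIL",
    "2025-06-11T03:14:07Z src=203.0.113.7 user=9024001233 result=FAIL",
    "2025-06-11T03:14:09Z src=203.0.113.7 user=9024001234 result=FAIL",
    "2025-06-11T03:14:11Z src=203.0.113.7 user=9024001235 result=FAIL",
    "2025-06-11T03:14:40Z src=203.0.113.7 user=9024001235 result=OK",
    "2025-06-11T03:20:00Z src=198.51.100.4 user=fleet-admin result=FAIL",
    "2025-06-11T03:20:20Z src=198.51.100.4 user=fleet-admin result=OK",
    "2025-06-11T03:21:00Z kernel: unrelated noise line",
]
```

Tune `window` and `min_users` to the device population; a `success_after` alert should trigger the credential-rotation step of the containment playbook.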
Policy and procurement lessons
- Require secure-by‑default provisioning in procurement contracts: unique device credentials, enforced password changes on first boot, and secure update mechanisms.
- Include SLAs for vulnerability disclosure and patch timelines in supplier agreements and require transparency about third‑party components (e.g., OpenSSL versions).
- Mandate product security testing and third‑party code hardening assessments for critical components (cryptography, file parsers, management interfaces).
- Treat medical imaging software and fleet telematics as OT assets in risk assessments; they should not be granted broad network privileges by default.
Strengths and limitations of the advisories
CISA’s advisories deliver concise technical information, CVE identifiers, and mitigation guidance, which helps operators prioritize response and coordinate with vendors. The advisories also standardize how vulnerabilities are described across sectors, making it easier for SOCs and ICS teams to integrate the findings into existing workflows. However, limitations exist. CISA advisories seldom include exploit code or detailed detection signatures — a deliberate choice to avoid enabling attackers — which leaves some defenders needing to derive detection rules themselves. Vendor responsiveness varies, and for devices where the vendor is unresponsive or hardware constrained, operators must rely on network controls and compensating processes rather than upstream fixes. Where advisories reference “no known public exploitation,” that statement is time‑bound and must not be interpreted as a guarantee; continuous monitoring is essential because adversaries often weaponize disclosed flaws quickly. Any claim about active exploitation beyond what the advisories or reputable incident reports state should be treated as unverified unless corroborated by multiple trustworthy sources; current CISA advisories for these four products explicitly reported no known public exploitation at the time of publication, a claim that should be re‑validated periodically.
Final assessment and recommended prioritization
- Highest immediate priority: MicroDicom (remote code execution via crafted DICOM files; patch available) and Assured Telematics (exposure leading to credential compromise). These have direct, immediate operational consequences for healthcare and transportation and have vendor fixes or mitigations published.
- High priority: SinoTrack (default credentials combined with enumeratable usernames) — urgent for fleet operators and vehicle owners to remediate by enforcing unique credentials and reducing Internet exposure.
- Medium‑to‑high priority: Hitachi Energy Relion/SAM600‑IO cryptographic side‑channel — technically complex but potentially high impact for energy sector devices exposed to broad networks; prioritize patching and cryptographic hardening.
Conclusion
The June 10, 2025 advisories from CISA are a timely reminder that ICS and OT vulnerabilities continue to span a broad range of sectors — from vehicle trackers and fleet platforms to energy protection relays and medical imaging viewers. The technical root causes vary — default credentials, cryptographic timing leaks, unsafe file parsing, and inadvertent information disclosure — but the defensive playbook is consistent: inventory, isolate, patch, enforce credential hygiene, and monitor aggressively.
Operators must treat these advisories as operational priorities: apply vendor patches where available, deploy compensating network controls where patches are delayed, and verify remediation with documented evidence. Equally important is vendor governance: procurement and lifecycle policies should enforce secure defaults, timely disclosure, and predictable patching so critical systems do not remain dependent on reactive, ad‑hoc mitigations.
CISA’s consolidated advisories make clear which products and versions are impacted and provide the technical anchor points needed to act. The final risk posture will depend on organizations’ speed in translating advisory guidance into concrete operational changes and on sustained vendor cooperation to repair systemic weaknesses in ICS and IoT ecosystems.
Source: CISA, "CISA Releases Four Industrial Control Systems Advisories | CISA"