CISA Releases Six ICS Advisories Targeting PLCs and Gateways

CISA’s release of six Industrial Control Systems advisories on September 23, 2025, spotlights a fresh wave of vulnerabilities affecting widely deployed PLCs, RTUs, and gateway devices from AutomationDirect, Mitsubishi Electric, Schneider Electric, Viessmann (Vitogate 300), and Hitachi Energy — a set of findings that mix high-severity cryptographic and command-injection flaws with a cluster of denial-of-service and update-validation weaknesses that operators cannot afford to ignore.

Background

Industrial Control Systems (ICS) remain a primary target for attackers because of their direct impact on safety, availability, and critical infrastructure operations. Federal advisories, led by the Cybersecurity and Infrastructure Security Agency (CISA), provide concise technical summaries, CVE identifiers, and remediation measures; the six advisories released on September 23, 2025, follow that model and include both newly discovered vulnerabilities and updates to previously disclosed issues.
CISA’s advisories are designed for immediate operational use: they list affected products and firmware versions, provide vulnerability classifications (CWE), show calculated CVSS scores, and relay vendor-recommended fixes. For defenders, the value lies in the combination of technical detail (where available) and clear mitigation actions such as firmware updates, configuration changes, and network isolation recommendations.

Overview of the Six Advisories

  • ICSA-25-266-01 — AutomationDirect CLICK PLUS
  • ICSA-25-266-02 — Mitsubishi Electric MELSEC-Q Series CPU Module
  • ICSA-25-266-03 — Schneider Electric SESU
  • ICSA-25-266-04 — Viessmann Vitogate 300
  • ICSA-25-023-02 — Hitachi Energy RTU500 Series Product (Update A)
  • ICSA-25-093-01 — Hitachi Energy RTU500 Series (Update B)
Each advisory differs in severity, attack vector, and mitigation complexity. Several include one or more assigned CVEs with CVSS v3.1 or v4 scores, and several name vendor-fixed versions that should be applied as soon as operationally possible.

AutomationDirect CLICK PLUS (ICSA-25-266-01)

Executive summary

The advisory for AutomationDirect CLICK PLUS lists multiple vulnerabilities — including cleartext storage of credentials, use of hard-coded cryptographic keys, broken or risky crypto, predictable RNG seeds, resource shutdown problems, and authorization bypasses — affecting firmware versions prior to v3.71 and Click Programming Software v3.60. Severity ratings include a high CVSS v4 score (up to 8.7 on some issues).

Technical highlights

  • Multiple CVEs were assigned for separate weaknesses (authentication, crypto, RNG, DoS).
  • Notable issues: a hard-coded AES key protecting initial session messages; insecure RSA implementation; predictable PRNG seed allowing compromise of generated keys.
  • Exploitation vectors range from local file-system access (cleartext credentials) to remote network exploitation for cryptographic weaknesses, depending on the specific CVE.

Vendor response and mitigations

  • AutomationDirect’s recommended remediation is upgrading CLICK PLUS firmware to v3.80 (or newer). Where immediate upgrades are not possible, CISA and the vendor suggest network isolation, disabling unnecessary services, and applying compensating access controls.
  • Researchers who reported the issues included professionals from Nozomi Networks.

Analysis and operational impact

The combined nature of these findings — weak crypto, predictable RNG, and hard-coded keys — is dangerous because it undermines the entire security foundation of secure sessions and updates. Where an attacker can break crypto or predict key material, subsequent controls (authentication, session integrity, confidentiality) can be bypassed. Operators should treat cryptographic vulnerabilities with high priority: if the device’s authentication or key management can be compromised, remote or adjacent-network attacks can escalate rapidly.
Practical steps for operators:
  • Confirm the exact model and firmware version of each CLICK PLUS device.
  • Schedule immediate firmware upgrades to the vendor-specified version.
  • If upgrades are delayed, isolate devices onto segmented VLANs, block management ports at network edges, and monitor session anomalies.

Mitsubishi Electric MELSEC-Q Series CPU Module (ICSA-25-266-02)

Executive summary

The MELSEC-Q Series CPU module advisory identifies an improper handling of length parameter inconsistency that can cause an integer underflow and lead to a denial-of-service condition. CISA marks the issue as remotely exploitable under certain configuration scenarios.

Technical highlights

  • Affected models are a list of MELSEC-Q CPUs identified by serial-number range and by firmware or settings; whether the user authentication function (configured through GX Works2) is enabled affects exploitability.
  • The CVSS v3.1 score supplied in the advisory is in the mid range (approx. 6.8), indicating a significant DoS risk rather than remote code execution.

Vendor response and mitigations

  • Mitsubishi Electric has historically issued firmware updates and serial-number/firmware guidance for MELSEC products; the current advisory indicates affected versions and recommends firmware updates and configuration reviews.
  • Operators are urged to confirm if the user authentication function is enabled and to apply vendor-published fixes where available.

Analysis and operational impact

Integer underflows and related resource-management problems are common in industrial firmware and often result in service interruptions. While a DoS may not directly permit code execution, it can disrupt operations or create windows for follow-on attacks (for example, triggering failover in ways that expose weaker systems). The fact that exploitability in this advisory depends on how authentication is configured highlights a recurring theme: secure-by-default settings vary across vendors and regions, and configuration choices made to comply with one requirement (for example, a local jurisdiction’s cybersecurity law) can raise exposure elsewhere.
Practical steps for operators:
  • Inventory MELSEC-Q serial numbers and firmware.
  • Apply vendor firmware updates or contact Mitsubishi support for device-specific remediation paths.
  • Review GX Works2-derived settings; where safe and compliant, consider conservative authentication configurations and network restrictions.

Schneider Electric SESU (ICSA-25-266-03)

Executive summary

The Schneider Electric SESU advisory discloses an improper link resolution before file access (link following) vulnerability that can allow a low-privilege, authenticated user to write arbitrary data to protected locations. The CVSS v3.1 rating stands at about 7.3.

Technical highlights

  • Affected versions: all SESU versions prior to 3.0.12 (including SESU embedded in many Schneider products).
  • The vulnerability permits directory-tampering or symlink-style attacks that can result in privilege escalation, file corruption, data exposure, or persistent DoS when the installation folder is tampered with.

Vendor response and mitigations

  • Schneider’s remediation is to upgrade SESU to version 3.0.12, which addresses the issue. Vendors typically offer SESU updates via their updater portal; organizations should ensure the update process itself is performed under controlled, authorized circumstances.

Analysis and operational impact

This is a textbook post-installation or maintenance risk: installers or low-privilege users who can write to the install directory, or an install directory that is network-accessible, create a vector for local privilege escalation. Because SESU is bundled inside many Schneider products across sectors (energy, manufacturing, water), the blast radius can be broad.
Practical steps:
  • Verify SESU instances and immediately apply the 3.0.12 update.
  • Ensure SESU installation directories are not network-accessible and are writable only by authorized administrators.
  • Review endpoint configuration management processes to prevent lateral writes by unprivileged users.

Viessmann Vitogate 300 (ICSA-25-266-04)

Executive summary

The Vitogate 300 advisory covers two high-severity weaknesses — an OS command injection and client-side enforcement of server-side security (authentication bypass) — assigned CVE identifiers and carrying CVSS v4 scores in the mid-to-high 8 range. These issues affect versions prior to a patched release and were reported by security researchers working with mainstream private-sector vulnerability programs.

Technical highlights

  • Affected versions: Vitogate 300 versions prior to 3.1.0.1 (the advisory indicates fixes are available in newer firmware/software).
  • Vulnerabilities permit manipulation of JSON parameters to cause OS command injection via /cgi-bin/vitogate.cgi and allow administrative functionality to be exposed by bypassing server-side authentication.
  • PoCs for earlier Vitogate vulnerabilities have been publicized in the past; the new advisory lists the current CVEs and fixed versions.

Vendor response and mitigations

  • Viessmann/Carrier’s product security advisory recommends updating to Vitogate 300 software v3.1.0.1 or later.
  • CISA reiterates standard ICS mitigations: minimize network exposure, place devices behind firewalls and segregate them from corporate networks, and prefer VPNs or secure access methods — with the caveat that VPNs must themselves be current and secured.

Analysis and operational impact

OS command injection combined with authentication bypass is among the most dangerous vulnerability combinations: if an attacker can both bypass front-end controls and inject commands interpreted by the device OS, full device compromise and lateral movement become feasible. Devices that bridge building automation (boilers, HVAC, heat pumps) with management systems are especially sensitive because an attacker can pivot from less-protected corporate/adjacent networks into operational environments.
Because public PoCs have existed for earlier Vitogate flaws, urgency is warranted. Operators must prioritize:
  • Immediately verify Vitogate versions.
  • Upgrade to the vendor-published patch release.
  • Enforce network segmentation for building automation devices and remove internet exposure entirely.
Where patching is delayed, consider taking the device offline or placing it on an air-gapped or highly restricted network until remediation is applied.

Hitachi Energy RTU500 Series (ICSA-25-023-02 and ICSA-25-093-01)

Executive summary

Two related advisories address multiple, disparate weaknesses across the RTU500 family. One advisory (Update A) focuses on a secure-update bypass allowing authenticated users to install unsigned firmware (CVE-2024-2617), while the other (Update B) enumerates denial-of-service-class issues (null pointer dereference, resource exhaustion, missing synchronization) across many CMU firmware series, with several CVEs assigned.

Technical highlights

  • Affected firmware ranges are enumerated precisely (e.g., CMU firmware versions 13.2.1–13.2.7, 13.4.1–13.4.4, 13.5.1–13.5.3 for the secure-update bypass).
  • Fixes and recommended target versions are clearly provided: update to CMU firmware 13.7.7 or 13.5.4 depending on the version bracket; Update B lists numerous fixed versions for different series and calls out CVE identifiers for each issue.

Vendor response and mitigations

  • Hitachi Energy recommends enabling the secure update feature and updating CMU firmware to vendor-specified versions (for example, 13.7.7 and 13.5.4 in the latest advisory revisions).
  • Additional mitigations include disabling unused protocols (HCI Modbus/IEC 60870-5-104 features where not required), hardening firewall rules, and applying defense-in-depth segmentation.

Analysis and operational impact

The secure-update bypass is particularly troubling for supply-chain integrity: if a malicious or compromised authenticated user can push an image through the update process (or if the authentication model allows lateral misuse), unsigned or tampered firmware could be installed — a worst-case scenario for ICS trust. The cluster of DoS vulnerabilities compounds the problem, increasing the chance of operational disruptions that can mask or facilitate more serious intrusions.
Operators should:
  • Immediately review CMU firmware versions and apply the exact fixed versions recommended for each range.
  • Ensure secure update features are enabled and tested in a controlled environment before roll-out.
  • Use change control and verification steps (hash checks, digital signatures where supported) to validate firmware provenance.
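The last step above, hash verification of a firmware image against a vendor-published manifest, as an added example written for this article (not Hitachi Energy's or CISA's code). The image bytes and the manifest are constructed inside the script; the file names are placeholders, and in practice the manifest or signature must reach you through a channel separate from the download itself.

```python
"""Verify a firmware image against a vendor hash manifest before it is staged.

Added example for this article, not Hitachi Energy's or CISA's code. The image
bytes and the manifest are constructed here; in practice the manifest (or a
signature) comes from the vendor through a channel separate from the download.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB pieces so large images never have to fit in memory


def sha256_file(path) -> str:
    """Stream the file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_firmware(path, manifest: dict) -> tuple:
    """Return (ok, message). manifest maps image filename -> expected SHA-256 hex."""
    name = Path(path).name
    expected = manifest.get(name)
    if expected is None:
        # An image the vendor never listed is refused outright, not hashed and waved through.
        return False, f"{name}: not listed in the vendor manifest, refuse to stage"
    if not os.path.isfile(path):
        return False, f"{name}: file not found"
    actual = sha256_file(path)
    # Constant-time compare: not strictly needed for a public hash, but a cheap habit.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, f"{name}: hash mismatch (expected {expected[:12]}.., got {actual[:12]}..)"
    return True, f"{name}: SHA-256 matches manifest"


def demo() -> dict:
    """Build constructed images in a temp dir and run the three cases that matter."""
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "cmu_13_7_7.bin"          # placeholder file name
        good_bytes = b"CONSTRUCTED FIRMWARE IMAGE 13.7.7 " * 1000
        good.write_bytes(good_bytes)

        tampered = Path(d) / "cmu_13_5_4.bin"      # placeholder file name
        original_bytes = b"CONSTRUCTED FIRMWARE IMAGE 13.5.4 " * 1000
        # One extra byte stands in for any modification between vendor and device.
        tampered.write_bytes(original_bytes + b"\x00")

        # These values stand in for what the vendor would publish out of band.
        manifest = {
            good.name: hashlib.sha256(good_bytes).hexdigest(),
            tampered.name: hashlib.sha256(original_bytes).hexdigest(),
        }
        return {
            "good": verify_firmware(good, manifest),
            "tampered": verify_firmware(tampered, manifest),
            "unlisted": verify_firmware(Path(d) / "cmu_unknown.bin", manifest),
        }


if __name__ == "__main__":
    for case, (ok, msg) in demo().items():
        print(f"[{'PASS' if ok else 'FAIL'}] {case}: {msg}")
```

A hash manifest is the floor, not the ceiling: it catches a corrupted or altered download, but it is only as trustworthy as the channel the manifest arrived through. Where the device supports signed images (the RTU500 secure update feature the advisory tells operators to enable), the signature check on the device is the control that matters, and this script is the pre-staging gate in front of it.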

Cross-cutting Trends and Context

1) Crypto and update integrity remain weak spots

Several advisories (AutomationDirect, Hitachi) highlight cryptographic weaknesses and update-validation problems. Attackers targeting these gaps can defeat authentication and integrity checks that serve as the last line of defense.

2) Remote-exploitable DoS and high-severity injection remain common

Multiple advisories include remotely-exploitable denial-of-service and command-injection flaws. The presence of OS command injection and weak server-side authentication on networked gateways increases the risk of remote compromise.

3) Researchers and coordinated disclosure matter

Across the advisories, vulnerabilities were responsibly disclosed by security researchers and coordinated with vendors, which is positive. However, prior history with Vitogate shows that public PoCs exist for some earlier issues — a reminder that once PoCs are public, risk escalates quickly.

4) Vendor patch cadence varies

Some vendors supplied immediate fixed versions (Schneider, Viessmann), while others provided staged updates or version-specific guidance (Mitsubishi, Hitachi). The variation complicates operational patch planning: operators must map device inventory to vendor guidance precisely before scheduling upgrades.
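As an added illustration of that inventory-to-guidance mapping (example code written for this article, not tooling from CISA or any vendor): the affected ranges and fixed versions are the ones the advisories above name, the device inventory is constructed sample data, and which RTU500 bracket maps to 13.7.7 and which to 13.5.4 is an assumption, since the text above only says "depending on the version bracket". MELSEC-Q is left out on purpose, because its exposure depends on serial number and configuration rather than a plain version comparison.

```python
"""Map a device inventory to advisory fixed versions and order the patch plan.

Added example for this article, not tooling from CISA or any vendor. Affected
ranges and fixed versions are the ones the advisories name; the inventory is
constructed sample data; the RTU500 bracket-to-fix mapping is an assumption.
"""
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """'13.5.3' -> (13, 5, 3), 'v3.80' -> (3, 80); tuples compare element-wise."""
    return tuple(int(p) for p in v.lstrip("v").split("."))


@dataclass(frozen=True)
class FixRule:
    advisory: str
    product: str
    lo: Optional[str]    # inclusive lower bound of the affected range; None = no lower bound
    hi: str              # upper bound of the affected range
    hi_inclusive: bool   # True for "13.2.1-13.2.7", False for "prior to 3.0.12"
    fixed: str           # version the advisory names as the fix

    def affected(self, version: str) -> bool:
        v = parse_version(version)
        if self.lo is not None and v < parse_version(self.lo):
            return False
        h = parse_version(self.hi)
        return v <= h if self.hi_inclusive else v < h


RULES = [
    FixRule("ICSA-25-266-01", "CLICK PLUS", None, "3.71", False, "3.80"),
    FixRule("ICSA-25-266-03", "SESU", None, "3.0.12", False, "3.0.12"),
    FixRule("ICSA-25-266-04", "Vitogate 300", None, "3.1.0.1", False, "3.1.0.1"),
    # RTU500 CMU brackets from ICSA-25-023-02. Which bracket goes to 13.7.7 and
    # which to 13.5.4 is an assumption here; confirm against the advisory text.
    FixRule("ICSA-25-023-02", "RTU500 CMU", "13.2.1", "13.2.7", True, "13.7.7"),
    FixRule("ICSA-25-023-02", "RTU500 CMU", "13.4.1", "13.4.4", True, "13.7.7"),
    FixRule("ICSA-25-023-02", "RTU500 CMU", "13.5.1", "13.5.3", True, "13.5.4"),
    # MELSEC-Q (ICSA-25-266-02) is deliberately absent: exposure depends on serial
    # number and the GX Works2 authentication setting, so it needs a per-device check.
]


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    firmware: str
    internet_exposed: bool
    production_critical: bool


# Constructed sample inventory; none of these are real assets.
INVENTORY = [
    Device("plc-line1", "CLICK PLUS", "3.60", False, True),
    Device("plc-line2", "CLICK PLUS", "3.80", False, True),     # already on the fixed version
    Device("boiler-gw", "Vitogate 300", "3.0.5", True, False),  # reachable from the Internet
    Device("eng-ws", "SESU", "3.0.9", False, False),
    Device("rtu-sub7", "RTU500 CMU", "13.5.2", False, False),
    Device("rtu-sub8", "RTU500 CMU", "13.6.0", False, False),   # between brackets: not listed as affected
]


def assess(device: Device, rules=RULES) -> Optional[FixRule]:
    """Return the first rule whose affected range contains the device firmware, else None."""
    for r in rules:
        if r.product == device.product and r.affected(device.firmware):
            return r
    return None


def tier(device: Device) -> int:
    """1 = Internet-exposed, 2 = production-critical, 3 = everything else."""
    if device.internet_exposed:
        return 1
    if device.production_critical:
        return 2
    return 3


def build_plan(inventory=INVENTORY, rules=RULES) -> list:
    """Affected devices only, ordered by tier then name, each with its target version."""
    plan = []
    for d in inventory:
        r = assess(d, rules)
        if r is None:
            continue
        plan.append({"tier": tier(d), "device": d.name, "product": d.product,
                     "current": d.firmware, "fixed": r.fixed, "advisory": r.advisory})
    plan.sort(key=lambda row: (row["tier"], row["device"]))
    return plan


if __name__ == "__main__":
    for row in build_plan():
        print(f"T{row['tier']} {row['device']:<10} {row['product']:<13} "
              f"{row['current']} -> {row['fixed']}  ({row['advisory']})")
```

The point of the explicit `lo`/`hi`/`hi_inclusive` fields is that "prior to 3.0.12" and "13.2.1 through 13.2.7" are different shapes of range, and a script that silently treats them the same will either miss devices or schedule upgrades that are not needed. A device between brackets (rtu-sub8 above) is reported as not affected only because the advisory does not list it; that is a fact to confirm with the vendor, not a clean bill of health.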

Recommended Immediate Actions (Operational Playbook)

Inventory and prioritize
  • Identify all devices covered by these advisories and map serial numbers and firmware versions.
  • Prioritize externally accessible devices, production-critical devices, and devices in the energy/water/health sectors.
Apply vendor fixes
  • Where vendor-fixed versions exist, apply updates after validating in a test segment and following vendor instructions. Examples: AutomationDirect CLICK PLUS -> v3.80; Schneider SESU -> v3.0.12; Viessmann Vitogate -> v3.1.0.1; Hitachi RTU500 -> 13.7.7 / 13.5.4 (as applicable).
Network protection and segmentation
  • Immediately ensure all affected devices are not exposed to the Internet.
  • Implement strict firewall rules to limit management ports to authorized hosts and networks.
  • Use network segmentation (VLANs, ACLs) to isolate ICS networks from corporate and guest networks.
Harden configurations
  • Enable vendor-provided secure update and authentication features.
  • Remove or disable unused services and protocols (e.g., HCI Modbus/TCP, unused web interfaces).
  • Ensure installation directories and local file-systems are writable only by authorized administrators.
Monitoring and detection
  • Increase logging and monitoring for anomalous session activity, unexpected firmware updates, and repeated connection attempts.
  • Deploy IDS/IPS rules where possible to detect patterns associated with the disclosed vulnerabilities.
Process controls and verification
  • Implement strict change control, cryptographic verification (hash/signature checks) for firmware, and offline verification for critical updates.
  • Train operations teams on safe update procedures and rollback plans.
Incident readiness
  • Prepare incident-response playbooks for device compromise, including how to contain, collect forensic data, and notify authorities (CISA, vendor PSIRT).
  • Test backups and restoration procedures for firmware and configuration.
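The monitoring step of the playbook, "repeated connection attempts" and "unexpected firmware updates", as an added detection example written for this article rather than a rule from CISA or any vendor product. The log lines, their field layout, the watched ports, the authorised engineering host and the change window are all constructed assumptions; real firewalls and RTUs log in their own formats, so the two regular expressions are the part you would replace.

```python
"""Flag management-port sweeps and out-of-policy firmware updates in ICS logs.

Added example for this article, not from CISA or any vendor. The log lines,
field layout, watched ports, authorised host and change window are constructed
assumptions; real devices and firewalls log in their own formats.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simple syslog-like shape (not real traffic).
LOG_LINES = [
    "2025-09-24T02:14:05Z fw-edge DENY src=10.20.5.77 dst=10.30.1.10 dport=502",
    "2025-09-24T02:14:06Z fw-edge DENY src=10.20.5.77 dst=10.30.1.10 dport=502",
    "2025-09-24T02:14:07Z fw-edge DENY src=10.20.5.77 dst=10.30.1.11 dport=502",
    "2025-09-24T02:14:09Z fw-edge DENY src=10.20.5.77 dst=10.30.1.12 dport=80",
    "2025-09-24T02:14:12Z fw-edge DENY src=10.20.5.77 dst=10.30.1.12 dport=443",
    "2025-09-24T02:15:00Z fw-edge DENY src=10.20.5.77 dst=10.30.1.13 dport=22",
    "2025-09-24T09:30:00Z rtu-sub7 FIRMWARE_UPDATE user=maint src=10.30.9.5 version=13.5.4",
    "2025-09-24T23:41:18Z rtu-sub9 FIRMWARE_UPDATE user=maint src=10.20.5.77 version=13.5.1",
    "2025-09-24T10:05:00Z fw-edge DENY src=10.30.9.5 dst=10.30.1.10 dport=502",
]

DENY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) DENY src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
UPDATE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) FIRMWARE_UPDATE user=(?P<user>\S+) src=(?P<src>\S+) version=(?P<ver>\S+)$")

MGMT_PORTS = {22, 80, 443, 502}   # management/protocol ports to watch (assumption for the example)
AUTH_UPDATE_HOSTS = {"10.30.9.5"}  # engineering workstation allowed to push firmware (constructed)
CHANGE_WINDOW = (8, 18)            # hours of the day in which updates are expected (assumption)


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_scans(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """One source hitting `threshold` or more management-port denies inside `window` -> alert."""
    events = defaultdict(list)
    for line in lines:
        m = DENY_RE.match(line)
        if m and int(m["dport"]) in MGMT_PORTS:
            events[m["src"]].append(parse_ts(m["ts"]))
    alerts = []
    for src, times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(("mgmt_port_sweep", src, times[start].isoformat(), end - start + 1))
                break                           # one alert per source is enough
    return alerts


def detect_update_anomalies(lines) -> list:
    """Firmware update from an unapproved host or outside the change window -> alert."""
    alerts = []
    for line in lines:
        m = UPDATE_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m["ts"])
        reasons = []
        if m["src"] not in AUTH_UPDATE_HOSTS:
            reasons.append("source is not an authorised engineering host")
        if not (CHANGE_WINDOW[0] <= ts.hour < CHANGE_WINDOW[1]):
            reasons.append("outside the change window")
        if reasons:
            alerts.append(("firmware_update", m["host"], m["ts"], reasons))
    return alerts


def run(lines=LOG_LINES) -> list:
    return detect_scans(lines) + detect_update_anomalies(lines)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Two design points carry over to real deployments. The sweep detector keys on denies at management and protocol ports rather than on raw connection counts, so a legitimate engineering host polling one PLC does not trip it, and the update detector treats "who pushed it, from where, and when" as the signal, which is exactly the context an unsigned-firmware bypass of the kind described for the RTU500 would leave behind even when the device itself logs the update as a success.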

Risks, Caveats, and Unverifiable Claims

  • Some advisories note no known public exploitation at the time of publication. That status is time-sensitive: attackers may develop and publish exploits after disclosure. Treat “no known exploitation” as a call to vigilance, not a guarantee of safety.
  • Serial-number or configuration-dependent vulnerabilities (seen in Mitsubishi advisories) require careful per-device evaluation. Assumptions about global exposure without checking device-specific data risk mis-prioritization.
  • Where CISA or vendors reference researcher credits or PoCs, operational defenders should assume that PoCs may appear in public repositories quickly; therefore, fast action is required. Any claim about exploit availability can change rapidly and should be re-checked frequently if an organization manages large fleets.

What This Means for ICS Security Strategy

These advisories reinforce several persistent lessons in industrial cybersecurity:
  • Patch management in ICS requires coordinated planning and testing. Immediate blanket updates without testing can be as disruptive as unpatched vulnerabilities.
  • Defense-in-depth is not optional. Network segmentation, strict access control, and robust monitoring reduce the chance that a single device weakness becomes a systemic failure.
  • Cryptographic hygiene and secure update mechanisms are core safety requirements, not optional features. Vendors and operators must treat crypto and firmware integrity with the same urgency as physical safety features.
  • Visibility and inventory are foundational. Unknown or unmanaged devices are the most vulnerable; organizations that cannot answer “what’s on my network” should treat discovery as an immediate priority.

Conclusion

CISA’s six advisories released on September 23, 2025, cover a worrying combination of command injection, weak cryptography, resource exhaustion, and update-validation issues across multiple vendors and product families. The technical details and vendor-supplied fixes are clear: apply the supplied firmware updates, enable secure update and authentication features, and minimize network exposure. Beyond immediate patching, these advisories should prod organizations to re-evaluate ICS asset inventory, segmentation, and firmware-management policies. In industrial environments where availability and safety matter as much as confidentiality, rapid, measured, and well-documented remediation is the only practical defense.

Source: CISA, "CISA Releases Six Industrial Control Systems Advisories"