On March 11, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) published two Industrial Control Systems (ICS) advisories covering vulnerabilities in Schneider Electric’s Uni‑Telway driver and Optigo Networks’ Capture Tool software — advisories that carry meaningful operational risk for engineering workstations and building-automation tooling and that demand immediate attention from ICS/OT teams and integrators.
Source: CISA, "CISA Releases Two Industrial Control Systems Advisories"
Background
CISA issues regular ICS advisories to call attention to vulnerabilities and exploits that affect operational technology (OT) and industrial control systems (ICS). These advisories consolidate vendor technical details, severity metrics, and recommended mitigations so asset owners can prioritize remediation in production environments. The two advisories referenced here were published as distinct ICS advisories on March 11, 2025 and are registered under CISA alert identifiers that point to the vendor advisories and assigned CVE identifiers.
The security picture for ICS remains strained: security researchers and vendors continue to find software design flaws — from hard‑coded secrets to exposed management services — in tools commonly used by engineering and building‑automation teams. Meanwhile, public analysis shows a widening population of internet‑accessible industrial systems, increasing the risk surface for opportunistic and targeted attackers.
What CISA released (executive summary)
- ICSA-25-070-01: Schneider Electric — Uni‑Telway driver (improper input validation; denial‑of‑service risk; CVE‑2024‑10083; CVSS v4 ≈ 6.8). CISA notes the vulnerability affects Uni‑Telway drivers installed in several Schneider products and is not remotely exploitable; mitigation guidance focuses on uninstalling the driver if not required and applying workstation hardening.
- ICSA-25-070-02: Optigo Networks — Visual BACnet Capture Tool / Optigo Visual Networks Capture Tool (multiple vulnerabilities including hard‑coded secrets and an exposed web management service that can lead to authentication bypass; CVE‑2025‑2079, CVE‑2025‑2080, CVE‑2025‑2081; CVSS v4 up to 9.3). CISA classifies these issues as remotely exploitable with low attack complexity and recommends immediate upgrades to patched capture‑tool releases while emphasizing network isolation and access restriction.
Schneider Electric Uni‑Telway driver — technical breakdown
What’s affected
- Affected component: Uni‑Telway driver and instances where the driver is installed inside EcoStruxure Control Expert, EcoStruxure Process Expert, Process Expert for AVEVA System Platform, and OPC Factory Server.
- Scope: CISA and Schneider indicate all versions where the Uni‑Telway driver is installed are impacted; some newer product releases no longer include the driver by default.
Vulnerability class and impact
- Root cause: Improper input validation (CWE‑20).
- CVE: CVE‑2024‑10083 assigned.
- Consequence: Crafted input to a driver interface invoked locally by an authenticated user could trigger a denial‑of‑service (DoS) on engineering workstations, potentially halting engineering operations and requiring manual recovery. CISA’s analysis concludes this vulnerability is not remotely exploitable — the attacker needs local access to the engineering workstation.
Severity and scoring
- CISA reports a CVSS v4 base score of 6.8 (medium–high impact on availability), and provides a CVSS v3.1 vector consistent with a local‑attack, privileges required scenario. These scores reflect the real consequence to engineering availability rather than remote compromise.
Mitigations recommended
- Uninstall the Uni‑Telway driver if it is not required.
- Apply Schneider Electric’s recommended workstation and network hardening guidance and consider application control solutions (e.g., McAfee Application and Change Control as noted by Schneider).
- Where feasible, upgrade to product versions that do not include the Uni‑Telway driver by default (Schneider documented that some product versions removed it). CISA further emphasizes network segregation and limiting exposure to the internet.
Practical implications for operators
- Because the issue is local rather than remote, the highest‑risk scenarios are those where engineering workstations are left accessible to untrusted users or where remote access tooling allows attackers to execute local interfaces.
- ICS teams should audit which workstations have the Uni‑Telway driver installed, perform a risk assessment for functionality loss if the driver is removed, and plan controlled removal or hardening as part of maintenance windows.
Optigo Networks Capture Tool — technical breakdown
What’s affected
- Affected products: Visual BACnet Capture Tool v3.1.2rc11 and Optigo Visual Networks Capture Tool v3.1.2rc11.
- Vendor response: Optigo released patched software (v3.1.3rc8) and strongly recommends immediate upgrade.
Vulnerability classes and CVEs
- Use of hard‑coded, security‑relevant constants (CWE‑547) — a hard‑coded secret key that enables forged JWT sessions. (Described under CVE‑2025‑2079 and CVE‑2025‑2081 across the advisories.)
- Authentication bypass using an alternate path or channel (CWE‑288) — an exposed web management service that bypasses authentication and can give an attacker control over the product’s management functions. (CVE‑2025‑2080.)
Severity and exploitability
- CISA assigns the Optigo advisory a CVSS v4 up to 9.3 for the critical authentication bypass CVE and flags the issues as exploitable remotely with low attack complexity. That combination — remote authentication bypass plus token forgery — elevates Optigo’s advisory into a critical category for building automation and BAS engineers.
Vendor fix and guidance
- Optigo’s public advisory and support pages instruct customers to upgrade immediately to v3.1.3rc8 for the capture tool. The vendor also reinforces deployment best practices: install the capture tool only on secured hosts, restrict network access to the host by firewall and segmentation, and avoid installation on hosts that are reachable from unsecured networks.
Why this matters operationally
- Capture tools routinely run on laptops or virtual machines used by integrators and facility teams to analyze BACnet traffic. If the tool itself can be remotely controlled or impersonated, attackers can intercept or manipulate diagnostic traffic and potentially subvert engineering activities.
- Compromise of a capture tool on an administrative host can provide lateral pivoting opportunities into building‑automation controllers and other management interfaces — a classic example where a seemingly benign utility becomes an operational pivot.
Cross‑validation of facts (why multiple sources matter)
CISA’s advisories summarize vendor findings and provide CVSS scoring; vendor pages and advisories confirm affected versions and published fixes; third‑party CVE aggregators and security advisories replicate the findings and list CVE numbers and scoring. For Schneider’s Uni‑Telway driver, both CISA and Schneider’s SEVD notice describe the same affected products and the non‑remote nature of the issue.
For Optigo, CISA’s ICSA and Optigo’s own release both show that the vendor has released patched versions and that the issue includes hard‑coded credentials and authentication bypass paths. External CVE entries used by vulnerability databases confirm the assigned CVE identifiers and the high severity of some of the Optigo issues. This cross‑referencing confirms the technical facts and helps asset owners prioritize patching.
Risk analysis — who is affected, and how bad is it?
Sectors at risk
- Schneider Uni‑Telway: affects Commercial Facilities, Critical Manufacturing, and Energy sectors where EcoStruxure products are used. The impact is mainly to engineering workstation availability.
- Optigo Capture Tool: affects Information Technology and Building Automation deployments worldwide — hotels, campuses, healthcare facilities, and commercial buildings that rely on BACnet monitoring and capture tools. Because Optigo recommends the tool be installed on protected hosts, environments that run capture tools on mobile laptops or poorly segmented hosts are at particular risk.
Risk vectors and attack scenarios
- Local privilege misuse: For Uni‑Telway, an attacker or malicious insider with access to an engineering workstation could induce a DoS, interrupting engineering tasks during critical maintenance or configuration changes.
- Remote compromise of admin tooling: For Optigo Capture Tool, a remote attacker could bypass authentication and manipulate or intercept BACnet captures, or forge tokens to masquerade as legitimate users — enabling stealthy reconnaissance or active manipulation of device management traffic. This vector is extremely dangerous because capture tools are frequently trusted devices on OT networks.
Likelihood and impact
- Likelihood: Optigo’s failure modes (remote, low complexity, exposed web services and hard‑coded keys) make exploitation more likely in exposed or poorly segmented deployments. Schneider’s issue requires local access, so likelihood is lower for well‑segmented environments but remains high for environments that allow broad access to engineering hosts.
- Impact: Optigo’s authentication bypass is the higher‑impact issue (confidentiality, integrity, and availability) while Schneider’s Uni‑Telway vulnerability is an availability risk. Combined, they illustrate that both tooling and drivers in OT stacks can be materially dangerous.
Recommended immediate actions for operators (what to do now)
Follow this prioritized checklist to reduce exposure quickly and safely:
- Inventory affected assets: identify all engineering workstations and hosts running Schneider Uni‑Telway drivers and all hosts running Optigo Capture Tool v3.1.2rc11.
- Apply vendor fixes where available: upgrade Optigo Capture Tool to v3.1.3rc8 (or later) immediately. For Schneider, follow the vendor advisory and plan removal of Uni‑Telway if it is not needed, or apply Schneider’s recommended mitigations and product updates.
- Isolate and segment: ensure engineering workstations and capture‑tool hosts are on segmented, restricted OT networks behind firewalls; deny direct internet access.
- Harden hosts: enable application whitelisting, disk encryption where appropriate, and strong host authentication; remove unnecessary services and management endpoints.
- Apply access controls: restrict local administrative rights to a minimum and ensure remote management requires multi‑factor authentication and secure VPNs that are updated and monitored.
- Monitor and hunt: add detection for anomalous web‑service access patterns, JWT token anomalies, and suspicious requests to capture‑tool management endpoints; hunt for signs of token forgery or unusual BACnet‑capture uploads.
- Communicate to stakeholders: notify integrators, third‑party contractors, and operational teams about the upgrade requirement and any planned maintenance windows.
Detection and monitoring: practical indicators of compromise (IoCs)
- Unexpected web management hits against the capture tool’s ports or endpoints from non‑admin hosts.
- JWT tokens created with the same signature pattern across different hosts (indicator of a hard‑coded secret reuse).
- Abnormal BACnet capture uploads, new sessions from external IPs, or any remote traffic to engineering‑workstation management interfaces.
- Host‑level anomalies on engineering machines hosting the Uni‑Telway driver (unexpected crashes, driver interface invocation with malformed data, or repeated process restarts).
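The first three indicators above (management‑endpoint hits from non‑admin hosts, the same JWT presented from different hosts, and sessions from external addresses) can be checked mechanically against the capture tool’s web access log. The following is an added example written for this article, not Optigo’s or CISA’s code; the log line format, the management path prefixes, the admin host allowlist and the sample tokens are all constructed assumptions that must be adapted to the real deployment.

```python
import base64
import ipaddress
import json
import re
from collections import defaultdict

# Assumptions (not from the advisory): which paths count as management
# endpoints and which hosts are allowed to reach them.
MGMT_PREFIXES = ("/admin", "/api/manage")
ADMIN_HOSTS = {"10.20.1.5"}
# RFC 1918 ranges only; Python's is_private also matches documentation
# ranges such as 203.0.113.0/24, which would hide our constructed sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def fake_jwt(claims: dict, sig: str) -> str:
    """Constructed token for the sample log; the third part is a label,
    not a real HMAC, because only its reuse across hosts is inspected."""
    hdr = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    return f"{hdr}.{_b64url(json.dumps(claims).encode())}.{sig}"

# Constructed sample access log: "<src_ip> <method> <path> <status> <token>"
SAMPLE_LOG = "\n".join([
    f"10.20.1.5 GET /api/captures 200 {fake_jwt({'sub': 'ops'}, 'SIGA')}",
    f"10.20.1.5 GET /admin/users 200 {fake_jwt({'sub': 'ops'}, 'SIGA')}",
    f"10.20.7.33 GET /admin/users 200 {fake_jwt({'sub': 'ops'}, 'SIGA')}",
    f"203.0.113.9 POST /api/manage/config 200 {fake_jwt({'sub': 'admin'}, 'SIGB')}",
    f"10.20.7.40 GET /api/captures 200 {fake_jwt({'sub': 'svc'}, 'SIGC')}",
])

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")

def jwt_signature(token: str):
    """Return the signature segment of a compact JWT, or None if malformed."""
    parts = token.split(".")
    return parts[2] if len(parts) == 3 else None

def analyze(log_text: str) -> list:
    """Apply the three log-based indicators and return a list of findings."""
    findings = []
    sig_hosts = defaultdict(set)          # signature -> source hosts seen
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _method, path, _status, token = m.groups()
        if path.startswith(MGMT_PREFIXES) and src not in ADMIN_HOSTS:
            findings.append({"rule": "mgmt_from_non_admin", "src": src, "path": path})
        if not any(ipaddress.ip_address(src) in n for n in INTERNAL_NETS):
            findings.append({"rule": "external_source", "src": src, "path": path})
        sig = jwt_signature(token)
        if sig:
            sig_hosts[sig].add(src)
    for sig, hosts in sig_hosts.items():
        if len(hosts) > 1:               # one session token, several hosts
            findings.append({"rule": "token_shared_across_hosts",
                             "sig": sig, "hosts": sorted(hosts)})
    return findings
```

Run `analyze(SAMPLE_LOG)` to see the four findings the constructed log produces; feed real log lines in the same shape to hunt in a live environment.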
Patch management and change‑control guidance (step‑by‑step)
- Triage: Confirm affected versions using vendor guidance and local inventories.
- Test in staging: Deploy vendor patches (Optigo v3.1.3rc8; Schneider guidance) in a test environment and validate BAS and controller interactions.
- Backups and rollback: Snapshot host images and backup configurations before applying changes to engineering workstations or capture‑tool hosts.
- Deploy during approved maintenance windows: Coordinate with facilities and operations to minimize disruption.
- Post‑patch verification: Validate that expected services are accessible only by authorized users, JWT token behavior is normalized, and no unexpected management ports remain open.
- Document: Record the change, validation steps, and any deviations for auditing and future incident response.
Vendor coordination and supply‑chain considerations
- Validate vendor notices: always confirm CISA summaries with vendor security advisories and CVE entries. Both Schneider and Optigo published vendor advisories and update mechanisms for these issues; those vendor channels are the authoritative source for remediation steps.
- Request SBOM/telemetry where possible: organizations should ask vendors and integrators for software‑bill‑of‑materials (SBOM) information and telemetry support to accelerate future response.
- Contractual obligations: ensure service contracts and SLAs with integrators cover timely security patching and coordinated vulnerability disclosure processes.
Strategic implications for ICS security
- Utility of administrative tooling as an attack vector: The Optigo case underscores that diagnostic and capture tools are attractive targets. Security teams must treat these tools with the same scrutiny as controllers and HMIs.
- Local vs. remote risk is not binary: Schneider’s Uni‑Telway demonstrates that local vulnerabilities can still create operational outages; remote access or poor segmentation transforms local flaws into systemic risks.
- Patch cadence and operational friction: OT environments often delay patching for stability reasons. That reality raises the importance of compensating controls — network segmentation, application control, and hardened remote access — to reduce exposure while planning safe patch windows.
- Visibility and inventory gaps: The recurring theme in advisories is the need for accurate inventories of where drivers, utilities, and capture tools are installed. Asset visibility is the single highest‑leverage control for prioritizing mitigation work.
Broader context: why advisories like these matter now
Two converging trends amplify the urgency of acting on ICS advisories:
- A measurable rise in exposed industrial systems and BAS instances on public networks increases the probability of opportunistic exploitation. Security industry analysis highlights a growing number of industrial endpoints that remain internet‑reachable.
- Government and inter‑agency signals show intense focus on hardening critical infrastructure against state and criminal threat actors. However, organizational constraints — including reduced federal capacity during funding disruptions — can limit centralized response support, placing more responsibility on operators and vendors to act decisively.
Caveats and unverifiable items
- No public exploitation yet: CISA reported no known public exploitation of these specific vulnerabilities at the time of publication. That does not eliminate risk — absence of evidence is not evidence of absence — and asset owners should operate under the assumption that opportunistic scanners and attackers will attempt to exploit high‑severity, easy‑to‑exploit flaws quickly.
- Version telemetry: Operators must verify versions on their own systems; vendor statements about “all versions” or “removed by default in newer versions” require on‑site verification because packaged distributions and integrator images can vary by deployment. Treat vendor notices as the starting point for a verification process.
Final assessment — strengths and residual risks
Strengths:
- Rapid disclosure: Both vendors and CISA produced advisories and vendor patches promptly, enabling defenders to act.
- Clear remediation paths: Optigo published a specific, fixed version; Schneider provided uninstall and mitigation guidance and noted that some product releases omit the driver by default, reducing future risk surface.
Residual risks:
- Operational delay: OT change‑control windows mean many sites will be slow to patch, leaving a window of exposure for remotely exploitable Optigo issues.
- Trust in utilities: Administrators often overlook diagnostic tools when performing threat modeling; such oversight raises the likelihood of lateral compromise if attention is not corrected.
- Inventory blind spots: Unknown or unmanaged hosts running capture tools or drivers will remain vulnerable until discovered and remediated.
Conclusion
CISA’s advisories highlighting Schneider Electric’s Uni‑Telway driver and Optigo Networks’ Capture Tool underscore a recurring pattern: components that appear peripheral to production — drivers and capture utilities — can create outsized operational and security risk. Operators should act immediately to inventory affected systems, apply vendor patches, harden and segment host deployments, and deploy detection for the specific indicators described above. Cross‑referencing CISA guidance with vendor releases and CVE databases will ensure remediation steps are accurate and complete; failure to act quickly on the Optigo fixes, in particular, leaves building‑automation environments exposed to high‑impact remote compromise.
Implementing the recommended checklist, coordinating with vendors and integrators for controlled patching, and improving host‑level controls and monitoring will materially reduce risk to engineering operations and building management systems. The path forward requires both tactical responses today and strategic hardening to prevent the same class of vulnerabilities from becoming systemic problems tomorrow.