The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released eight Industrial Control System (ICS) advisories on June 24, 2025, highlighting critical vulnerabilities across global industrial infrastructure.
These advisories cover systems ranging from terminal operating systems to electric vehicle charging stations, with multiple vulnerabilities allowing remote code execution and data theft.
The coordinated disclosure impacts vendors, including Schneider Electric, Kaleris, and ControlID, with several flaws rated critical under CVSS v4 scoring.
High-Risk Terminal and Controller Vulnerabilities
Kaleris Navis N4 Terminal Operating System (ICSA-25-175-01) contains two critical flaws: CVE-2025-2566 (CVSS v4 9.3) enables remote code execution through unsafe Java deserialization, while CVE-2025-5087 (CVSS v4 6.0) allows credential theft via cleartext transmission.
Versions before 4.0 are affected and require immediate patching or network segmentation.
Schneider Electric Modicon Controllers (ICSA-25-175-03) face three unpatched vulnerabilities (CVE-2025-3905, CVE-2025-3116, CVE-2025-3117), with mitigations limited to firewall restrictions and VPN usage until a firmware update is released.
End-of-Life and Authentication Bypass Threats
Schneider Electric’s discontinued EVLink WallBox (ICSA-25-175-04) carries three vulnerabilities (path traversal, XSS, OS command injection) rated CVSS v4 8.6, permitting full device takeover.
With no vendor patches available, CISA mandates firewall isolation and WPA3 encryption.
ControlID iDSecure On-Premises (ICSA-25-175-05) has a CVSS v4 9.3-rated improper authentication flaw enabling system compromise alongside SSRF and SQL injection risks.
No remediation timeline is provided.
Web Application and Legacy System Risks
Parsons AccuWeather Widget (ICSA-25-175-06) contains a cross-site scripting vulnerability (CVE-2025-5015, CVSS v4 8.7) that allows malicious content to be injected through RSS feeds.
While cloud instances are patched, on-premise deployments require manual updates.
Mitsubishi Electric MELSEC-Q Series PLCs (ICSA-19-029-02) received Update B for legacy vulnerabilities, emphasizing the persistent threats to outdated industrial equipment.
CISA urges immediate review of all advisories, prioritizing network segmentation and credential hardening.
The agency notes no active exploitation but warns that unmitigated systems risk operational disruption and critical infrastructure compromise.