Industrial giants Siemens, Schneider Electric, Mitsubishi Electric and Moxa have published new Patch Tuesday advisories covering vulnerabilities in their ICS products.
According to SecurityWeek, Siemens and Schneider Electric have each published six new advisories, with Schneider detailing issues across EcoStruxure IT Data Center Expert (hardcoded credentials), EcoStruxure Power Monitoring Expert and Power Operation (local arbitrary code execution), and EcoStruxure Automation Expert (command execution and full system compromise). Medium-severity flaws are listed for Modicon controllers (DoS, account takeover via XSS) and EcoStruxure Foxboro DCS (remote code execution).
Siemens’ disclosures include a critical stored XSS in Simatic S7-1500 devices and a potentially severe misconfiguration in Mendix applications, plus notes about vulnerabilities introduced by Fortinet, OpenSSL and other third-party components. Higher- and medium-severity issues were fixed in the Sicam Siapp SDK, and there is a low-severity fix in Heliox EV chargers.
Mitsubishi Electric published one advisory describing a remotely exploitable DoS in its Numerical Control Systems (including C80, M800, M800V and M700V series). Moxa issued four advisories, three related to Intel vulnerabilities and a fourth stating its products are not affected by a recent GNU Inetutils flaw.