
Vulnerability Pulse

Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of April 21 - 27. Sign up to get these updates right to your inbox!

APRIL 25, 2024

Hitachi Energy RTU500 Series

Hitachi Energy RTU500 Series contains an unrestricted upload of file with dangerous type vulnerability that can allow an attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.


Sources: CISA, Hitachi Energy

Hitachi Energy MACH SCM

Hitachi Energy MACH SCM contains improper control of generation of code and improper neutralization of directives in dynamically evaluated code vulnerabilities that can result in arbitrary code execution.


Sources: CISA, Hitachi Energy

Siemens RUGGEDCOM APE1808 Devices 

Siemens RUGGEDCOM APE1808 Devices contain a command injection vulnerability that can allow an attacker to execute arbitrary code with root privileges.


Sources: CISA, Siemens

Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, Safety Manager SC

Honeywell Experion PKS, Experion LX, PlantCruise by Experion, Safety Manager, and Safety Manager SC contain absolute path traversal, stack-based buffer overflow, out-of-bounds write, and other vulnerabilities that can disclose sensitive information, allow privilege escalation, or allow remote code execution.


Sources: CISA, Honeywell

Mitsubishi Electric MELSEC Series CPU Module (Update D)

Mitsubishi Electric MELSEC Series CPU Module (Update D) contains a classic buffer overflow vulnerability that can allow a remote attacker to cause a denial-of-service condition or execute malicious programs on a target product by sending specially crafted packets.


Sources: Mitsubishi Electric, CISA

Rockwell Automation 5015-AENFTXT (Update A)

Rockwell Automation 5015-AENFTXT (Update A) contains an improper input validation vulnerability that can allow an attacker to crash the device and impact availability for the affected system.


Sources: CISA, Rockwell Automation

APRIL 23, 2024

Chirp Systems Chirp Access (Update B)

Chirp Systems Chirp Access (Update B) contains a use of hard-coded password vulnerability that can allow an attacker to adjust Beacon configuration settings and disable the Bluetooth functionality of the system it is integrated on.


Sources: CISA, Chirp Systems
