Author: CISA

  • Siemens Opcenter Quality

    As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

    1. EXECUTIVE SUMMARY

    • CVSS v3 7.1
    • ATTENTION: Exploitable from adjacent network/low attack complexity
    • Vendor: Siemens
    • Equipment: Opcenter Quality
    • Vulnerabilities: Incorrect Authorization, Missing Encryption of Sensitive Data, Generation of Error Message Containing Sensitive Information, Insufficient Session Expiration, Use of a Broken or Risky Cryptographic Algorithm

    2. RISK EVALUATION

    Successful exploitation of these vulnerabilities could allow an attacker to gain complete access to the application, access sensitive information, access session information, or carry out a machine-in-the-middle attack and compromise the confidentiality and integrity of data.

    3. TECHNICAL DETAILS

    3.1 AFFECTED PRODUCTS

    Siemens reports that the following products are affected:

    • Siemens SmartClient modules Opcenter QL Home (SC): Versions between 13.2 and 2506
    • Siemens SOA Audit: Versions between 13.2 and 2506
    • Siemens SOA Cockpit: Versions between 13.2 and 2506

    3.2 VULNERABILITY OVERVIEW

    3.2.1 INCORRECT AUTHORIZATION CWE-863

    The affected application does not enforce mandatory server-side authorization for some functionality. This could allow an authenticated attacker to gain complete access to the application.

    CVE-2024-41979 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).

    3.2.2 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

    The affected application does not encrypt communication on the LDAP interface by default. This could allow an authenticated attacker to gain unauthorized access to sensitive information.

    CVE-2024-41980 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N).

    3.2.3 MISSING ENCRYPTION OF SENSITIVE DATA CWE-311

    The affected application does not adequately encrypt sensitive information. This could allow an authenticated attacker to gain access to sensitive information.

    CVE-2024-41982 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N).

    3.2.4 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

    The affected application displays the SQL statement in error messages encountered while generating reports with the Cockpit tool.

    CVE-2024-41983 has been assigned to this vulnerability. A CVSS v3.1 base score of 3.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N).

    3.2.5 GENERATION OF ERROR MESSAGE CONTAINING SENSITIVE INFORMATION CWE-209

    The affected application improperly handles errors when accessing an inaccessible resource, which exposes information about the system's applications.

    CVE-2024-41984 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N).

    3.2.6 INSUFFICIENT SESSION EXPIRATION CWE-613

    The affected application does not expire sessions unless the user logs out. This could allow an attacker to gain unauthorized access if a session is left idle.

    CVE-2024-41985 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N).

    3.2.7 USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327

    The affected application supports the insecure TLS 1.0 and 1.1 protocols. An attacker could carry out a man-in-the-middle attack and compromise the confidentiality and integrity of data.

    CVE-2024-41986 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L).

    3.3 BACKGROUND

    • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
    • COUNTRIES/AREAS DEPLOYED: Worldwide
    • COMPANY HEADQUARTERS LOCATION: Germany

    3.4 RESEARCHER

    Siemens reported these vulnerabilities to CISA.

    4. MITIGATIONS

    Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

    • All affected products: Update to V2506 or later version
    • (CVE-2024-41979) All affected products: The SmartClient should be operated in a secured network and context only
    • (CVE-2024-41979) All affected products: Remove all tools that make it possible to call SOAP services from outside the SmartClient
    • (CVE-2024-41979) All affected products: The hardening instructions in the product's security concept should be followed
    • (CVE-2024-41980) All affected products: Harden the LDAP interface by enabling the SSL flag in the configuration and setting up your TLS configuration properly
    • (CVE-2024-41980) All affected products: All users (including those in LDAP) should be given the least privileges required
    • (CVE-2024-41982) All affected products: Limit the permission to access those fields using the least privilege strategy
    • (CVE-2024-41983) All affected products: Do not use original table structures and accounts for reporting. Create your own reporting accounts which have access via synonyms that forward to views representing the result sets the user may use for evaluation
    • (CVE-2024-41983) All affected products: Use DB tools to limit the load on productive systems from reporting accounts, or use offline systems for reporting
    • (CVE-2024-41983) All affected products: Harden your IIS
    • (CVE-2024-41983) All affected products: Prevent any scanning of structures and configurations
    • (CVE-2024-41983) All affected products: Limit the information presented to the end user to the minimum possible, based on the need-to-know principle
    • (CVE-2024-41984) All affected products: Hardening of the solution, including the OS and IIS, is required, with specific measures such as hiding the IIS version
    • (CVE-2024-41984) All affected products: Users should not be able to scan folders, and the file extensions allowed to be opened should be limited to those required
    • (CVE-2024-41986) All affected products: Disable all protocols (SSL v2/v3, TLS 1.0, TLS 1.1) the solution should not use
    • (CVE-2024-41986) All affected products: Ensure TLS 1.2 is enabled if you plan to use it
    • (CVE-2024-41986) All affected products: Follow the instructions in the Opcenter Quality security concept and those of the vendors

    As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

    Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

    For more information see the associated Siemens security advisory SSA-382999 in HTML and CSAF.

    CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

    • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
    • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
    • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

    CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

    CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

    CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

    Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

    Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

    CISA also recommends users take the following measures to protect themselves from social engineering attacks:

    No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.

    5. UPDATE HISTORY

    • August 14, 2025: Initial Republication of Siemens ProductCERT SSA-382999
  • Siemens RUGGEDCOM CROSSBOW Station Access Controller

    As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).


    1. EXECUTIVE SUMMARY

    • CVSS v4 6.9
    • ATTENTION: Exploitable remotely/low attack complexity
    • Vendor: Siemens
    • Equipment: RUGGEDCOM CROSSBOW Station Access Controller (SAC)
    • Vulnerabilities: Heap-Based Buffer Overflow, Integer Overflow or Wraparound

    2. RISK EVALUATION

    Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code or create a denial-of-service condition.

    3. TECHNICAL DETAILS

    3.1 AFFECTED PRODUCTS

    Siemens reports that the following products are affected:

    • RUGGEDCOM CROSSBOW Station Access Controller (SAC): Versions prior to V5.7

    3.2 VULNERABILITY OVERVIEW

    3.2.1 HEAP-BASED BUFFER OVERFLOW CWE-122

    An integer overflow can be triggered in SQLite's concat_ws() function. The resulting truncated integer is then used to allocate a buffer. When SQLite then writes the resulting string to the buffer, it uses the original, untruncated size, so a wild heap buffer overflow of size 4 GB can be triggered. This can result in arbitrary code execution.

    CVE-2025-3277 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L).

    A CVSS v4 score has also been calculated for CVE-2025-3277. A base score of 6.9 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L).

    3.2.2 INTEGER OVERFLOW OR WRAPAROUND CWE-190

    In SQLite, the concat_ws() SQL function can cause memory to be written beyond the end of a malloc-allocated buffer. If the separator argument is attacker-controlled and is a large string (e.g., 2 MB or more), an integer overflow occurs when calculating the size of the result buffer, so malloc may not allocate enough memory.

    CVE-2025-29087 has been assigned to this vulnerability. A CVSS v3.1 base score of 5.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H).
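
    The size arithmetic described in 3.2.1 and 3.2.2, as an added C example that is not SQLite's or Siemens' code: the 32-bit computation wraps to a tiny allocation size while the copy would write the real, unwrapped byte count, and a 64-bit bound-checked version refuses the allocation instead. MAX_RESULT_LEN, the 2 MB separator and the 2049-argument shape are constructed values, not taken from SQLite's sources.

```c
/*
 * Added example, not SQLite's or Siemens' code. It models the length
 * arithmetic behind the concat_ws() flaw: the result size is summed in a
 * 32-bit integer, a multi-megabyte separator repeated across many arguments
 * wraps it, the wrapped (tiny) value goes to malloc, and the copy loop then
 * writes the real number of bytes past the buffer's end. The hardened variant
 * uses 64-bit arithmetic against an explicit cap and refuses to allocate.
 * MAX_RESULT_LEN, the 2 MB separator and 2049 arguments are constructed values.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_RESULT_LEN 1000000000LL   /* assumed engine-wide cap on a string */

/* Vulnerable pattern: 32-bit arithmetic. uint32_t is used so the wraparound
 * is well defined in this demo; the effect is the same truncated size. */
static uint32_t wrapped_result_len(uint32_t nsep, uint32_t argc,
                                   const uint32_t *arg_lens)
{
    uint32_t n = 0;
    for (uint32_t i = 0; i < argc; i++) n += arg_lens[i];
    if (argc > 1) n += nsep * (argc - 1);   /* 2^21 * 2^11 == 2^32 wraps to 0 */
    return n;
}

/* Hardened pattern: 64-bit arithmetic, bound-checked before every step.
 * Returns the exact byte count, or -1 if it would overflow or exceed the cap. */
static int64_t checked_result_len(size_t nsep, size_t argc,
                                  const size_t *arg_lens)
{
    int64_t n = 0;
    for (size_t i = 0; i < argc; i++) {
        if ((int64_t)arg_lens[i] > MAX_RESULT_LEN - n) return -1;
        n += (int64_t)arg_lens[i];
    }
    if (argc > 1 && nsep > 0) {
        int64_t seps = (int64_t)argc - 1;
        /* divide first so the multiplication itself cannot overflow */
        if (seps > MAX_RESULT_LEN / (int64_t)nsep) return -1;
        if (seps * (int64_t)nsep > MAX_RESULT_LEN - n) return -1;
        n += seps * (int64_t)nsep;
    }
    return n;
}

/* concat_ws with the hardened check: allocates exactly the checked length + 1
 * and copies exactly that many bytes. Returns NULL when the length is refused
 * (or on allocation failure); the caller frees the result. */
static char *concat_ws_checked(const char *sep, size_t argc,
                               const char *const *args)
{
    size_t nsep = strlen(sep);
    size_t *lens = argc ? malloc(argc * sizeof *lens) : NULL;
    if (argc && !lens) return NULL;
    for (size_t i = 0; i < argc; i++) lens[i] = strlen(args[i]);
    int64_t total = checked_result_len(nsep, argc, lens);
    free(lens);
    if (total < 0) return NULL;
    char *out = malloc((size_t)total + 1);
    if (!out) return NULL;
    char *p = out;
    for (size_t i = 0; i < argc; i++) {
        if (i > 0) { memcpy(p, sep, nsep); p += nsep; }
        size_t len = strlen(args[i]);
        memcpy(p, args[i], len);
        p += len;
    }
    *p = '\0';
    return out;
}

/* The shape the advisory describes: a 2 MB separator and enough one-byte
 * arguments that nsep * (argc - 1) is exactly 2^32. Only lengths are computed;
 * *wrapped gets the 32-bit size, the return is the checked result (-1 = refused). */
static int64_t large_separator_case(uint32_t *wrapped)
{
    enum { ARGC = 2049 };
    const size_t nsep = 2u * 1024u * 1024u;   /* constructed 2 MB separator */
    uint32_t lens32[ARGC];
    size_t lens[ARGC];
    for (size_t i = 0; i < ARGC; i++) { lens32[i] = 1; lens[i] = 1; }
    *wrapped = wrapped_result_len((uint32_t)nsep, ARGC, lens32);
    return checked_result_len(nsep, ARGC, lens);
}

int main(void)
{
    uint32_t wrapped = 0;
    int64_t checked = large_separator_case(&wrapped);
    printf("32-bit size handed to malloc: %u bytes\n", wrapped);
    printf("64-bit checked size: %lld (negative = refused)\n", (long long)checked);
    const char *args[] = { "a", "bb", "ccc" };
    char *s = concat_ws_checked("-", 3, args);
    printf("concat_ws_checked(\"-\", a, bb, ccc) = %s\n", s ? s : "(refused)");
    free(s);
    return 0;
}
```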

    3.2.3 INTEGER OVERFLOW OR WRAPAROUND CWE-190

    A vulnerability in SQLite allows an attacker to cause a denial of service via the SQLITE_DBCONFIG_LOOKASIDE component.

    CVE-2025-29088 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

    3.3 BACKGROUND

    • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
    • COUNTRIES/AREAS DEPLOYED: Worldwide
    • COMPANY HEADQUARTERS LOCATION: Germany

    3.4 RESEARCHER

    Siemens reported these vulnerabilities to CISA.

    4. MITIGATIONS

    Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

    • RUGGEDCOM CROSSBOW Station Access Controller (SAC): Update to V5.7 or later version

    As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

    Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

    For more information see the associated Siemens security advisory SSA-994087 in HTML and CSAF.

    CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

    • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
    • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
    • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

    CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

    CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

    CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

    Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

    Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

    CISA also recommends users take the following measures to protect themselves from social engineering attacks:

    No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

    5. UPDATE HISTORY

    • August 14, 2025: Initial Republication of Siemens ProductCERT SSA-994087
  • Siemens SIPROTEC 5

    As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).


    1. EXECUTIVE SUMMARY

    • CVSS v4 2.4
    • ATTENTION: Low attack complexity
    • Vendor: Siemens
    • Equipment: SIPROTEC 5
    • Vulnerability: Allocation of Resources Without Limits or Throttling

    2. RISK EVALUATION

    Successful exploitation of this vulnerability could allow an attacker with physical access to send specially crafted packets at high bandwidth to the affected devices, forcing them to exhaust their memory and stop responding to any network traffic via the local USB port.

    3. TECHNICAL DETAILS

    3.1 AFFECTED PRODUCTS

    Siemens reports that the following products are affected:

    • SIPROTEC 5 6MD84 (CP300): Versions prior to V10.0
    • SIPROTEC 5 7SD82 (CP150): Versions prior to V10.0
    • SIPROTEC 5 7SD86 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SD87 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SJ81 (CP150): Versions prior to V10.0
    • SIPROTEC 5 7SJ82 (CP150): Versions prior to V10.0
    • SIPROTEC 5 7SJ85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SJ86 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SK82 (CP150): Versions prior to V10.0
    • SIPROTEC 5 7SK85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SL82 (CP150): Versions prior to V10.0
    • SIPROTEC 5 6MD85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SL86 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SL87 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SS85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7ST85 (CP300): Versions prior to V10.0
    • SIPROTEC 5 7ST86 (CP300): Versions prior to V10.0
    • SIPROTEC 5 7SX82 (CP150): Versions prior to V10.0
    • SIPROTEC 5 7SX85 (CP300): Versions prior to V10.0
    • SIPROTEC 5 7SY82 (CP150): Versions prior to V10.0
    • SIPROTEC 5 7UM85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7UT82 (CP150): Versions prior to V10.0
    • SIPROTEC 5 6MD86 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7UT85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7UT86 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7UT87 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7VE85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7VK87 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7VU85 (CP300): Versions prior to V10.0
    • SIPROTEC 5 Compact 7SX800 (CP050): Versions prior to V10.0
    • SIPROTEC 5 6MD89 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 6MU85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7KE85 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SA82 (CP150): Versions prior to V10.0
    • SIPROTEC 5 7SA86 (CP300): Versions V7.80 up to but not including V10.0
    • SIPROTEC 5 7SA87 (CP300): Versions V7.80 up to but not including V10.0

    3.2 VULNERABILITY OVERVIEW

    3.2.1 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

    Affected devices do not properly limit the bandwidth of incoming network packets over their local USB port. This could allow an attacker with physical access to send specially crafted packets at high bandwidth to the affected devices, forcing them to exhaust their memory and stop responding to any network traffic via the local USB port. Affected devices reset themselves automatically after a successful attack. The protection function is not affected by this vulnerability.

    CVE-2025-40570 has been assigned to this vulnerability. A CVSS v3.1 base score of 2.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).

    A CVSS v4 score has also been calculated for CVE-2025-40570. A base score of 2.4 has been calculated; the CVSS vector string is (CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N).

    3.3 BACKGROUND

    • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
    • COUNTRIES/AREAS DEPLOYED: Worldwide
    • COMPANY HEADQUARTERS LOCATION: Germany

    3.4 RESEARCHER

    Siemens reported this vulnerability to CISA.

    4. MITIGATIONS

    Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

    • SIPROTEC 5 6MD84 (CP300), SIPROTEC 5 6MD85 (CP300), SIPROTEC 5 6MD86 (CP300), SIPROTEC 5 6MD89 (CP300), SIPROTEC 5 6MU85 (CP300), SIPROTEC 5 7KE85 (CP300), SIPROTEC 5 7SA86 (CP300), SIPROTEC 5 7SA87 (CP300), SIPROTEC 5 7SD86 (CP300), SIPROTEC 5 7SD87 (CP300), SIPROTEC 5 7SJ85 (CP300), SIPROTEC 5 7SJ86 (CP300), SIPROTEC 5 7SK85 (CP300), SIPROTEC 5 7SL86 (CP300), SIPROTEC 5 7SL87 (CP300), SIPROTEC 5 7SS85 (CP300), SIPROTEC 5 7ST85 (CP300), SIPROTEC 5 7ST86 (CP300), SIPROTEC 5 7SX85 (CP300), SIPROTEC 5 7UM85 (CP300), SIPROTEC 5 7UT85 (CP300), SIPROTEC 5 7UT86 (CP300), SIPROTEC 5 7UT87 (CP300), SIPROTEC 5 7VE85 (CP300), SIPROTEC 5 7VK87 (CP300), SIPROTEC 5 7VU85 (CP300): Update to V10.0 or later version
    • SIPROTEC 5 7SA82 (CP150), SIPROTEC 5 7SD82 (CP150), SIPROTEC 5 7SJ81 (CP150), SIPROTEC 5 7SJ82 (CP150), SIPROTEC 5 7SK82 (CP150), SIPROTEC 5 7SL82 (CP150), SIPROTEC 5 7SX82 (CP150), SIPROTEC 5 7SY82 (CP150), SIPROTEC 5 7UT82 (CP150): Update to V10.0 or later version
    • SIPROTEC 5 Compact 7SX800 (CP050): Update to V10.0 or later version

    As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

    Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

    For more information see the associated Siemens security advisory SSA-894058 in HTML and CSAF.

    CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

    • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
    • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
    • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

    CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

    CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

    CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

    Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

    Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

    CISA also recommends users take the following measures to protect themselves from social engineering attacks:

    No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

    5. UPDATE HISTORY

    • August 14, 2025: Initial Republication of Siemens ProductCERT SSA-894058
  • Siemens COMOS

    As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).


    1. EXECUTIVE SUMMARY

    • CVSS v3 8.2
    • ATTENTION: Low Attack Complexity
    • Vendor: Siemens
    • Equipment: COMOS
    • Vulnerability: Out-of-bounds Write

    2. RISK EVALUATION

    Successful exploitation of this vulnerability could allow an attacker to cause a crash, potentially enabling a denial-of-service attack (Crash, Exit, or Restart) or possible code execution.

    3. TECHNICAL DETAILS

    3.1 AFFECTED PRODUCTS

    Siemens reports that the following products are affected:

    • Siemens COMOS: all versions prior to V10.6

    3.2 VULNERABILITY OVERVIEW

    3.2.1 OUT-OF-BOUNDS WRITE CWE-787

    An out-of-bounds write vulnerability was discovered in the Open Design Alliance Drawings SDK before 2025.10. Reading a crafted DWF file without proper checks on the received SectionIterator data can trigger an unhandled exception. This can allow attackers to cause a crash, potentially enabling a denial-of-service attack (crash, exit, or restart) or possible code execution.

    CVE-2024-8894 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.2 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H).

    3.3 BACKGROUND

    • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
    • COUNTRIES/AREAS DEPLOYED: Worldwide
    • COMPANY HEADQUARTERS LOCATION: Germany

    3.4 RESEARCHER

    Siemens ProductCERT reported this vulnerability to CISA.

    4. MITIGATIONS

    Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

    • COMOS: Ensure all files imported into the affected product originate from a trusted source and are transmitted over secure channels
    • COMOS: Update to V10.6 or later version

    As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

    Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

    For more information see the associated Siemens security advisory SSA-769791 in HTML and CSAF.

    CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

    • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
    • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
    • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs). Recognize VPNs may have vulnerabilities, should be updated to the most recent version available, and are only as secure as the connected devices.

    CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

    CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

    CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

    Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

    Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

    CISA also recommends users take the following measures to protect themselves from social engineering attacks:

    No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely.

    5. UPDATE HISTORY

    • August 14, 2025: Initial Republication of Siemens ProductCERT SSA-769791
  • Microsoft Patch Tuesday, August 2025 Edition

    Microsoft today released updates to fix more than 100 security flaws in its Windows operating systems and other software. At least 13 of the bugs received Microsoft’s most-dire “critical” rating, meaning they could be abused by malware or malcontents to gain remote access to a Windows system with little or no help from users.

    August’s patch batch from Redmond includes an update for CVE-2025-53786, a vulnerability that allows an attacker to pivot from a compromised Microsoft Exchange Server directly into an organization’s cloud environment, potentially gaining control over Exchange Online and other connected Microsoft Office 365 services. Microsoft first warned about this bug on Aug. 6, saying it affects Exchange Server 2016 and Exchange Server 2019, as well as its flagship Exchange Server Subscription Edition.

    Ben McCarthy, lead cyber security engineer at Immersive, said a rough search reveals approximately 29,000 Exchange servers publicly facing on the internet that are vulnerable to this issue, with many of them likely to have even older vulnerabilities.

    McCarthy said the fix for CVE-2025-53786 requires more than just installing a patch, such as following Microsoft’s manual instructions for creating a dedicated service to oversee and lock down the hybrid connection.

    “In effect, this vulnerability turns a significant on-premise Exchange breach into a full-blown, difficult-to-detect cloud compromise with effectively living off the land techniques which are always harder to detect for defensive teams,” McCarthy said.

    CVE-2025-53779 is a weakness in the Windows Kerberos authentication system that allows an unauthenticated attacker to gain domain administrator privileges. Microsoft credits the discovery of the flaw to Akamai researcher Yuval Gordon, who dubbed it “BadSuccessor” in a May 2025 blog post. The attack exploits a weakness in “delegated Managed Service Account” or dMSA — a feature that was introduced in Windows Server 2025.

    Some of the critical flaws addressed this month with the highest severity (between 9.0 and 9.9 CVSS scores) include a remote code execution bug in the Windows GDI+ component that handles graphics rendering (CVE-2025-53766) and CVE-2025-50165, another graphics rendering weakness. Another critical patch involves CVE-2025-53733, a vulnerability in Microsoft Word that can be exploited without user interaction and triggered through the Preview Pane.

    One final critical bug tackled this month deserves attention: CVE-2025-53778, a bug in Windows NTLM, a core function of how Windows systems handle network authentication. According to Microsoft, the flaw could allow an attacker with low-level network access and basic user privileges to exploit NTLM and elevate to SYSTEM-level access — the highest level of privilege in Windows. Microsoft rates the exploitation of this bug as “more likely,” although there is no evidence the vulnerability is being exploited at the moment.

    Feel free to holler in the comments if you experience problems installing any of these updates. As ever, the SANS Internet Storm Center has its useful breakdown of the Microsoft patches indexed by severity and CVSS score, and AskWoody.com is keeping an eye out for Windows patches that may cause problems for enterprises and end users.

    GOOD MIGRATIONS

    Windows 10 users out there likely have noticed by now that Microsoft really wants you to upgrade to Windows 11. The reason is that after the Patch Tuesday on October 14, 2025, Microsoft will stop shipping free security updates for Windows 10 computers. The trouble is, many PCs running Windows 10 do not meet the hardware specifications required to install Windows 11 (or they do, but just barely).

    If the experience with Windows XP is any indicator, many of these older computers will wind up in landfills or else will be left running in an unpatched state. But if your Windows 10 PC doesn’t have the hardware chops to run Windows 11 and you’d still like to get some use out of it safely, consider installing a newbie-friendly version of Linux, like Linux Mint.

    Like most modern Linux versions, Mint will run on anything with a 64-bit CPU that has at least 2GB of memory, although 4GB is recommended. In other words, it will run on almost any computer produced in the last decade.

    There are many versions of Linux available, but Linux Mint is likely to be the most intuitive interface for regular Windows users, and it is largely configurable without having to fuss with a text-only command-line prompt. Mint and other flavors of Linux come with LibreOffice, which is an open source suite of tools that includes applications similar to Microsoft Office, and it can open, edit and save documents as Microsoft Office files.

    If you’d prefer to give Linux a test drive before installing it on a Windows PC, you can always just download it to a removable USB drive. From there, reboot the computer (with the removable drive plugged in) and select the option at startup to run the operating system from the external USB drive. If you don’t see an option for that after restarting, try restarting again and hitting the F8 button, which should open a list of bootable drives. Here’s a fairly thorough tutorial that walks through exactly how to do all this.

    And if this is your first time trying out Linux, relax and have fun: The nice thing about a “live” version of Linux (as it’s called when the operating system is run from a removable drive such as a CD or a USB stick) is that none of your changes persist after a reboot. Even if you somehow manage to break something, a restart will return the system back to its original state.

  • Who Got Arrested in the Raid on the XSS Crime Forum?

    On July 22, 2025, the European police agency Europol said a long-running investigation led by the French Police resulted in the arrest of a 38-year-old administrator of XSS, a Russian-language cybercrime forum with more than 50,000 members. The action has triggered an ongoing frenzy of speculation and panic among XSS denizens about the identity of the unnamed suspect, but the consensus is that he is a pivotal figure in the crime forum scene who goes by the hacker handle “Toha.” Here’s a deep dive on what’s knowable about Toha, and a short stab at who got nabbed.

    An unnamed 38-year-old man was arrested in Kiev last month on suspicion of administering the cybercrime forum XSS. Image: ssu.gov.ua.

    Europol did not name the accused, but published partially obscured photos of him from the raid on his residence in Kiev. The police agency said the suspect acted as a trusted third party, arbitrating disputes between criminals and guaranteeing the security of transactions on XSS. A statement from Ukraine’s SBU security service said XSS counted among its members many cybercriminals from various ransomware groups, including REvil, LockBit, Conti, and Qilin.

    Since the Europol announcement, the XSS forum resurfaced at a new address on the deep web (reachable only via the anonymity network Tor). But from reviewing the recent posts, there appears to be little consensus among longtime members about the identity of the now-detained XSS administrator.

    The most frequent comment regarding the arrest was a message of solidarity and support for Toha, the handle chosen by the longtime administrator of XSS and several other major Russian forums. Toha’s accounts on other forums have been silent since the raid.

    Europol said the suspect has enjoyed a nearly 20-year career in cybercrime, which roughly lines up with Toha’s history. In 2005, Toha was a founding member of the Russian-speaking forum Hack-All. That is, until it got massively hacked a few months after its debut. In 2006, Toha rebranded the forum to exploit[.]in, which would go on to draw tens of thousands of members, including an eventual Who’s-Who of wanted cybercriminals.

    Toha announced in 2018 that he was selling the Exploit forum, prompting rampant speculation on the forums that the buyer was secretly a Russian or Ukrainian government entity or front person. However, those suspicions were unsupported by evidence, and Toha vehemently denied the forum had been given over to authorities.

    One of the oldest Russian-language cybercrime forums was DaMaGeLaB, which operated from 2004 to 2017, when its administrator “Ar3s” was arrested. In 2018, a partial backup of the DaMaGeLaB forum was reincarnated as xss[.]is, with Toha as its stated administrator.

    CROSS-SITE GRIFTING

    Clues about Toha’s early presence on the Internet — from ~2004 to 2010 — are available in the archives of Intel 471, a cyber intelligence firm that tracks forum activity. Intel 471 shows Toha used the same email address across multiple forum accounts, including at Exploit, Antichat, Carder[.]su and inattack[.]ru.

    DomainTools.com finds Toha’s email address — toschka2003@yandex.ru — was used to register at least a dozen domain names — most of them from the mid- to late 2000s. Apart from exploit[.]in and a domain called ixyq[.]com, the other domains registered to that email address end in .ua, the top-level domain for Ukraine (e.g. deleted.org[.]ua, lj.com[.]ua, and blogspot.org[.]ua).

    A 2008 snapshot of a domain registered to toschka2003@yandex.ru and to Anton Medvedovskiy in Kiev. Note the message at the bottom left, “Protected by Exploit,in.” Image: archive.org.

    Nearly all of the domains registered to toschka2003@yandex.ru contain the name Anton Medvedovskiy in the registration records, except for the aforementioned ixyq[.]com, which is registered to the name Yuriy Avdeev in Moscow.

    This Avdeev surname came up in a lengthy conversation with Lockbitsupp, the leader of the rapacious and destructive ransomware affiliate group Lockbit. The conversation took place in February 2024, when Lockbitsupp asked for help identifying Toha’s real-life identity.

    In early 2024, the leader of the Lockbit ransomware group — Lockbitsupp — asked for help investigating the identity of the XSS administrator Toha, which he claimed was a Russian man named Anton Avdeev.

    Lockbitsupp didn’t share why he wanted Toha’s details, but he maintained that Toha’s real name was Anton Avdeev. I declined to help Lockbitsupp in whatever revenge he was planning on Toha, but his question made me curious to look deeper.

    It appears Lockbitsupp’s query was based on a now-deleted Twitter post from 2022, when a user by the name “3xp0rt” asserted that Toha was a Russian man named Anton Viktorovich Avdeev, born October 27, 1983.

    Searching the web for Toha’s email address toschka2003@yandex.ru reveals a 2010 sales thread on the forum bmwclub.ru where a user named Honeypo was selling a 2007 BMW X5. The ad listed the contact person as Anton Avdeev and gave the contact phone number 9588693.

    A search on the phone number 9588693 in the breach tracking service Constella Intelligence finds plenty of official Russian government records with this number, date of birth and the name Anton Viktorovich Avdeev. For example, hacked Russian government records show this person has a Russian tax ID and SIN (Social Security number), and that they were flagged for traffic violations on several occasions by Moscow police: in 2004, 2006, 2009, and 2014.

    Astute readers may have noticed by now that the ages of Mr. Avdeev (41) and the XSS admin arrested this month (38) are a bit off. This would seem to suggest that the person arrested is someone other than Mr. Avdeev, who did not respond to requests for comment.

    A FLY ON THE WALL

    For further insight on this question, KrebsOnSecurity sought comments from Sergeii Vovnenko, a former cybercriminal from Ukraine who now works at the security startup paranoidlab.com. I reached out to Vovnenko because for several years beginning around 2010 he was the owner and operator of thesecure[.]biz, an encrypted “Jabber” instant messaging server that Europol said was operated by the suspect arrested in Kiev. Thesecure[.]biz grew quite popular among many of the top Russian-speaking cybercriminals because it scrupulously kept few records of its users’ activity, and its administrator was always a trusted member of the community.

    The reason I know this historic tidbit is that in 2013, Vovnenko — using the hacker nicknames “Fly,” and “Flycracker” — hatched a plan to have a gram of heroin purchased off of the Silk Road darknet market and shipped to our home in Northern Virginia. The scheme was to spoof a call from one of our neighbors to the local police, saying this guy Krebs down the street was a druggie who was having narcotics delivered to his home.

    I happened to be lurking on Flycracker’s private cybercrime forum when his heroin-framing plan was carried out, and called the police myself before the smack eventually arrived in the U.S. Mail. Vovnenko was later arrested for unrelated cybercrime activities, extradited to the United States, convicted, and deported after a 16-month stay in the U.S. prison system [on several occasions, he has expressed heartfelt apologies for the incident, and we have since buried the hatchet].

    Vovnenko said he purchased a device for cloning credit cards from Toha in 2009, and that Toha shipped the item from Russia. Vovnenko explained that he (Flycracker) was the owner and operator of thesecure[.]biz from 2010 until his arrest in 2014.

    Vovnenko believes thesecure[.]biz was stolen while he was in jail, either by Toha and/or an XSS administrator who went by the nicknames N0klos and Sonic.

    “When I was in jail, [the] admin of xss.is stole that domain, or probably N0klos bought XSS from Toha or vice versa,” Vovnenko said of the Jabber domain. “Nobody from [the forums] spoke with me after my jailtime, so I can only guess what really happened.”

    N0klos was the owner and administrator of an early Russian-language cybercrime forum known as Darklife[.]ws. However, N0klos also appears to be a lifelong Russian resident, and in any case seems to have vanished from Russian cybercrime forums several years ago.

    Asked whether he believes Toha was the XSS administrator who was arrested this month in Ukraine, Vovnenko maintained that Toha is Russian, and that “the French cops took the wrong guy.”

    WHO IS TOHA?

    So who did the Ukrainian police arrest in response to the investigation by the French authorities? It seems plausible that the BMW ad invoking Toha’s email address and the name and phone number of a Russian citizen was simply misdirection on Toha’s part — intended to confuse and throw off investigators. Perhaps this even explains the Avdeev surname surfacing in the registration records from one of Toha’s domains.

    But sometimes the simplest answer is the correct one. “Toha” is a common Slavic nickname for someone with the first name “Anton,” and that matches the name in the registration records for more than a dozen domains tied to Toha’s toschka2003@yandex.ru email address: Anton Medvedovskiy.

    Constella Intelligence finds there is an Anton Gannadievich Medvedovskiy living in Kiev who will be 38 years old in December. This individual owns the email address itsmail@i.ua, as well as an Airbnb account featuring a profile photo of a man with roughly the same hairline as the suspect in the blurred photos released by the Ukrainian police. Mr. Medvedovskiy did not respond to a request for comment.

    My take on the takedown is that the Ukrainian authorities likely arrested Medvedovskiy. Toha shared on DaMaGeLab in 2005 that he had recently finished the 11th grade and was studying at a university — a time when Medvedovskiy would have been around 18 years old. On Dec. 11, 2006, fellow Exploit members wished Toha a happy birthday. Records exposed in a 2022 hack at the Ukrainian public services portal diia.gov.ua show that Mr. Medvedovskiy’s birthday is Dec. 11, 1987.

    The law enforcement action and resulting confusion about the identity of the detainee has thrown the Russian cybercrime forum scene into disarray in recent weeks, with lengthy and heated arguments about XSS’s future spooling out across the forums.

    XSS relaunched on a new Tor address shortly after the authorities plastered their seizure notice on the forum’s homepage, but all of the trusted moderators from the old forum were dismissed without explanation. Existing members saw their forum account balances drop to zero, and were asked to plunk down a deposit to register at the new forum. The new XSS “admin” said they were in contact with the previous owners and that the changes were to help rebuild security and trust within the community.

    However, the new admin’s assurances appear to have done little to assuage the worst fears of the forum’s erstwhile members, most of whom seem to be keeping their distance from the relaunched site for now.

    Indeed, if there is one common understanding amid all of these discussions about the seizure of XSS, it is that Ukrainian and French authorities now have several years’ worth of private messages between XSS forum users, as well as contact rosters and other user data linked to the seized Jabber server.

    “The myth of the ‘trusted person’ is shattered,” the user “GordonBellford” cautioned on Aug. 3 in an Exploit forum thread about the XSS admin arrest. “The forum is run by strangers. They got everything. Two years of Jabber server logs. Full backup and forum database.”

    GordonBellford continued:

    And the scariest thing is: this data array is not just an archive. It is material for analysis that has ALREADY BEEN DONE. With the help of modern tools, they see everything:

    Graphs of your contacts and activity.
    Relationships between nicknames, emails, password hashes and Jabber ID.
    Timestamps, IP addresses and digital fingerprints.
    Your unique writing style, phraseology, punctuation, consistency of grammatical errors, and even typical typos that will link your accounts on different platforms.

    They are not looking for a needle in a haystack. They simply sifted the haystack through the AI sieve and got ready-made dossiers.