1. EXECUTIVE SUMMARY CVSS v3 6.7 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Schneider Electric Equipment: EcoStruxure Building Operation Vulnerabilities: Unrestricted Upload of File with Dangerous Type, Cross-site Scripting, Improper Restriction of XML External Entity Reference, Improper Access Control, Windows Unquoted Search Path 2. RISK EVALUATION Successful exploitation…

1. EXECUTIVE SUMMARY CVSS v3 5.5 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Hitachi ABB Power Grids Equipment: Ellipse EAM Vulnerabilities: Cross-site Scripting, User Interface Misrepresentation of Critical Information 2. RISK EVALUATION Successful exploitation of these vulnerabilities could allow an attacker to steal sensitive information, hijack a user’s…

1. EXECUTIVE SUMMARY CVSS v3 8.8 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: PerFact Equipment: OpenVPN-Client Vulnerability: External Control of System or Configuration Setting 2. RISK EVALUATION Successful exploitation of this vulnerability could allow for local privilege escalation or remote code execution through a malicious webpage. 3. TECHNICAL…

1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low skill level to exploit Vendor: Fatek Equipment: FvDesigner Vulnerabilities: Use After Free, Access of Uninitialized Pointer, Stack-based Buffer Overflow, Out-of-Bounds Write, Out-of-Bounds Read 2. RISK EVALUATION Successful exploitation of these vulnerabilities may allow an attacker to read/modify information, execute arbitrary, and/or…

1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Rockwell Automation Equipment: Studio 5000 Logix Designer, RSLogix 5000, Logix Controllers Vulnerability: Insufficiently Protected Credentials 2. UPDATE INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-21-056-03 Rockwell Automation Logix Controllers that…

1. EXECUTIVE SUMMARY CVSS v3 8.2 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: ProSoft Technology Equipment: ICX35-HWC-A and ICX35-HWC-E Vulnerability: Permissions, Privileges, and Access Controls 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to change the current user’s password and alter device configurations. 3….

1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Advantech Equipment: BB-ESWGP506-2SFP-T Vulnerability: Use of Hard-coded Credentials 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information and execute arbitrary code. 3. TECHNICAL DETAILS 3.1…

1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Advantech Equipment: Spectre RT Industrial Routers Vulnerabilities: Improper Neutralization of Input During Web Page Generation, Cleartext Transmission of Sensitive Information, Improper Restriction of Excessive Authentication Attempts, Use of a Broken or Risky Cryptographic Algorithm, Use…

1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Multiple Equipment: Nut/Net, CycloneTCP, NDKTCPIP, FNET, uIP-Contiki-OS, uC/TCP-IP, uIP-Contiki-NG, uIP, picoTCP-NG, picoTCP, MPLAB Net, Nucleus NET, Nucleus ReadyStart Vulnerabilities: Use of Insufficiently Random Values CISA is aware of a public report, known as “NUMBER:JACK” that…