
Vulnerability Pulse

Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of August 28 - September 3. Sign up to get these updates right to your inbox!

SEPTEMBER 02, 2022

Mozilla Thunderbird 102.2.1

Mozilla released a security update for Thunderbird to address a vulnerability that could lead to an attacker gaining control of affected systems.

Sources: Thunderbird Advisory, CISA

SEPTEMBER 01, 2022

Contec Health CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor

Contec Health CMS8000 CONTEC ICU CCU Vital Signs Patient Monitor contains improper access control, uncontrolled resource consumption, use of hard-coded credentials and active debug code vulnerabilities.

Sources: Contec Health Support, CISA

Delta Electronics DOPSoft

Delta Electronics DOPSoft contains an out-of-bounds read vulnerability that could lead to an attacker gaining sensitive information.

Sources: Delta Electronics Support, CISA

AUGUST 30, 2022

Hitachi Energy FACTS Control Platform (FCP) Product

Hitachi Energy FACTS Control Platform (FCP) Product contains inconsistent interpretation of HTTP requests, use after free, classic buffer overflow, integer underflow, improper certificate validation and observable discrepancy vulnerabilities.

Sources: Hitachi Energy Advisory, CISA

Hitachi Energy Gateway Station (GWS) Product

Hitachi Energy Gateway Station (GWS) Product contains inconsistent interpretation of HTTP requests, use after free, classic buffer overflow, integer underflow, improper certificate validation and observable discrepancy vulnerabilities.

Sources: Hitachi Energy Advisory, CISA

Hitachi Energy MSM Product

Hitachi Energy MSM Product contains a reliance on uncontrolled component vulnerability that could lead to a denial-of-service condition.

Sources: Hitachi Energy Advisory, CISA

Hitachi Energy RTU500 series

Hitachi Energy RTU500 series contains an improper input validation vulnerability that could lead to an internal buffer overflow.

Sources: Hitachi Energy Advisory, CISA

Fuji Electric D300win

Fuji Electric D300win contains out-of-bounds read and write-what-where condition vulnerabilities that could lead to a loss of sensitive data and manipulation of information.

Sources: Fuji Electric Support, CISA

Honeywell ControlEdge

Honeywell ControlEdge contains a missing authentication for critical function vulnerability that could lead to remote code execution, denial-of-service or configuration manipulation.

Sources: CISA

Honeywell Experion LX

Honeywell Experion LX contains a missing authentication for critical function vulnerability that could lead to a denial-of-service condition.

Sources: Honeywell Support, CISA

Honeywell Trend Controls IQ Series that utilize Inter-Controller (IC) protocol

Honeywell Trend Controls IQ Series that utilize Inter-Controller (IC) protocol contains a cleartext transmission of sensitive information vulnerability that could lead to the loss of authentication information.

Sources: Trend Partner Network, CISA

Omron CX-Programmer

Omron CX-Programmer contains a use after free vulnerability that could lead to an attacker executing arbitrary code.

Sources: CISA

PTC Kepware KEPServerEX

PTC Kepware KEPServerEX contains heap-based buffer overflow and stack-based buffer overflow vulnerabilities that could lead to an attacker crashing the device or remotely executing arbitrary code.

Sources: Kepware KepServerEx Upgrade, CISA

Sensormatic Electronics iSTAR Ultra

Sensormatic Electronics iSTAR Ultra contains a command injection vulnerability that could lead to an attacker using a malicious request to run arbitrary commands as a root user.

Sources: iStar Ultra, CISA

Mitsubishi GOT2000 compatible HMI software, CC-Link IE TSN Industrial Managed Switch and MELSEC iQ-R Series OPC UA Server Module contain infinite loop and OS command injection vulnerabilities that could lead to a denial-of-service condition or arbitrary code execution.

Sources: Mitsubishi Electric Security Advisory, CISA
