Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of May 14 - 20. Sign up to get these updates right to your inbox!
Carlo Gavazzi Powersoft contains a path traversal vulnerability that can allow an attacker to access and retrieve any file from the server.
Sources: CISA, Gavazzi Automation
Mitsubishi Electric MELSEC WS Series contains an active debug code vulnerability that can allow an attacker to bypass authentication and log in by connecting to the module via telnet to reset the module.
Sources: CISA, Mitsubishi Electric
Hitachi Energy’s MicroSCADA Pro/X SYS600 Products contains permissions, privileges and access controls vulnerabilities that can allow an attacker to execute arbitrary code on the affected product.
Sources: CISA, Hitachi Energy
Johnson Controls OpenBlue Enterprise Manager Data Collector contains improper authentication and exposure of sensitive information vulnerabilities that can allow an attacker, under certain circumstances, to make application programming interface (API) calls.
Sources: CISA, Johnson Controls
Rockwell Automation FactoryTalk Diagnostics (Update A) contains a deserialization of untrusted data vulnerability that can allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges.
Sources: CISA, Rockwell Automation
Rockwell ArmorStart contains an improper input validation vulnerability that can allow a malicious user to view and modify sensitive data or make the web page unavailable.
Sources: CISA, Rockwell Automation
