
Vulnerability Pulse

Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of December 3 - 9. Sign up to get these updates right to your inbox!

DECEMBER 07, 2023

Mitsubishi Electric FA Engineering Software Products

Mitsubishi Electric FA Engineering Software Products contain processor optimization removal or modification of security-critical code and observable discrepancy vulnerabilities that can allow a malicious attacker to disclose information in the affected products.


Sources: Mitsubishi Electric, CISA

Schweitzer Engineering Laboratories SEL-411L

Schweitzer Engineering Laboratories SEL-411L contains an improper restriction of rendered UI layers or frames vulnerability that can expose authorized users to clickjacking attacks.


Sources: CISA, Schweitzer Engineering Laboratories

Johnson Controls Metasys and Facility Explorer

Johnson Controls Metasys and Facility Explorer contain an uncontrolled resource consumption vulnerability that can allow an attacker to cause a denial-of-service condition by sending invalid credentials.


Sources: CISA, Johnson Controls

ControlbyWeb Relay

ControlbyWeb Relay contains a cross-site scripting vulnerability that can allow an authenticated attacker to run malicious code during a user's session.


Sources: CISA, ControlbyWeb

Sierra Wireless AirLink with ALEOS firmware

Sierra Wireless AirLink with ALEOS firmware contains infinite loop, NULL pointer dereference, cross-site scripting and other vulnerabilities that can allow an attacker to perform remote code execution to take full control of the device, steal credentials through a cross-site scripting attack or crash the device being accessed through a denial-of-service attack.


Sources: CISA, Sierra Wireless

DECEMBER 05, 2023

Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d

Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d contain an authentication bypass using an alternate path or channel vulnerability that can allow an attacker to send specially crafted packets to change credentials without any prior authentication.


Sources: CISA, Zebra

Mitsubishi Electric CNC Series (Update D)

Mitsubishi Electric CNC Series (Update D) contains a classic buffer overflow vulnerability that can allow a malicious remote attacker to cause a denial-of-service condition and execute malicious code on the product by sending specially crafted packets.


Sources: CISA, Mitsubishi Electric
