
Vulnerability Pulse

Every week, we catalog the major industrial cybersecurity vulnerabilities and updates you should know about. Here are the notable threats from the week of November 26 - December 2. Sign up to get these updates right to your inbox!

NOVEMBER 30, 2023

Delta Electronics DOPSoft

Delta Electronics DOPSoft contains a stack-based buffer overflow vulnerability that can lead to remote code execution.


Sources: CISA, Delta Electronics

Yokogawa STARDOM

Yokogawa STARDOM contains an uncontrolled resource consumption vulnerability that can allow a remote attacker to cause a denial-of-service condition on the FCN/FCJ controller by sending a specially crafted packet.


Sources: CISA, Yokogawa

PTC KEPServerEx

PTC KEPServerEx contains heap-based buffer overflow and improper validation of certificate with host mismatch vulnerabilities that can allow an attacker to gain Windows SYSTEM-level code execution on the service host, and may cause the product to crash or leak sensitive information, or allow a connection to the product without proper authentication.


Sources: CISA, PTC

Mitsubishi Electric FA Engineering Software Products

Mitsubishi Electric FA Engineering Software Products contain an external control of file name or path vulnerability that can allow an attacker to execute malicious code by tricking legitimate users into opening a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service condition.


Sources: CISA, Mitsubishi Electric

NOVEMBER 28, 2023

Delta Electronics InfraSuite Device Master

Delta Electronics InfraSuite Device Master contains path traversal, deserialization of untrusted data, exposed dangerous method or function, and other vulnerabilities that can allow an attacker to remotely execute arbitrary code and obtain plaintext credentials.


Sources: CISA, Delta Electronics

Franklin Electric Fueling Systems Colibri

Franklin Electric Fueling Systems Colibri contains a path traversal vulnerability that can allow an attacker to obtain login credentials for other users.


Sources: CISA, Franklin Electric

Mitsubishi Electric GX Works2

Mitsubishi Electric GX Works2 contains an improper input validation vulnerability in its simulation function that can allow an attacker to cause a denial-of-service (DoS) condition by sending specially crafted packets.


Sources: CISA, Mitsubishi Electric
