Industrial control systems could be taken over in attacks leveraging a pair of critical operating system command injection flaws in the mySCADA myPRO supervisory control and data acquisition (SCADA) platform for operational technology environments, tracked as CVE-2025-20014 and CVE-2025-20061, The Hacker News reports.
Both issues stem from inadequate sanitization of user input. Abusing them could enable threat actors to inject system commands, execute arbitrary code, and ultimately hijack the ICS, according to an analysis from PRODAFT. Organizations have been urged not only to remediate the flaws immediately by upgrading to mySCADA PRO Manager 1.3 and mySCADA PRO Runtime 9.2.1, but also to implement network segmentation and robust authentication measures while remaining vigilant for potentially malicious activity within their IT networks.

"These vulnerabilities highlight the persistent security risks in SCADA systems and the need for stronger defenses. Exploitation could lead to operational disruptions, financial losses, and safety hazards," said PRODAFT.