The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is sounding the alarm over a series of high-risk vulnerabilities present in industrial control systems.
The flaws, which were found in systems manufactured by Rockwell Automation and Hitachi Energy, were each issued CVSS severity ratings higher than 9, suggesting they could not only pose a threat if exploited, but were relatively easy for a remote attacker to exploit.
Ideally, industrial control systems would not be easily exposed to the these sort of flaws. Best practices call for operational technology (OT) systems to have as few connections with the information technology (OT) network as possible in order to minimize exposure.
As OT systems become more connected and remote management becomes more ubiquitous, however, organizations have become more vulnerable to attacks via internet-facing IT systems.
For Rockwell Automation hardware, the issue is more straightforward. Dubbed CVE-2025-23120, the flaw is present in Veeam Backup and Replication, such as industrial data center units.
It is believed that by targeting a data deserialization vulnerability. In short, a remote attacker could slip malicious instructions into an otherwise legitimate command. When executed, the command would then allow the remote attacker to take total control over the targeted device.
According to CISA, that vulnerability was discovered and reported directly to the agency by Rockwell. The vendor says it has a fix for the vulnerability and will be contacted customers directly with instructions on how to patch their machines.
For Hitachi Energy, things are a little more complex. CISA is warning of a handful of different vulnerabilities, some dating back to 2024, which could present a serious security risk together.
These range from fairly low-risk vulnerabilities such as authentication bypass and URL redirection errors, to more serious issues including path traversal and missing authentication checks for critical functions.
While none of the flaws would be a major risk on their own, experts say it is not uncommon for threat actors to chain together a number of different vulnerability exploits into a single attack script in order to create a far more catastrophic attack.
This is particularly dangerous for many organizations because often administrators will make vulnerabilities with low severity ratings and CVSS scores a lower patching priority. This is not recommended in the case of the Hitachi MicroSCADA Pro/X SYS600 lines, as the issue has been given a CVSS severity score of 9.9 and is considered a threat to critical infrastructure world-wide.
Hitachi says it will be handling patching and mitigation of the flaws through its service contract network and administrators are being advised to contact their contract providers.
