CISA issues ICS advisories on Schneider Electric, Vertikal Systems vulnerabilities; adds DELMIA Apriso flaws to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published on Tuesday one ICS (industrial control system) advisory, one ICS medical advisory, and updated an earlier ICS advisory addressing the presence of hardware vulnerabilities in equipment deployed across the critical infrastructure sector. The agency urges asset owners and operators to review these ICS advisories for technical details and mitigations.
Schneider Electric's EcoStruxure OPC UA Server Expert contains an allocation-of-resources-without-limits-or-throttling vulnerability that could cause a denial of service when a large number of OPC UA requests are sent to the server. CVE-2024-10085 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 7.5 and a CVSS v4 base score of 8.2.
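The following is an added example (not Schneider Electric's code, and not a description of how CVE-2024-10085 behaves internally) of the control whose absence this weakness class names: a per-client token-bucket limiter combined with a global cap on queued requests, so that a burst of requests is shed at the edge instead of growing server memory without bound. The class and function names, the limits and the simulated "flood" are all hypothetical.

```python
"""Request throttling and a bounded pending queue for an OPC UA-style
server (added example; hypothetical names and limits, not vendor code)."""
from collections import deque
from dataclasses import dataclass

MAX_PENDING_TOTAL = 1000      # hard cap on requests accepted but not yet processed
BUCKET_CAPACITY = 100         # burst allowance per client
REFILL_PER_SECOND = 50.0      # sustained per-client request rate


@dataclass
class Bucket:
    """Classic token bucket: refills continuously, caps at BUCKET_CAPACITY."""
    tokens: float = BUCKET_CAPACITY
    last: float = 0.0

    def take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(BUCKET_CAPACITY, self.tokens + elapsed * REFILL_PER_SECOND)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class ThrottledServer:
    """Admission control in front of the real request handler."""

    def __init__(self) -> None:
        self.buckets: dict[str, Bucket] = {}
        self.pending: deque = deque()
        self.rejected = {"rate": 0, "capacity": 0}

    def submit(self, client: str, request: str, now: float) -> bool:
        # Per-client check first: one noisy client cannot consume everyone's quota.
        bucket = self.buckets.setdefault(client, Bucket(last=now))
        if not bucket.take(now):
            self.rejected["rate"] += 1
            return False
        # Global check second: total queued work stays bounded no matter how
        # many distinct clients join the burst.
        if len(self.pending) >= MAX_PENDING_TOTAL:
            self.rejected["capacity"] += 1
            return False
        self.pending.append((client, request))
        return True


def flood(n_requests: int, n_clients: int) -> dict:
    """Fire n_requests round-robin from n_clients at the same instant (t=0),
    i.e. a burst with no time for buckets to refill, and report the outcome.
    Without limits the pending queue would simply reach n_requests."""
    server = ThrottledServer()
    accepted = 0
    for i in range(n_requests):
        if server.submit(f"client-{i % n_clients}", f"ReadRequest#{i}", now=0.0):
            accepted += 1
    return {
        "accepted": accepted,
        "rejected_rate": server.rejected["rate"],
        "rejected_capacity": server.rejected["capacity"],
        "pending": len(server.pending),
    }


if __name__ == "__main__":
    print(flood(n_requests=5000, n_clients=20))
```

With 5,000 requests from 20 clients in one burst, each client gets its 100-token burst allowance, the global cap then admits only 1,000 of those 2,000, and the remaining 3,000 are shed by the per-client buckets; queued work never exceeds `MAX_PENDING_TOTAL`.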
An improper input validation vulnerability exists that could lead to denial of service and loss of confidentiality and integrity in the affected controller when an unauthenticated, crafted Modbus packet is sent to the device. CVE-2024-11737 has been assigned to this vulnerability. It has a CVSS v3.1 base score of 9.8 and a CVSS v4 base score of 9.3.
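As an added example of the generic control this weakness class lacks (not Schneider Electric's code, and not a reconstruction of the crafted packet behind CVE-2024-11737), the validator below checks a Modbus/TCP application data unit against the protocol's own invariants before any field is acted on: header protocol identifier, declared length versus bytes actually present, an allow-list of function codes, fixed request sizes, and quantity and address-range bounds. The same checks are what a Modbus-aware firewall or protocol gateway would apply in front of a controller. The sample frames are constructed, and all function and constant names are hypothetical.

```python
"""Strict Modbus/TCP ADU validation (added example; hypothetical names,
constructed sample frames, not vendor code)."""
import struct

MBAP_LEN = 7             # transaction id(2) + protocol id(2) + length(2) + unit id(1)
MAX_ADU = 260            # Modbus/TCP upper bound: MBAP header + 253-byte PDU
MODBUS_PROTOCOL_ID = 0

# Allow-listed request function codes -> (fixed data length, max quantity or None)
REQUEST_RULES = {
    0x01: (4, 2000),  # read coils: start(2) + quantity(2)
    0x02: (4, 2000),  # read discrete inputs
    0x03: (4, 125),   # read holding registers
    0x04: (4, 125),   # read input registers
    0x05: (4, None),  # write single coil: address(2) + value(2)
    0x06: (4, None),  # write single register
}


class InvalidFrame(ValueError):
    """Raised for any frame that violates a protocol invariant."""


def validate_adu(frame: bytes) -> dict:
    """Return the decoded request fields, or raise InvalidFrame."""
    if len(frame) < MBAP_LEN + 1:
        raise InvalidFrame("frame shorter than MBAP header plus function code")
    if len(frame) > MAX_ADU:
        raise InvalidFrame("frame exceeds maximum ADU size")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != MODBUS_PROTOCOL_ID:
        raise InvalidFrame(f"unexpected protocol id {pid}")
    # The length field counts unit id + PDU; it must equal what was received,
    # so a declared length can never be used to read past the buffer.
    present = len(frame) - 6
    if length != present:
        raise InvalidFrame(f"length field {length} disagrees with {present} bytes present")
    pdu = frame[MBAP_LEN:]
    fc = pdu[0]
    if fc not in REQUEST_RULES:
        raise InvalidFrame(f"function code 0x{fc:02x} not permitted")
    data_len, max_qty = REQUEST_RULES[fc]
    if len(pdu) - 1 != data_len:
        raise InvalidFrame(f"function 0x{fc:02x} expects {data_len} data bytes, got {len(pdu) - 1}")
    start, value = struct.unpack(">HH", pdu[1:5])
    if max_qty is not None:
        if not 1 <= value <= max_qty:
            raise InvalidFrame(f"quantity {value} outside 1..{max_qty}")
        if start + value > 0x10000:
            raise InvalidFrame("address range wraps past the 16-bit address space")
    return {"transaction": tid, "unit": unit, "function": fc, "start": start, "value": value}


def is_acceptable(frame: bytes) -> bool:
    try:
        validate_adu(frame)
        return True
    except InvalidFrame:
        return False


# Constructed sample frames (not captured traffic); spacing is for readability.
GOOD_READ  = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # read 10 holding registers
BAD_LENGTH = bytes.fromhex("0001 0000 00ff 01 03 0000 000a")  # declares 255 bytes, carries 6
TRUNCATED  = bytes.fromhex("0001 0000 0006 01 03 00")         # declares 6 bytes, carries 3
BAD_QTY    = bytes.fromhex("0001 0000 0006 01 03 0000 00ff")  # 255 registers > 125 allowed
WRAPS      = bytes.fromhex("0001 0000 0006 01 03 fff0 0020")  # 0xfff0 + 32 leaves address space
BAD_FC     = bytes.fromhex("0001 0000 0006 01 08 0000 0000")  # diagnostics not on allow-list

if __name__ == "__main__":
    for name, frame in [("GOOD_READ", GOOD_READ), ("BAD_LENGTH", BAD_LENGTH),
                        ("TRUNCATED", TRUNCATED), ("BAD_QTY", BAD_QTY),
                        ("WRAPS", WRAPS), ("BAD_FC", BAD_FC)]:
        print(f"{name:<10} {'accept' if is_acceptable(frame) else 'reject'}")
```

Only the well-formed read is accepted; every other frame is dropped before any field drives memory access or register I/O, which is the boundary an improper-input-validation bug fails to enforce.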
Apart from these ICS advisories, CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. The newly listed flaws are CVE-2025-6204, a Dassault Systèmes DELMIA Apriso code injection vulnerability, and CVE-2025-6205, a missing authorization vulnerability in the same platform. These vulnerabilities are common attack vectors for malicious actors and present significant risks to the federal enterprise.