CISA Issues Advisories on Critical ICS Vulnerabilities Across Multiple Sectors – Source: www.infosecurity-magazine.com

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a number of advisories related to vulnerabilities in products related to Industrial Control Systems (ICS).

The ICS vulnerabilities span several vendors including Johnson Controls Inc, ABB, Hitachi Energy and Schneider Electric.

The sectors affected include commercial facilities, energy, transportation systems and manufacturing. One of the vulnerabilities also affects the healthcare sector.

CISA encourages users and administrators to review the newly released ICS advisories for technical details and mitigations.

The vulnerabilities have been given a range of CVSS v4 scores. One has been handed a score of 9.1 making it critical. The rest bar one are high severity and have CVSS scores between 8.2 and 8.7. The remaining flaw has a CVSS score of 6.1, making it medium severity.

Read more: Navigating the Vulnerability Maze Understanding CVE, CWE and CVSS

In alert ICSA-25-196-01, various vulnerabilities which affect the Hitachi Energy Asset Suite have been identified, specifically:

• Asset Suite AnyWhere for Inventory (AWI) Android mobile app: Versions 11.5 and prior (CVE-2019-9262, CVE-2019-9429, CVE-2019-9256, CVE-2019-9290)
• Asset Suite 9 series: Version 9.6.4.4 (CVE-2025-1484, CVE-2025-2500)
• Asset Suite 9 series: Version 9.7 (CVE-2025-2500)

Successful exploitation of these vulnerabilities could allow an attacker to gain unauthorized access to the target equipment, perform remote code executions or escalate privileges, the CISA advisory noted.

The vulnerability related to the healthcare sector was assigned CVE-2024-22774, affecting Panoramic Digital Imaging Software version 9.1.2.7600 and was given a CVSS v4 score of 8.5.

The affected Panoramic product is vulnerable to DLL hijacking, which may allow an attacker to obtain NT Authority/SYSTEM as a standard user.

The imaging software is vulnerable due to an SDK component owned by Oy Ajat Ltd, which is no longer supported. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

The full list of advisories, published between July 15 and 17 2025, can be found here:

• ICSA-25-196-01 Hitachi Energy Asset Suite
• ICSA-25-196-02 ABB RMC-100
• ICSA-25-196-03 LITEON IC48A and IC80A EV Chargers
• ICSA-25-037-02 Schneider Electric EcoStruxure (Update B)
• ICSA-25-140-08 Schneider Electric Modicon Controllers (Update A)
• ICSA-25-070-01 Schneider Electric Uni-Telway Driver (Update A)
• ICSA-25-198-01 Leviton AcquiSuite and Energy Monitoring Hub
• ICSMA-25-198-01 Panoramic Corporation Digital Imaging Software
• ICSA-24-191-05 Johnson Controls Inc. Software House C●CURE 9000 (Update B)