ICS Critical Patch Updates: September 2025 

Sep 17, 2025 | blog

Welcome to Foxguard’s September 2025 ICS Critical Patch Updates. Each month we bring you the latest advisories impacting Industrial Control Systems (ICS) and Operational Technology (OT). This cycle saw a heavy slate of high-severity disclosures from Siemens, Schneider Electric, ABB, Rockwell Automation, and CISA, many of which carry immediate risk for operators. 

The September updates illustrate just how broad the attack surface in modern ICS environments has become. Remote code execution, privilege escalation, and denial-of-service vulnerabilities were identified across controllers, firmware, and engineering software in sectors ranging from energy to transportation. Foxguard’s analysts have reviewed these disclosures and distilled the key points into actionable insights to help operators prioritize remediation while maintaining uptime. 

Note on CVSS Scores: Vendors now often report both CVSS v3.1 and the newer v4.0 scores. We’ve included both where available to give you the most complete picture of each vulnerability’s severity and potential impact.

Siemens

Siemens has released 15 security advisories this month, many of them rated high or critical. Key vulnerabilities include:

  • Multiple Vulnerabilities in User Management Component (UMC) (CVSS v4.0 Base Score 9.3): A critical vulnerability in the UMC could allow an unauthenticated remote attacker to execute arbitrary code or cause a denial of service. Siemens has released a new version and urges users to update to the latest version. 
  • Local Privilege Escalation Vulnerability in SIMOTION Tools (CVSS v3.1 Base Score 8.1): A vulnerability that could allow an attacker to execute arbitrary code with SYSTEM privileges during the setup and installation phase of affected tools. Fixes are in preparation, and countermeasures are recommended.

In a third-party advisory, Siemens also addressed multiple vulnerabilities in Fortigate NGFW before V7.4.1 on RUGGEDCOM APE1808 Devices (CVSS v4.0 Base Score 9.2). A new version has been released, with further fixes in preparation and specific countermeasures recommended. 

Foxguard Insight: Siemens’ September disclosures emphasize critical risks across both core ICS components and supporting infrastructure. The high-severity vulnerabilities in UMC and SIVaaS demonstrate the potential for attackers to gain a significant foothold through remote, unauthenticated attacks. Organizations should prioritize patching these systems and, where fixes are not yet available, implement recommended countermeasures. 

Schneider Electric 

Schneider has released six security advisories, addressing vulnerabilities across its product lines. 

In third-party advisories, Schneider has provided updates on: 

  • ‘BadAlloc’ Vulnerabilities: This addresses multiple memory allocation vulnerabilities published by Microsoft that could result in denial of service or remote code execution. 
  • Erlang/OTP’s SSH Server Component (CVE-2025-32433 CVSS v3.1 Base Score 10): A critical vulnerability in this component used in Schneider Electric Galaxy VS, VL, and VXL products now has available remediations. 

Foxguard Insight: Schneider’s September advisories highlight the dangers of both new and ongoing threats, with a critical vulnerability in the Erlang/OTP SSH Server component and updates for previously disclosed flaws. Continuous monitoring and a rigorous patch management program ensure that fixes, once available, can be applied promptly to critical infrastructure assets. The Galaxy SSH vulnerabilities are particularly severe, and timely patching is essential to prevent full system compromise. 

ABB

ABB disclosed vulnerabilities in ELSB/BLBA ASPECT products:

  • CVE-2025-53187, CVSS v3.1 9.8 
  • CVE-2025-7677, CVSS v3.1 5.9 
  • CVE-2025-7679, CVSS v3.1 8.1 

Most vulnerabilities have been patched; ABB advises applying remaining mitigations to fully secure affected systems. 

Foxguard Insight: The high severity of CVE-2025-53187 demonstrates the common challenge of dealing with vulnerabilities that do not have immediate patches. With a high-severity vulnerability remaining unpatched, asset owners must rely on compensatory controls like network isolation, firewalls, and restricted access to minimize risk and protect the system in a defense-in-depth strategy. 

Rockwell Automation 

Rockwell Automation has released eight new security advisories, almost all of high severity. 

  • ControlLogix® 5580 Denial-Of-Service (CVE-2025-9166 CVSS v4.0 Base Score 8.2): This flaw could lead to a major non-recoverable fault on the controller. An update to a corrected version is recommended. 
  • Stratix IOS CSRF to RCE Vulnerability (CVE-2025-7350 CVSS v4.0 Base Score 8.6): Can lead to remote code execution by uploading and running malicious configurations without authentication. 
  • ThinManager SSRF Vulnerability (CVE-2025-9065 CVSS v4.0 Base Score 8.6): Authenticated attackers can exploit this vulnerability by specifying external SMB paths, exposing the ThinServer® service account NTLM hash. 
  • CompactLogix® 5480 Code Execution (CVE-2025-9160 CVSS v4.0 Base Score 7.0): An attacker with physical access could abuse the controller’s maintenance menu to achieve arbitrary code execution. 

Rockwell Automation recommends updating to corrected software versions and following best practices. 

Foxguard Insight: Rockwell’s advisories cover a wide array of high-severity risks, from denial of service and data exposure to memory corruption and both remote and local code execution. The diversity of these vulnerabilities demonstrates the need for a comprehensive security strategy that goes beyond simple network perimeter defense. Rapid application of vendor updates following Rockwell’s best practices is critical to protect control systems and operational data. 

CISA 

CISA has released fourteen new security advisories, many of which cover the Rockwell, ABB, and Schneider vulnerabilities. Other advisories include:

  • Incorrect Default Permissions in Mitsubishi Electric ICONICS Digital Solutions (CVE-2024-7587 CVSS v3.1 Base Score 7.8): This may allow for confidential information disclosure, data tampering, or a denial-of-service condition. Mitsubishi provides mitigations. 
  • Multiple vulnerabilities in EG4 Electronics EG4 Inverters (CVSS v4.0 Base Score 6.9 and above): These flaws could allow an attacker to intercept data, install malicious firmware, and gain unauthorized control. EG4 is actively working on a fix and monitoring affected systems. 

Foxguard Insight: CISA advisories continue to highlight high-risk ICS and OT exposures. From digital solutions and HMIs to power inverters, these vulnerabilities demonstrate that a broad and flexible approach to vulnerability management is required. Organizations must ensure they are monitoring all relevant channels for updates and applying mitigations promptly, especially for systems that directly impact operational integrity. Integration of these updates into your asset management workflow is essential to maintain security and compliance. 

Actionable Recommendations 

With such a wide mix of new and updated advisories this month, ICS operators need a clear strategy for prioritization. Based on the severity and exploit potential of the vulnerabilities disclosed, Foxguard recommends the following actions: 

  • Prioritize critical remote exploitation paths: Focus on patching high-severity flaws with remote code execution, such as those in Siemens’ UMC and Schneider’s Erlang/OTP component. 
  • Patch where possible, mitigate where not: Apply available updates immediately for high-risk assets like Rockwell’s ControlLogix controllers. For vulnerabilities with no patch, as with some ABB ASPECT products, implement compensatory controls and restrict network exposure.
  • Secure all aspects of the operational environment: The vulnerabilities in Rockwell’s FactoryTalk Optix and Siemens’ SIMOTION tools show that attackers are targeting engineering and support systems. Ensure all software that interacts with the OT network is secured and patched. 
  • Harden ICS network boundaries: Enforce segmentation between OT and IT, apply allow-listing rules, and monitor for unusual traffic to protect against attacks on a variety of systems and protocols. 

How Foxguard Can Help

Managing ICS vulnerabilities is rarely straightforward. Patch cycles are slower than in IT, operational downtime carries heavy cost, and fixes are often staggered across vendor product lines. Proactive ICS security requires specialized tools and services designed for operational environments. Foxguard helps bridge that gap by supporting organizations throughout the entire vulnerability management lifecycle, from initial discovery to final remediation. 

Our services include: 

  • FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.  
  • FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.  
  • FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.  
  • FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.  
  • FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity. 

With years of proven expertise and the trust of numerous clients worldwide, Foxguard combines automation, expert guidance, and OT-specific intelligence to provide the essential tools and insights that empower critical infrastructure operators to stay ahead of emerging cyber risks. 

Stay Ahead of Threats 

The September advisories make one thing clear: ICS security is no longer just about protecting controllers. Engineering tools, supporting infrastructure, and even embedded third-party libraries are now frequent entry points for attackers. Defenses must evolve to match. Organizations need to protect their tools, tighten network defenses against protocol and deserialization flaws, and keep an eye on vulnerabilities lurking in a variety of embedded libraries. 

By partnering with Foxguard, operators can stay proactive, securing critical assets, reducing downtime, and responding quickly as new threats emerge. Vigilance, continuous monitoring, and trusted partnerships remain the keys to resilience in today’s OT environments. 

If your organization needs tailored support in managing ICS vulnerabilities, reach out to Foxguard today. 

Your security is our priority. Stay vigilant and stay protected.
