ICS Critical Patch Updates: November 2025 

Welcome to Foxguard’s ICS Critical Patch Updates November 2025, your monthly briefing on the latest vulnerabilities affecting Industrial Control Systems (ICS) and Operational Technology (OT). This ICS Critical Patch Updates November 2025 cycle features a significant number of high-severity advisories from Siemens, Schneider Electric, Rockwell Automation, Phoenix Contact, Eaton, and CISA, highlighting continued risks to controllers, engineering tools, cloud platforms, and network infrastructure. Many of these flaws enable remote code execution, privilege escalation, or unauthorized access, demanding immediate attention from operators to safeguard operational continuity.

Note on CVSS Scores: November’s advisories include both CVSS v4.0 and select v3.1 ratings. All base scores referenced here follow the vendor-reported severity, providing an accurate snapshot of each vulnerability’s exploitability and potential impact on OT systems. 

Siemens 

Siemens released several advisories affecting grid management, engineering software, and industrial controllers: 

• SSA-682326 – Multiple Vulnerabilities in COMOS Before V10.4.5 

CVE: Multiple | CVSS v3.1: 9.3 

Arbitrary code execution and data infiltration may be possible. Operators should update to COMOS V10.4.5 and follow Siemens’ general security guidance to secure systems. 

• SSA-770770 – Fortigate NGFW Vulnerabilities on RUGGEDCOM APE1808 

CVE: CVE-2022-42475, CVE-2023-27997, CVE-2024-21762 | CVSS v4.0: 9.1 

Remote code execution and unauthorized access are possible through FortiOS flaws. Siemens advises updating Fortigate NGFW to V7.4.7 and following both Fortinet and Siemens mitigation guidance. 

• SSA-522291 – Improper Certificate Validation in Solid Edge 

CVE: CVE-2025-40744 | CVSS v4.0: 8.7 

Solid Edge fails to validate certificates when connecting to the License Service, allowing potential MITM attacks. Siemens advises updating to SE2025 V225.0 Update 11 and securing network configurations to ensure proper certificate validation. 

• SSA-339694 – Multiple Vulnerabilities in Spectrum Power 4 < v4.70 SP12 Update 2 

CVE: CVE-2024-32008 to CVE-2024-32014 | CVSS v4.0: 8.7 

Remote and local code execution vulnerabilities exist due to exposed debug interfaces and misconfigured binaries. Siemens recommends updating to Spectrum Power 4 V4.70 SP12 Update 2 and following mitigation guidance. 

• SSA-267056 – Multiple Vulnerabilities in LOGO! 8 BM Devices 

CVE: CVE-2025-40815, CVE-2025-40816, CVE-2025-40817 | CVSS v4.0: 8.6 

Vulnerabilities could allow remote code execution, denial-of-service, or unauthorized behavior changes. Siemens recommends protecting LSC access with strong passwords, restricting port 10006/udp, and applying firmware updates when available.  

• SSA-514895 – Multiple Vulnerabilities in Altair Grid Engine V2025.1.0  

CVE: CVE-2025-40760, CVE-2025-40763 | CVSS v4.0: 8.5 

Privilege escalation and arbitrary code execution could occur through password hash exposure and path hijacking. Siemens recommends updating to V2026.0.0, removing setuid-root bits, and following Siemens security guidelines to prevent unauthorized system access. 

• SSA-365596 – DLL Hijacking in Siemens Software Center and Solid Edge 

CVE: CVE-2025-40827 | CVSS v4.0: 8.5 

Crafted DLLs could be loaded, enabling arbitrary code execution. Siemens recommends updating Siemens Software Center to V3.5 and Solid Edge to V225.0 Update 10 to prevent exploitation. 

• SSA-216014 – EFI Variable Vulnerabilities in SIMATIC IPCs and PGs 

CVE: CVE-2024-56181, CVE-2024-56182 | CVSS v4.0: 8.4 

Authenticated attackers could manipulate secure boot or password configurations. Updating BIOS versions and following Siemens mitigation guidance are recommended to secure systems. 

Foxguard Insight: Siemens continues to encounter serious vulnerabilities across its software tools and grid hardware. Attackers are targeting often-overlooked areas—specifically operational software and external interfaces—using sophisticated methods like DLL hijacking, EFI manipulation, and third-party firewall flaws. Enforcing strict access controls, timely patching, and network segmentation is essential to contain this risk. 

Schneider Electric 

Schneider’s November advisories focus on SCADA platforms, machine visualization, and power management systems: 

• SEVD-2025-315-02 – EcoStruxure™ Machine SCADA Expert & Pro-face BLUE Open Studio 

CVE: CVE-2025-9317 | CVSS v4.0: 8.3 

Third-party vulnerabilities affect SCADA visualization platforms. Operators should apply Patch 1 for 2023.1 and follow secure deployment practices to prevent exploitation. 

• SEVD-2025-315-01 – PowerChute™ Serial Shutdown 

CVE: CVE-2025-11565, CVE-2025-11566, CVE-2025-11567 | CVSS v4.0: 6.9+ 

Path traversal, incorrect default permissions, and lack of brute-force protection could allow unauthorized access or system compromise. Schneider Electric recommends upgrading to the latest version and restricting access to configuration files and interfaces. 

Foxguard Insight: This month’s Schneider advisories highlight a key danger: third-party components are turning even simple visualization and machine monitoring tools into vectors for remote exploitation within OT environments. To keep operations running smoothly, coordinate patching across both SCADA and machine-level systems. 

Rockwell Automation 

Rockwell advisories continue to expose risks in simulation, cloud platforms, and third-party libraries: 

• Studio 5000® Simulation Interface – Remote Code Execution 
  CVE: CVE-2025-11696, CVE-2025-11697 | CVSS v4.0: 8.9 
  Remote code execution or denial-of-service is possible via the simulation interface. Rockwell advises updating to the latest version and restricting access to simulation components. 
• FactoryTalk® Policy Manager – Third-Party Component 
  CVE: CVE-2024-22019 | CVSS v4.0: 8.7 
  Remote exploitation via third-party libraries is possible. Update third-party components and validate policy configurations. 
• AADvance – SIS Workstation DotNetZip 
  CVE: CVE-2024-48510 | CVSS v4.0: 8.6 
  Directory traversal or file overwrite possible. Update the DotNetZip component and restrict archive handling.

• Verve Asset Manager – Improper Access Control 
  CVE: CVE-2025-11862 | CVSS v4.0: 8.4 
  Unauthorized privilege escalation risk exists. Apply access control patches and enforce least privilege to secure the system. 

• FactoryTalk® DataMosaix™ Private Cloud – Multiple Vulnerabilities 
  CVE: CVE-2025-11084, CVE-2025-11085 | CVSS v4.0: 7.6 & 8.6 
  Could allow unauthorized access or data manipulation. Update cloud services and monitor for abnormal activity to mitigate risk.  

Foxguard Insight: With Rockwell’s software stretching into the cloud and simulation space, the OT environment is now a much bigger target. Attackers are looking for the easiest way in. To prevent them from moving laterally across your network and compromising data, it is critical to enforce strict segmentation and monitor for any unusual access between those cloud, simulation, and operational networks. 

Phoenix Contact 

Phoenix Contact’s advisory addresses network security on firewalls: 

• FL MGUARD Series Firewall Vulnerability 
  CVE: CVE-2025-48291 | CVSS v4.0: 8.6 
  Remote authentication bypass could grant administrative access. Operators should update firmware to 12.3.1 or later, restrict management interface access, and enable logging. 

Foxguard Insight: Phoenix Contact’s FL MGUARD vulnerabilities confirm that perimeter devices become high-value targets for adversaries. Exploiting session validation flaws allows attackers to completely subvert authentication and gain administrative control, ensuring rapid lateral movement across OT networks. Strict segmentation, continuous monitoring of management interfaces, and active logging are essential to contain the risk. 

Eaton 

Eaton reported a high-privilege input validation issue in legacy devices: 

• Network-M2 Security Issue 
  CVE: CVE-2025-22495 | CVSS v3.1: 8.4 
  Improper input validation in the NTP server field could allow arbitrary command execution. Firmware version 3.1.17 or later should be applied, access to management interfaces restricted, and logs monitored. Note: Network-M2 has reached end-of-life; transition to Network-M3 is recommended. 

Foxguard Insight: Eaton’s Network-M2 vulnerabilities are a clear signal of the residual threat from legacy devices. Inadequate input validation on network interfaces allows high-privilege users to execute arbitrary commands, risking the systemic compromise of connected systems. To reduce exposure, operators must strictly enforce access controls, continuously monitor for anomalous activity, and prioritize migration to supported platforms. 

CISA 

CISA highlighted multiple high-severity exposures affecting controllers, HMIs, and video analytics systems. 

• Remote Code Execution – Advantech DeviceOn/iEdge 
  CVE: CVE-2025-12635, CVE-2025-12637, CVE-2025-12638 | CVSS v4.0: Up to 9.8 
  Improper authentication and command injection could allow full device compromise. Update to the latest version, restrict network access, and monitor logs. 
• Buffer Overflow – Fuji Electric Monitouch V-SFT-6 
  CVE: CVE-2025-12641 | CVSS v4.0: 9.8 
  Remote code execution could occur. Update software and restrict engineering port access. 
• Stack-Based Buffer Overflow – Delta Electronics CNCSoft-G2 
  CVE: CVE-2025-12643 | CVSS v4.0: 9.1 
  Update to the latest version and isolate engineering workstations. 

• Remote Control – ABB FLXeon Controllers 
  CVE: CVE-2025-12639 | CVSS v4.0: 8.8 
  Improper access control may permit remote code execution. Apply firmware updates and enforce access restrictions. 

• Hardcoded Credentials – Survision LPR Camera 
  CVE: CVE-2025-12642 | CVSS v4.0: 8.6 
  Default credentials may allow unauthorized access. Change credentials and apply firmware updates. 

• Denial of Service via Input Validation – Radiometrics VizAir 
  CVE: CVE-2025-12644 | CVSS v4.0: 8.2 
  Improper input validation could allow denial of service. Apply the vendor patch and monitor device behavior. 

Foxguard Insight: CISA’s November advisories reveal attackers are systematically exploiting both human and technical weaknesses to circumvent defenses and target critical OT assets. The attack surface spans a wide range of vulnerabilities, from authentication bypasses in Advantech iEdge and buffer overflows in HMI software to the serious risks posed by hardcoded credentials in cameras. This puts controllers, operator interfaces, and auxiliary monitoring systems directly in the crosshairs. Preventing system-wide disruption requires a layered defense strategy, combining timely patching, strong network segmentation, rigorous enforcement of least privilege, and continuous monitoring of operational behavior. 

Actionable Recommendations 

November’s advisories cover a mix of high-severity remote code execution, privilege escalation, and access control flaws. Based on this month’s disclosures, Foxguard recommends: 

• Prioritize high-risk remote code execution vulnerabilities: Patch Siemens Altair Grid Engine, LOGO! 8 BM devices, Rockwell Studio 5000 Simulation Interface, and CISA-listed Advantech and Fuji Electric systems. 

• Mitigate exposure where patches are not yet available: For Eaton Network-M2 cards or Phoenix FL MGUARD firewalls, enforce network segmentation, restrict management access, and monitor for anomalous activity. 

• Secure engineering, cloud, and diagnostic tools: Isolate COMOS, FactoryTalk DataMosaix, and SCADA visualization platforms from general OT networks. Enable logging and alerting for unusual activity. 

• Enforce strong access controls: Rotate credentials, remove defaults, and apply least privilege to all administrative accounts, particularly in firewalls and remote monitoring tools. 

• Coordinate multi-vendor patching: Synchronize Siemens, Schneider, and Rockwell updates to minimize windows of vulnerability, and ensure third-party libraries are current. 

How Foxguard Can Help 

Industrial control environments are growing increasingly complex. The November advisories confirm rapid exploitation of security gaps across both core ICS components and auxiliary systems. Vulnerabilities in Siemens grid engines, LOGO! 8 devices, and exposures in Rockwell’s simulation and cloud interfaces unequivocally prove that trusted operational tools function as entry points for lateral movement or privilege escalation.  

Foxguard’s platform and services are engineered to bridge the operational reality and security requirement, delivering actionable clarity, continuous oversight, and automated remediation pathways without disrupting production stability. 

Our services include:  

• FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.   

• FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.   

• FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.   

• FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.   

• FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.  

With Foxguard, operators gain the confidence to act decisively on vulnerabilities, maintain operational continuity, and reduce the window of exposure. By combining expert guidance, continuous monitoring, and automated patching, teams can stay ahead of threats and keep critical infrastructure resilient. 

Stay Ahead of Threats 

The vulnerabilities released this month highlight how much the security landscape around industrial systems continues to shift. Weaknesses are turning up not only in control devices but in the supporting tools and services that keep those systems running. Remote code execution flaws in grid, cloud, and simulation platforms show how easily a compromised engineering workstation or interface can become a pivot point into production networks.  

Keeping systems secure requires disciplined patch management, careful restriction of administrative and network interfaces, and continuous monitoring of activity between OT and IT segments, as even minor oversights in these areas can provide attackers with a point of entry.  

Foxguard works with operators to close those weak points using proven update workflows and continuous asset visibility—a straightforward approach that keeps systems stable and secure, even as new advisories keep coming.  

If your organization needs tailored support managing this month’s vulnerabilities or building a stronger long-term patch management plan, contact Foxguard today.  

Your security is our priority. Stay vigilant and stay protected.