Welcome to Foxguard’s ICS Critical Patch Updates for August 2025, your trusted monthly briefing on critical and high-severity vulnerabilities impacting Industrial Control Systems (ICS) and Operational Technology (OT) environments.
In August, a diverse array of advisories from Siemens, Schneider Electric, Rockwell, ABB, Phoenix Contact, and CISA addressed critical and high-severity vulnerabilities impacting everything from industrial control systems and operational technology to vital transportation infrastructure.
Note on CVSS Scores: Many vendors still rely predominantly on CVSS v3.1 for scoring vulnerabilities, but the use of CVSS v4.0 is gradually increasing for newer disclosures. In this blog, we’ve included the scores as published in vendor advisories to ensure you have the most accurate representation of severity for each vulnerability.
Below is a roundup of the most relevant advisories released this month and insights from Foxguard’s team to help you prioritize your patching and mitigation efforts.
Siemens
Siemens has released multiple security advisories this month, many of them rated high or critical. Key vulnerabilities include:
- Multiple SQLite Vulnerabilities in RUGGEDCOM CROSSBOW Station Access Controller Before V5.7 (CVSS v3.1 8.3 / CVSS v4.0 6.9): Multiple vulnerabilities in the integrated SQLite component could allow an attacker to execute arbitrary code or cause a denial of service. Siemens recommends updating to version 5.7 or later.
- Vulnerability in Nozomi Guardian/CMC on RUGGEDCOM APE1808 Devices (Multiple Vulnerabilities – CVSS v3.1 7.2 / CVSS v4.0 7.5): An OS command injection vulnerability and privilege escalation risk affect Nozomi Guardian/CMC. Siemens is preparing fixes and recommends countermeasures and contacting customer support in the interim.
- Local Arbitrary Code Execution Vulnerability in COMOS Before V10.6 (CVE-2024-8894 – CVSS v3.1 8.2 / CVSS v4.0 8.1): A specially crafted DWF file could trigger an out-of-bounds write, leading to a crash or possible code execution. Update to V10.6 is recommended.
- Deserialization Vulnerability in Siemens Engineering Platforms (CVE-2024-54678 – CVSS v3.1 8.2 / CVSS v4.0 8.6): Platforms before version 20 improperly handle user-controllable input, allowing arbitrary code execution. Update to the latest version is recommended.
- File Parsing Vulnerabilities in Simcenter Femap Before V2506 (CVSS v3.1 7.8 / CVSS v4.0 7.3): Multiple vulnerabilities in file parsing routines could lead to denial of service or arbitrary code execution. Update to V2506 or later is recommended.
- Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.1 (CVSS v3.1 9.1): Vulnerabilities in embedded third-party components could enable privilege escalation, denial of service, or information disclosure. Upgrade to version 3.1 or later.
- Multiple Vulnerabilities in SINEC Traffic Analyzer Before V3.0 (CVSS v3.1 7.8 / CVSS v4.0 8.8): Multiple vulnerabilities, including command injection and information disclosure risks, affect the Traffic Analyzer. Update to version 3.0 or later and apply mitigations.
- Arbitrary Code Execution Vulnerability in SIMATIC RTLS Locating Manager Before V3.2 (CVE-2025-40746 – CVSS v3.1 9.1 / CVSS v4.0 9.4): An arbitrary code execution vulnerability is exploitable via specially crafted inputs. Upgrade to V3.2 to resolve the issue.
- Deserialization Vulnerability in Siemens Engineering Platforms (CVE-2025-40759 – CVSS v3.1 7.8 / CVSS v4.0 8.5): Improper deserialization leads to a code execution risk. Update to V20 or later.
- Denial of Service Vulnerability in SIPROTEC 4 and SIPROTEC 4 Compact (CVE-2024-52504 – CVSS v3.1 7.5 / CVSS v4.0 8.7): A denial of service vulnerability exists via network-based attacks. Update to the latest versions and apply recommended mitigations.
- Multiple Vulnerabilities in Opcenter Quality Before V2506 (CVSS v3.1 7.1 / CVSS v4.0 7.5): Multiple issues, including injection and authentication bypass risks. Update to V2506 or later.
- Multiple Vulnerabilities in Third-Party Components in SINEC OS before V3.2 (CVSS v3.1 9.1 / CVSS v4.0 6.9): Vulnerabilities from third-party components may allow privilege escalation and denial of service. Upgrade to V3.2 or later.
- Privilege Escalation Vulnerability in WIBU CodeMeter Runtime Affecting Siemens Products (CVE-2025-47809 – CVSS v3.1 8.2): WIBU CodeMeter Runtime is vulnerable to local privilege escalation. Apply updates provided by WIBU and restrict access.
- DLL Hijacking Vulnerability in Siemens Web Installer used by the Online Software Delivery (CVE-2025-30033 – CVSS v3.1 7.8 / CVSS v4.0 8.5): The installer component is vulnerable to DLL hijacking, which could allow arbitrary code execution during installation. Use updated installer versions and apply strict security policies.
- Improper VNC Password Check Vulnerability in SINUMERIK Controllers (CVE-2025-40743 – CVSS v3.1 8.3 / CVSS v4.0 8.7): SINUMERIK Controllers improperly validate VNC passwords, allowing attackers to bypass authentication. Apply updates and disable VNC where not needed.
- Authentication Bypass Vulnerability in BIST mode of RUGGEDCOM ROX II (CVE-2025-40761 – CVSS v3.1 7.6 / CVSS v4.0 8.6): BIST mode is vulnerable to authentication bypass, allowing unauthorized administrative access. Disable BIST mode when not in use and apply available patches.
- Multiple OpenSSL Vulnerabilities in BFCClient Before V2.17 (CVSS v3.1 9.8 / CVSS v4.0 8.7): BFCClient is affected by multiple OpenSSL vulnerabilities that could lead to denial of service or code execution. Update to V2.17 or later.
Foxguard Insight: With a recurring theme of vulnerabilities in third-party components and deserialization flaws, this month’s Siemens advisories highlight a concentration of risks in engineering platforms like COMOS and Femap, as well as perimeter devices like RUGGEDCOM and SINEC. Foxguard recommends a holistic security approach that prioritizes patching these systems, restricts access, and disables unnecessary services like VNC and BIST mode to minimize the attack surface.
Schneider Electric
Schneider has released five security advisories, many of them rated high or critical.
- Privilege Management Vulnerability in Saitel DR RTU and Saitel DP RTU (CVE-2025-8453 – CVSS 8.4): This vulnerability allows for privilege escalation and unauthorized access. Schneider recommends updating to firmware versions 11.06.29+ for DR RTU and 11.06.34+ for DP RTU.
- Multiple Vulnerabilities in EcoStruxure™ Power Monitoring Expert (PME), Power Operation (EPO), and Power SCADA Operation (PSO) (Multiple Vulnerabilities up to CVSS v3.1 8.8 / CVSS v4.0 8.7): Vulnerabilities include deserialization, SSRF, and path traversal risks. Updates for PME versions 2022–2024 R2 are available, with mitigations including network segmentation and applying hotfixes.
- Improper Link Resolution Vulnerability in Schneider Electric Software Update (SESU) (CVE-2025-5296 – CVSS v3.1 7.3 / CVSS v4.0 7): This may allow unauthorized file access. Patch SESU to v3.0.12 or later.
- Improper Input Validation in Modicon M340 Controller and Communication Modules (CVE-2025-6625 – CVSS v3.1 7.5 / CVSS v4.0 8.7): This vulnerability impacts all versions and related modules. Mitigation includes firmware updates and network restrictions.
- Web Server Exposure Vulnerability on Modicon M340 and BMXNOE0100/0110, BMXNOR0200H Communication Modules (CVE-2024-12142 – CVSS v3.1 8.6 / CVSS v4.0 8.8): Could allow unauthorized access, modification of web pages, denial of service, and sensitive information exposure. Update firmware and limit network access.
Foxguard Insight: Schneider Electric’s August advisories highlight significant vulnerabilities in both data acquisition platforms (EcoStruxure) and core automation controllers (Modicon M340 and Saitel RTUs). The high CVSS scores associated with deserialization and web server exposure demonstrate the critical risks of unauthorized access and data tampering. Foxguard emphasizes the need for operators to prioritize firmware updates and implement network segmentation to protect these critical assets.
Rockwell Automation
Rockwell has released one security advisory:
- Multiple Memory Corruption Vulnerabilities in Arena® Simulation Before V16.20.10 (CVSS v3.1 7.8 / CVSS v4.0 8.4): Out-of-bounds read and buffer overflow vulnerabilities could allow arbitrary code execution or information disclosure if a user opens a specially crafted file. Rockwell recommends updating to version 16.20.10 or later.
Foxguard Insight: While these vulnerabilities are in a simulation tool, not an operational controller, they pose a significant risk to the OT environment. Compromising an engineering workstation could serve as a foothold for a broader attack. Foxguard recommends securing the entire OT network, including all non-operational software that interacts with it.
ABB
ABB has released one security advisory:
- Multiple vulnerabilities in ASPECT® (Enterprise, NEXUS, MATRIX): ABB recommends upgrading to 3.08.04-s01 or later. For specific CVEs, there are no corrective measures planned, so ABB advises hardening systems by not exposing them to the internet, isolating them, and restricting access.
Foxguard Insight: The ABB advisory reinforces a recurring challenge in OT security: vulnerabilities for which no patches are available. In these situations, asset owners must rely on compensatory controls like network isolation, firewalls, and restricted access to minimize risk. This is a critical reminder of the importance of a defense-in-depth strategy.
Phoenix Contact
Phoenix Contact has released one security advisory:
- Device and Update Management Windows Installer Privilege Escalation (CVE-2025-41686 – CVSS v3.1 7.8): A privilege escalation vulnerability exists in Device and Update Management prior to version 2025.3.1. This could allow a low-privileged local user to execute arbitrary code with administrative privileges. Phoenix Contact recommends updating to version 2025.3.1.
Foxguard Insight: This advisory highlights the risks associated with local threats. A malicious insider or an attacker with physical access could exploit this flaw to gain administrative privileges on a workstation. Foxguard recommends implementing strict access controls and physical security measures as a vital defense to mitigate such risks.
CISA
CISA has released seven security advisories, many of them rated high or critical.
- Multiple vulnerabilities in Ashlar-Vellum Cobalt, Xenon, Argon, Lithium, and Cobalt Share (CVSS v4.0 8.4): Could allow information disclosure or arbitrary code execution. Ashlar-Vellum recommends updating to version 12.6.1204.204 or later.
- Multiple vulnerabilities in Johnson Controls iSTAR Ultra, iSTAR Ultra SE, iSTAR Ultra G2, iSTAR Ultra G2 SE, and iSTAR Edge G2 (CVSS v4.0 8.7): Could allow firmware modification or access to protected areas. Johnson Controls recommends updating to firmware 6.9.3 or newer and restricting device access.
- Multiple vulnerabilities in AVEVA PI Integrator for Business Analytics (CVSS v4.0 7.1): These could allow information disclosure or file upload/execution. AVEVA recommends upgrading to 2020 R2 SP2 or later.
- Multiple vulnerabilities in Santesoft Sante PACS Server (CVSS v4.0 9.1): Could allow arbitrary file creation, denial-of-service, information disclosure, or cross-site scripting. Santesoft recommends upgrading to 4.2.3 or later.
- MegaSys Computer Technologies Telenium Online Web Application (CVE-2025-8769 – CVSS v4.0 9.3): This could allow remote code execution via arbitrary Perl code injection through crafted HTTP requests. MegaSys recommends upgrading to v7.4.72 or v8.3.36.
- End-of-Train and Head-of-Train Remote Linking Protocol (CVE-2025-1727 – CVSS v4.0 7.2): This could allow attackers to send unauthorized brake control commands to EoT/HoT devices, disrupting operations or inducing brake failure. Affected vendors include Wabtec and Siemens.
- CISA Adds Three Known Exploited Vulnerabilities to Catalog: CVE-2013-3893, CVE-2007-0671, CVE-2025-8088. These could allow remote code execution or path traversal attacks.
Foxguard Insight: CISA’s August advisories are a stark reminder of the breadth of ICS risks, from building access systems (Johnson Controls) and medical imaging servers (Santesoft) to critical transportation infrastructure (EoT/HoT protocols). The addition of three vulnerabilities to CISA’s Known Exploited Vulnerabilities Catalog signals that these are actively being used in attacks. It is paramount for asset owners to prioritize remediation for these and other high-severity flaws, especially those with remote code execution potential.
Actionable Recommendations
Reflecting the varied nature of this month’s advisories, our recommendations focus on key themes such as securing engineering platforms, mitigating unpatched vulnerabilities, and hardening network boundaries against a range of remote and local threats:
- Prioritize critical remote exploitation paths: Focus on patching high-severity flaws with remote code execution potential, such as deserialization vulnerabilities in Siemens Engineering Platforms and authentication bypasses in RUGGEDCOM and SINUMERIK devices.
- Patch where possible, mitigate where not: Apply available updates immediately for high-risk assets like Schneider’s Modicon controllers. For vulnerabilities with no patch, such as with some ABB ASPECT products, implement compensating controls and restrict network exposure.
- Audit file handling procedures: As seen with Rockwell Arena and Siemens COMOS, enforce that engineering workstations only process files from trusted sources to prevent code execution via malicious files.
- Harden ICS network boundaries: Enforce segmentation between OT and IT, apply allow-listing rules, and monitor for unusual traffic to protect against protocol-level and web server attacks.
- Address vendor-confirmed unpatched vulnerabilities: Implement strict isolation and compensating controls for devices with known vulnerabilities but no available patch. Regularly audit these controls to ensure they remain effective.
How Foxguard Can Help
Addressing ICS vulnerabilities can be overwhelming, but Foxguard offers tailored solutions to simplify security management and protect critical infrastructure.
Our services include:
- FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.
- FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.
- FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.
- FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.
- FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.
Backed by years of expertise and trusted by numerous clients worldwide, Foxguard provides the essential tools and insights that empower critical infrastructure operators to stay ahead of emerging cyber risks.
Stay Ahead of Threats
The August advisories demonstrate how ICS threats are becoming more complex, with attackers exploiting supply chain weaknesses and targeting a wider range of systems. From common third-party components embedded in Siemens devices, to engineering workstations such as Rockwell’s Arena, and even critical transportation protocols flagged by CISA, no part of the environment is off-limits.
These disclosures make it clear that a defense strategy focused solely on operational controllers is no longer enough. Organizations also need to protect development tools, tighten network defenses against protocol and deserialization flaws, and keep an eye on vulnerabilities lurking in embedded libraries. CISA’s change in how they distribute advisories back in May is a reminder that keeping up requires flexible monitoring and alerting—relying on a single channel isn’t enough to catch everything.
If your organization requires support in managing ICS vulnerabilities, contact Foxguard today.
Your security is our priority. Stay vigilant and stay protected.