ICS Critical Patch Updates: December 2025 

Welcome to Foxguard’s ICS Critical Patch Updates December 2025 report, your monthly overview of newly disclosed vulnerabilities affecting Industrial Control Systems (ICS) and Operational Technology (OT), your monthly overview of newly disclosed vulnerabilities affecting Industrial Control Systems (ICS) and Operational Technology (OT).  

This month, Siemens, Schneider Electric, Rockwell Automation, and CISA reported high-severity issues spanning engineering software, industrial controllers, Ruggedcom devices, and OT monitoring platforms. Several advisories describe remote code execution, denial-of-service conditions, and privilege escalation, which could impact grid operations, industrial network stability, or access to sensitive OT systems. 

Vulnerabilities are not limited to core controllers—supporting software and cloud services remain frequent targets. Siemens COMOS and SICAM T devices, Schneider EcoStruxure™ Foxboro DCS Advisor services, and Rockwell FactoryTalk® DataMosaix™ Private Cloud are examples of systems requiring prompt patching and careful configuration to prevent unauthorized actions or operational disruption. 

Note on CVSS Scores: All vulnerabilities this month are reported using CVSS v4.0. Vendor-reported base scores are included where available, providing operators with clear visibility of each issue’s severity to guide remediation priorities.  

Siemens  

Siemens released multiple high-severity advisories this month affecting engineering software, rugged networking platforms, grid devices, and supporting authentication components:  

• SSA-212953 – Multiple Vulnerabilities in COMOS 

CVE: Multiple | CVSS v4.0: 10.0 

COMOS engineering software contains several critical flaws that may allow remote code execution, privilege escalation, or denial-of-service. Compromise could impact engineering workflows and system integrity. 

Recommendation: Update to the latest COMOS release. Restrict access to COMOS servers, avoid untrusted project files, and apply Siemens’ hardening guidance. 

• SSA-471761 – Multiple Vulnerabilities in SICAM T (Before V3.0) 

CVE: Multiple | CVSS v4.0: 9.9 

SICAM T devices prior to V3.0 contain vulnerabilities enabling remote code execution, denial of service, or unauthorized access to sensitive functions. 

Recommendation: Update to firmware V3.0 or later, restrict interface access, enforce firewall rules, and monitor for suspicious activity. 

• SSA-202008 – Multiple Vulnerabilities in RUGGEDCOM ROX (Before V2.17.0) 

CVE: Multiple | CVSS v4.0: 9.8 

RUGGEDCOM ROX devices running firmware before V2.17.0 contain improper input validation and buffer overflows that may allow remote code execution or denial of service. 

Recommendation: Update to firmware V2.17.0 or later, isolate management interfaces, and apply strict firewall rules. 

• SSA-912274 – Multiple Vulnerabilities in RUGGEDCOM ROX (Before V2.17) 

CVE: Multiple | CVSS v4.0: 8.8 

Additional vulnerabilities affect ROX-based devices prior to V2.17 that are not addressed by SSA-202008, allowing potential remote code execution or system disruption. 

Recommendation: Install firmware V2.17 or later and isolate administrative interfaces. 

• SSA-416652 – Multiple Vulnerabilities in SIMATIC CN 4100 (Before V4.0.1) 

CVE: Multiple | CVSS v4.0: 8.3 

Flaws in SIMATIC CN 4100 could allow remote code execution, denial of service, or unauthorized access, affecting network communications. 

Recommendation: Update to V4.0.1 or later and restrict management access. 

• SSA-710408 – Missing Server Certificate Validation in Siemens Advanced Licensing Toolkit (SALT) 

CVE: CVE-2025-40801 | CVSS v4.0: 8.1 

SALT fails to validate server certificates, enabling possible MITM attacks. 

Recommendation: Apply updated SALT components and restrict access to licensing servers. 

• SSA-915282 – Denial-of-Service Vulnerability in Interniche IP-Stack Devices 

CVE: CVE-2025-40820 | CVSS v4.0: 7.5 

Crafted packets could trigger denial of service in devices using the Interniche IP-Stack. 

Recommendation: Update to patched firmware and apply segmentation and IDS monitoring. 

• SSA-868571 – Missing Server Certificate Validation in IAM Client 

CVE: CVE-2025-40802 | CVSS v4.0: 7.4 

IAM Client does not properly validate certificates, potentially enabling MITM attacks. 

Recommendation: Update to the latest IAM Client version and enforce TLS best practices. 

Foxguard Insight: Siemens’ December advisories illustrate that even foundational engineering systems can become operational risks if management interfaces or network boundaries are inadequately protected. Prioritizing patching while enforcing access controls and network segmentation is essential to reduce exposure.  

Schneider Electric  

Schneider released one critical advisory this month affecting Foxboro DCS Advisor services:  

• SEVD-2025-343-02 – EcoStruxure™ Foxboro DCS Advisor Services 

CVE: Not individually listed | CVSS v4.0: 9.8 (estimated) 

Foxboro DCS Advisor services are exposed via underlying Microsoft Server 2016/2022 WSUS patches (KB5066836 and KB5066782). Exploitation may allow privilege escalation or bypass update validation. 

Recommendation: Apply Microsoft’s December updates and follow Schneider’s hardening guidance for Advisor services. 

Foxguard Insight: Vulnerabilities in supporting software such as WSUS can propagate risk to industrial systems. Operators should confirm patch application and monitor downstream systems to prevent privilege misuse or update validation bypass.  

Rockwell Automation  

Rockwell issued two high-severity advisories impacting cloud environments and industrial hardware:  

• SD1765 – FactoryTalk® DataMosaix™ Private Cloud SQL Injection  
  CVE: CVE-2025-12807 | CVSS v4.0: 8.7 

A SQL injection vulnerability may allow an authenticated attacker to manipulate database queries, potentially leading to unauthorized data access or modification. 

Recommendation: Update to the patched DataMosaix release and enforce least-privilege database access.  

• SD1764 – 432ES-IG3 Series A Denial-of-Service Vulnerability  
  CVE: CVE-2025-9368 | CVSS v4.0: 8.7 

Crafted packets could crash affected devices, disrupting industrial network communications. 

Recommendation: Install updated firmware and isolate devices from untrusted networks.  

Foxguard Insight: SQL injection in FactoryTalk DataMosaix Private Cloud and a DoS in 432ES-IG3 Series A devices show Cloud and industrial endpoints both present risk vectors. Exploitation could expose or manipulate data and disrupt network communications. Patch promptly, or isolate devices and monitor closely to prevent exploitation and maintain network stability.  

CISA  

CISA released multiple high-severity advisories this month spanning video systems, access control equipment, collaboration tools, and network monitoring platforms: 

• ICSA-25-343-03 – India-Based CCTV Cameras 

CVE: CVE-2025-13607 | CVSS v4.0: 9.3 

Vulnerabilities allow attackers to bypass authentication, access video feeds, or disrupt surveillance. 

Recommendation: Apply vendor firmware updates and restrict remote access.  

• ICSA-25-336-02 – Iskra iHUB and iHUB Lite 

CVE: CVE-2025-13510 | CVSS v4.0: 9.0 

Authentication bypass and privilege escalation vulnerabilities affect all versions. 

Recommendation: Install vendor patches or restrict access. 

• ICSA-25-336-01 – Industrial Video & Control Longwatch 

CVE: CVE-2025-13658 | CVSS v4.0: 8.8 

Vulnerabilities may allow remote code execution or denial of service. 

Recommendation: Update to the latest Longwatch release and restrict network access. 

• ICSA-25-338-07 – Advantech iView 

CVE: CVE-2025-13373 | CVSS v4.0: 8.7 

Network management flaws may allow remote code execution or denial of service. 

Recommendation: Update to the latest iView version and restrict management access. 

• ICSA-25-338-02 – MAXHUB Pivot 

CVE: CVE-2025-53704 | CVSS v4.0: 8.7 

Vulnerabilities could allow remote code execution or privilege escalation. 

Recommendation: Update to the patched release and restrict access to collaboration servers. 

• ICSA-25-343-01 – Universal Boot Loader (U-Boot) 

CVE: CVE-2025-24857 | CVSS v4.0: 8.6 

Secure boot bypass, privilege escalation, or code execution may be possible. 

Recommendation: Apply patched U-Boot versions and enforce secure boot configurations. 

• ICSA-25-338-05 – Sunbird DCIM dcTrack & Power IQ 

CVE: CVE-2025-66237/66238 | CVSS v4.0: 8.4 

Flaws may allow unauthorized access or arbitrary code execution. 

Recommendation: Update to the latest releases and apply segmentation controls. 

• ICSA-25-338-06 – SolisCloud Monitoring Platform 

CVE: CVE-2025-13932 | CVSS v4.0: 8.3 

Vulnerabilities may allow manipulation of solar monitoring data or service disruption. 

Recommendation: Update to patched SolisCloud releases and restrict monitoring access. 

• ICSMA-25-336-01 – Mirion Medical EC2 NMIS BioDose 

CVE: CVE-2025-64642 | CVSS v4.0: 7.5 

Flaws could allow unauthorized access to sensitive medical data. 

Recommendation: Update to the latest Mirion Medical release. 

Foxguard Insight: CISA flags multiple remote code execution and privilege escalation risks across Longwatch, iHUB, MAXHUB, Advantech iView, Sunbird DCIM, and U-Boot. Patching high-risk systems, maintaining strict segmentation and access controls, and careful monitoring while updates are applied is advised. These advisories remind operators that even peripheral systems can be pivot points if ignored.  

Actionable Recommendations  

December’s advisories include critical vulnerabilities in Siemens engineering and grid devices, Schneider Foxboro DCS services, Rockwell cloud and industrial systems, and multiple CISA-flagged OT platforms. To reduce exposure and maintain operational stability, Foxguard recommends:  

• Patch high-severity Siemens devices immediately: Apply updates for COMOS, SICAM T, and RUGGEDCOM ROX to mitigate remote code execution, privilege escalation, and denial-of-service risks.  

• Update supporting software and cloud platforms: Apply Microsoft updates for EcoStruxure Foxboro DCS Advisor services and Rockwell FactoryTalk DataMosaix Private Cloud patches to prevent privilege escalation and SQL injection attacks.  

• Secure OT network interfaces: Isolate management ports, enforce firewall rules, and segment networks for Siemens, Rockwell, and CISA-flagged devices to limit lateral movement and reduce attack surfaces.  

• Enforce secure communications: Update Siemens IAM Client and SALT Toolkit, validate certificates, and maintain logging to detect and prevent man-in-the-middle attacks or abnormal access attempts.  

• Patch peripheral and monitoring systems: Update CISA-flagged devices including Longwatch, iHUB, MAXHUB, Advantech iView, Sunbird DCIM, U-Boot, and Mirion Medical NMIS BioDose to prevent unauthorized access and operational disruption.  

How Foxguard Can Help  

This month’s advisories show that attackers exploit both primary ICS devices and ancillary software components, leveraging multiple types of vulnerabilities—from SQL injection to certificate validation failures. This environment demands strategic patch prioritization, network hardening, and continuous monitoring.  

Foxguard’s team of ICS and OT security experts help operators to simplify the process and focus on actionable risk reduction. We help organizations prioritize patches, enforce strong controls, and keep watch over critical infrastructure, so teams can focus on running their systems safely and without disruption.  

Our services include:   

• FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.    

• FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.    

• FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.    

• FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.    

• FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.   

Foxguard works alongside operators to make sense of a patch landscape that can quickly become overwhelming, providing analysis and context so teams can prioritize patching and hardening efforts effectively.  

Stay Ahead of Threats  

The initiative behind our monthly patch update stems from years of experience in the field, reflecting a true understanding of what operators need to cut through the noise. December’s advisories certainly remind us of how important these updates are.  

Attackers are leveraging both high-value ICS devices and supporting OT systems as entry points, making it critical to patch, segment, and monitor every device—no matter how peripheral—to reduce operational risk. Consistent verification of patch deployments, proactive network monitoring, and rapid response to anomalous activity are key strategies to maintain secure OT environments.  

If your organization needs tailored support managing this month’s vulnerabilities or building a stronger long-term patch management plan, contact Foxguard today.   

Your security is our priority. Stay vigilant and stay protected.