ICS Critical Patch Updates: May 2025 

Welcome to Foxguard’s ICS Critical Patch Updates May 2025, your go-to overview of the top vulnerabilities affecting Industrial Control Systems.

Each month, major ICS vendors release critical vulnerability disclosures and security advisories. Foxguard reviews these updates, highlights key risks, and summarizes vendor-provided patches or mitigations to help asset owners and operators stay informed and prepared. 

For May’s ICS Patch Tuesday, Siemens, Schneider Electric, Phoenix Contact, and Rockwell all issued new advisories, several of which contain high and critical CVSS scores. CISA also published advisories impacting multiple industrial products, including ABB and Hitachi Energy. 

Siemens 

Siemens issued 18 new security advisories, several of which are high and critical in severity. Among the most serious: 

• Code Execution and SQL Injection in OZW Web Servers: CVE-2025-26389 (CVSS 10) and CVE-2025-26390 (CVSS 9.3). These vulnerabilities could allow attackers to execute arbitrary code with root privileges (pre-V8.0) or authenticate as an Administrator (pre-V6.0). Siemens has released updated versions and strongly recommends applying them. 

• Authentication Bypass in BMC – SIMATIC IPC RS-828A: CVE-2024-54085 (CVSS 10). This vulnerability could allow unauthorized access, compromising the confidentiality, integrity, and availability of the BMC and the entire system. Fixes are in progress, and Siemens has published temporary countermeasures. 

• Client-Side Enforcement of Server-Side Security in RUGGEDCOM ROX II: (CVSS 9.4). A vulnerability affecting users with highly privileged web interface accounts could result in privileged code execution in the underlying OS. New versions have been released. 

• Impact of “Blastradius” (RADIUS Protocol Vulnerability): CVE-2024-3596 (CVSS 9.1). This vulnerability affects several Siemens products (SIPROTEC, SICAM, and others) and could allow on-path attackers between a Network Access Server and RADIUS server to forge Access-Request packets, manipulating responses to gain unauthorized network access. Fixes are available for many affected products, with more on the way. 

Updated Advisories 

Several previously published advisories have also been updated with new fixes or clarifications: 

• Heap-based Buffer Overflow in User Management Component (UMC) / Updated remediation for SINEC NMS: Siemens updated remediation for SINEC NMS to point directly to the UMC update addressing the heap-based buffer overflow. 

• Heap-based Buffer Overflow in User Management Component (UMC) / Added remediation for Totally Integrated Automation Portal (TIA Portal) V17, V18, and V19: New fixes added for TIA Portal versions V17, V18, and V19 for the same vulnerability. 

• Denial-of-Service Vulnerability in Automation License Manager / Added fix for V6.0: Patch added to mitigate denial-of-service issues affecting Automation License Manager V6.0. 

• Weak Authentication Vulnerability in Industrial Edge Device Kit / No further fixes for versions V1.17, V1.18, and V1.19: Siemens clarified no additional fixes are planned for these version lines. 

Foxguard Insight: Siemens’ advisories this month emphasize the serious impact of vulnerabilities in edge and management interfaces, as well as long-standing protocol flaws (e.g., RADIUS manipulation). The CVSS 10 ratings—especially in BMC and OZW Web Servers—highlight the risk of remote exploitation and complete system takeover. Operators should prioritize patching systems with exposed interfaces and review compensating controls for unsupported product lines. 

Schneider Electric 

Schneider Electric has released multiple new security advisories, many of them high and critical. The ones with the highest severity include: 

• Erlang/OTP SSH Vulnerability – Galaxy UPS Products: CVE-2025-32433 (CVSS 10). This flaw could lead to complete system compromise. Schneider is currently providing mitigations for affected products. 

• Arbitrary File Read in Modicon Controllers: CVE-2025-2875 (CVSS 8.7). Unauthenticated attackers could read sensitive data from affected controllers (M241/M251/M258/LMC058). A fix is available in version 5.3.12.48 for M241/M251; future fixes planned for M258/LMC058. 

• Update: Modicon M580, BMENOR2200H, EVLink Pro AC: CVE-2024-11425 (CVSS 8.7). A remediation is now available for BMENOR2200H. 

Foxguard Insight: With high-impact vulnerabilities affecting both data center infrastructure (Galaxy UPS) and core control systems (Modicon), Schneider’s advisories call for immediate attention. Operators should review product-specific mitigation steps and consider temporary isolation of affected devices until patches can be applied. 

Phoenix Contact 

Phoenix Contact disclosed a vulnerability affecting the industrial controllers AXL F BK and IL BK bus couplers: 

• (CVE-2025-2813 – CVSS 7.5): Exploiting port 80 could cause device overload. Firmware updates are available, and users are advised to restrict use to protected, closed networks. Denial-of-service scanning on port 80 should be disabled if used in such environments. 

Foxguard Insight: While this is a lower-severity vulnerability, the potential disruption in high-availability systems shouldn’t be overlooked, and tightly controlling network scanning tools and traffic within ICS environments, even when operating inside trusted zones, should be prioritized. 

Rockwell Automation 

Rockwell Automation has published one security advisory: 

• Local Privilege Escalation and Denial-of-Service in ThinManager: (CVE-2025-3617 – CVSS 8.5 and CVE-2025-3618 – CVSS 8.7). These vulnerabilities could lead to local privilege escalation and denial of service. Rockwell advises implementing general security best practices while fixes are pending. 

Foxguard Insight: Rockwell’s advisory highlights the risks of local threats and the importance of enforcing strict access control, even in operator-focused environments. While these are not remote execution flaws, the privilege escalation potential may be particularly concerning in shared HMI environments where ThinManager is deployed. 

CISA 

CISA published five high-severity ICS security advisories: 

• Hitachi Energy Service Suite: (CVSS 9.3). Multiple vulnerabilities could allow full system compromise. Users should upgrade to version 9.8.1.4. 

• Hitachi Energy Relion Series: CVE-2023-4518 (CVSS 7.1). Classic buffer overflow could result in device reboot and service disruption. Workarounds are provided. 

• Hitachi Energy MACH GWS Products: (CVSS 9.4). Vulnerabilities may allow code injection, file manipulation, session hijacking, and unauthorized port access. Updates are available. 

• ABB Automation Builder: CVE-2025-3394 (CVSS 8.5) and CVE-2025-3395 (CVSS 8.4). Incorrect permission assignments could compromise user management. CISA provides security setting guidance as mitigation. 

• Mitsubishi Electric MELSOFT MaiLab and VIXIO: CVE-2023-4807 (CVSS 8.2). Improper verification of cryptographic signatures could allow a remote attacker to cause a denial-of-service condition in the target product. Mitsubishi Electric recommends updating to fixed versions. 

Important CISA Update: As of May 12, 2025, CISA will no longer list cybersecurity updates or ICS advisories on its website. Future notifications will be shared via CISA’s social media platforms and email lists. Read the announcement here. 

Foxguard Insight: CISA’s decision to move advisory distribution off its website marks a major procedural change for how operators receive critical security updates. If your ICS security workflows depend on weekly or monthly website reviews, now’s the time to adjust. Subscribe to direct feeds or partner with a provider like Foxguard to ensure alerts aren’t missed. The latest batch of advisories, spanning Hitachi, ABB, and Mitsubishi Electric, demonstrate the wide vendor footprint of critical vulnerabilities, reinforcing the importance of consistent, multi-vendor patching strategies. 

Actionable Recommendations  

1. Prioritize patching for high and critical vulnerabilities: Focus on Siemens’ OZW Web Servers, BMC in SIMATIC IPC RS-828A, and Schneider Electric’s Galaxy UPS systems first due to their CVSS 10 ratings and potential for full system compromise. 

2. Apply updated remediations for previously disclosed vulnerabilities: Ensure that Siemens’ updates for UMC, TIA Portal, and Automation License Manager are implemented promptly. 

3. Review compensating controls and isolate unsupported or unpatchable devices: For example, Siemens’ Industrial Edge Device Kit versions with no planned fixes should be segmented or monitored closely. 

4. Limit network exposure of vulnerable ICS devices and services: Restrict management interfaces and disable unnecessary services such as port 80 scanning on Phoenix Contact bus couplers. 

5. Enforce strict access controls for local and operator environments: Rockwell’s ThinManager vulnerabilities underline the importance of limiting privilege escalation risks. 

6. Update ICS security monitoring workflows to adapt to CISA’s new advisory distribution method: Subscribe to direct CISA feeds, follow official social media channels, or leverage trusted partners like Foxguard to stay informed. 

How Foxguard Can Help 

Addressing ICS vulnerabilities can be overwhelming, but Foxguard offers tailored solutions to simplify security management and protect critical infrastructures.  

Our services include:  

• FOXGUARD DISCOVER: Asset and network visibility solution for ICS and OT environments, providing real-time visibility of critical assets, detecting vulnerabilities, and offering actionable insights to enhance security posture.   

• FOXGUARD CYBERWATCH: Asset and vulnerability management platform that monitors, manages, and remediates security risks across ICS and OT environments, ensuring compliance and reducing overall cyber risk.   

• FOXGUARD PATCHINTEL: Patch intelligence service that provides patch availability reports to identify available security updates, and a secure supply chain to acquire and validate patch binaries for improved patch management and compliance.   

• FOXGUARD DEPLOY: Patch distribution and deployment solution that securely applies validated patches across ICS and OT systems, ensuring timely and effective patch management to maintain security.    

• FOXGUARD MANAGED SERVICES: Provides Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) to continuously assess, prioritize, and address security risks in ICS and OT environments, helping maintain security compliance and operational integrity.  

Backed by years of expertise and trusted by numerous clients worldwide, Foxguard provides the essential tools and insights that empower critical infrastructure operators to stay ahead of emerging cyber risks.  

Stay Ahead of Threats  

The threat landscape for Industrial Control Systems is evolving rapidly, with attackers increasingly targeting supply chains, management interfaces, and legacy protocols. This month’s critical advisories highlight the urgent need for patching exposed systems and reinforcing network defenses. 

Operators should maintain close collaboration between IT and OT teams to ensure comprehensive visibility and rapid incident response. Regularly testing compensating controls and monitoring for suspicious behavior remain essential, especially for devices no longer receiving updates. 

Adjust your alerting processes to account for CISA’s move away from website postings and leverage trusted partners or direct feeds to avoid missing critical updates. Proactive preparation and layered defenses will help mitigate risk and strengthen resilience against emerging threats. 

If your organization requires support in managing ICS vulnerabilities, contact Foxguard today.  

Your security is our priority. Stay vigilant and stay protected.