CyberSecurity SEE

New additions to the CISA Known Exploited Vulnerabilities Catalog

The recent release of security advisories by the Cybersecurity and Infrastructure Security Agency (CISA) has shed light on critical vulnerabilities affecting various platforms, including industrial control systems (ICS). These advisories play a crucial role in alerting users and administrators about potential risks associated with exploitable vulnerabilities. By taking a proactive approach, CISA ensures that organizations stay informed about the latest threats and equipped with the necessary defenses to safeguard their systems.

One of the significant advisories issued by CISA pertains to a vulnerability in Schneider Electric’s EcoStruxure Power Monitoring Expert (PME), specifically Update A. This software is extensively used for monitoring and managing power systems in different industries. The vulnerability identified could have severe implications if exploited, potentially enabling remote code execution and posing a significant threat to sensitive infrastructure systems. The flaw, categorized as a deserialization of untrusted data (CWE-502), stems from unsafe deserialization when data is posted to the PME’s web server. Known as CVE-2024-9005, this vulnerability has garnered a CVSS v3 base score of 7.1 and a CVSS v4 score of 7.3. A successful exploit could grant malicious actors the ability to remotely execute code, compromising system integrity and overall security.

In response to this vulnerability, Schneider Electric has provided mitigations for affected users. Users of PME 2022 and earlier versions can acquire a hotfix from Schneider Electric’s Customer Care Center. Furthermore, users are strongly advised to upgrade to the latest PME versions and adhere to industry-standard cybersecurity practices such as network isolation and firewall protection.

In addition to these advisories, CISA has updated its Known Exploited Vulnerabilities Catalog with new vulnerabilities that have been actively exploited in the wild. This catalog serves as a vital resource for agencies and enterprises, aiding them in prioritizing patches for vulnerabilities that are already being targeted by malicious actors. The most recent inclusion in this catalog is CVE-2025-2783, a high-severity vulnerability affecting Google Chrome. This flaw, found in the Mojo component, enables attackers to bypass Chrome’s sandboxing mechanisms on Windows versions prior to 134.0.6998.177. The vulnerability results from incorrect handle management in Mojo, potentially allowing attackers to escape the sandbox and execute arbitrary code on the system.

Furthermore, CISA has identified two deserialization vulnerabilities, CVE-2019-9874 and CVE-2019-9875, in the Sitecore CMS and Sitecore Experience Platform (XP). These vulnerabilities could permit attackers to execute arbitrary code through unsafely deserialized data. While CVE-2019-9874 impacts earlier versions of Sitecore CMS and XP, CVE-2019-9875 affects versions up to Sitecore 9.1. Exploiting these vulnerabilities could grant attackers unauthorized access to systems, compromising their security.
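As an added illustration (not code from the article or from CISA), the following Python triages the CVE identifiers named above against a feed in the shape of CISA's KEV JSON (field names as the catalog publishes them) and checks an installed Chrome build against the fixed version the article cites. The embedded feed is a constructed sample: its dates and text are placeholders, not values from the real catalog.

```python
import json
from typing import Dict, Iterable, List

# CVE identifiers named in the article.
ARTICLE_CVES = {"CVE-2024-9005", "CVE-2025-2783", "CVE-2019-9874", "CVE-2019-9875"}

# Constructed sample in the shape of the real KEV feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# CVE-2024-9005 is deliberately absent: the article describes it as an ICS advisory,
# not a KEV entry. Dates and requiredAction strings are placeholders.
SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
    "vulnerabilities": [
        {"cveID": "CVE-2025-2783", "vendorProject": "Google", "product": "Chromium Mojo",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2019-9874", "vendorProject": "Sitecore", "product": "CMS and XP",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-2019-9875", "vendorProject": "Sitecore", "product": "CMS and XP",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
         "requiredAction": "Apply mitigations per vendor instructions."},
        {"cveID": "CVE-0000-0000", "vendorProject": "ExampleVendor", "product": "Unrelated",
         "dateAdded": "2025-01-01", "dueDate": "2025-01-22", "requiredAction": "n/a"},
    ],
})

def kev_entries_for(feed_json: str, cve_ids: Iterable[str]) -> Dict[str, dict]:
    """Return the KEV records (keyed by cveID) for the CVEs we care about."""
    wanted = set(cve_ids)
    feed = json.loads(feed_json)
    return {e["cveID"]: e for e in feed["vulnerabilities"] if e["cveID"] in wanted}

def triage(feed_json: str, cve_ids: Iterable[str]) -> List[str]:
    """One line per CVE: KEV due date and required action, or a note that it is not listed."""
    entries = kev_entries_for(feed_json, cve_ids)
    rows = []
    for cve in sorted(cve_ids):
        e = entries.get(cve)
        if e is None:
            rows.append(f"{cve}: not in KEV (patch per vendor advisory anyway)")
        else:
            rows.append(f"{cve}: {e['vendorProject']} {e['product']} - due {e['dueDate']}: "
                        f"{e['requiredAction']}")
    return rows

def chrome_below_fixed(installed: str, fixed: str = "134.0.6998.177") -> bool:
    """True if a dotted Chrome build is numerically older than the fixed build from the article."""
    return tuple(int(p) for p in installed.split(".")) < tuple(int(p) for p in fixed.split("."))

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_KEV_FEED, ARTICLE_CVES)))
```

Point `kev_entries_for` at the downloaded live feed instead of `SAMPLE_KEV_FEED` to get the actual due dates for your environment.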

The updates to the Known Exploited Vulnerabilities Catalog underscore the critical importance of addressing vulnerabilities actively exploited by cybercriminals. By staying vigilant and implementing the necessary security patches and mitigations, organizations can effectively reduce the risk of falling victim to cyberattacks targeting these vulnerabilities. It is imperative for users of Schneider Electric’s EcoStruxure PME, Google Chrome, and Sitecore CMS/XP to heed these warnings and take prompt action to secure their systems.

The growing number of vulnerabilities added to the CISA Known Exploited Vulnerabilities Catalog serves as a stark reminder of the persistent threat posed by cybercriminals targeting known weaknesses in commonly used software and hardware. CISA encourages all entities to stay informed and proactive in safeguarding their systems against potential cyber threats. By staying updated and taking the necessary precautions, organizations can mitigate risks and protect themselves from malicious exploitation of these critical vulnerabilities.
