SCADA systems, the backbone of critical infrastructure across various sectors, are facing increased susceptibility to cyber threats as they undergo digital transformations. Recent findings from PRODAFT’s security team have unveiled concerning vulnerabilities in the widely utilized mySCADA myPRO system, a leading SCADA management solution based in the Czech Republic. These vulnerabilities, if exploited, could compromise industrial control systems, resulting in significant operational disruptions and financial losses.
The vulnerabilities identified in the mySCADA myPRO system are linked to the inadequate validation of inputs within the myPRO Manager application. This oversight creates an opportunity for cyber attackers to launch specially crafted attacks using POST requests with email or version parameters to a specific port. Upon successful exploitation, these requests can inject system commands, triggering Remote Command Execution (RCE) and granting unauthorized access to execute arbitrary code on the system.
The two identified vulnerabilities, CVE-2025-20061 and CVE-2025-20014, each carry a high severity score of 9.8 on the CVSS scale (v3.1) and 9.3 on the CVSS scale (v4), highlighting the grave threat they pose to industrial systems and infrastructure. Both vulnerabilities fall under the CWE-78 category, indicating the application’s failure to appropriately sanitize inputs containing OS commands.
Primary impacted products include the mySCADA myPRO Manager (versions prior to 1.3) and myPRO Runtime (versions prior to 9.2.1). The presence of these vulnerabilities underscores the persistent security risks associated with SCADA systems and emphasizes the urgency for robust security measures.
To mitigate the risks posed by these vulnerabilities, organizations are advised to promptly apply vendor-issued patches for affected products, implement network segmentation to isolate SCADA systems from IT networks, enforce stringent access controls like multi-factor authentication (MFA), deploy IDS and SIEM solutions for real-time threat detection, and establish comprehensive incident response plans for effective containment and recovery in case of security incidents.
As the cybersecurity landscape continues to evolve, proactive security research and the adoption of robust defense strategies are imperative to safeguard critical infrastructure from emerging threats. The identified vulnerabilities in the mySCADA myPRO system serve as a reminder of the ongoing battle organizations face in securing SCADA systems in the face of evolving cyber risks.