Scada
Monthly
OS command injection in InSAT MasterSCADA BUK-TS through the MMadmServ web interface. Unauthenticated RCE on the SCADA management server. EPSS 1.26%.
SQL injection in InSAT MasterSCADA BUK-TS through the main web interface. ICS/SCADA system with unauthenticated SQL injection enabling full database compromise.
ScadaApp for iOS 1.1.4.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer in the Servername field. Attackers can paste a 257-character buffer during login to trigger an application crash on iOS devices. [CVSS 7.5 HIGH]
Remote code execution in FUXA prior to 1.2.11 allows authenticated administrators to bypass path traversal protections using nested directory sequences, enabling arbitrary file writes to the server filesystem. An attacker with admin privileges can inject malicious scripts into runtime directories that execute when the server reloads, achieving complete system compromise. Update to version 1.2.11 or later to remediate.
FUXA SCADA has an eleventh critical vulnerability — missing authorization from versions 1.2.8 onward.
FUXA SCADA has an authentication spoofing vulnerability from versions 1.2.8 through 1.2.10 — tenth critical vulnerability.
FUXA SCADA has a path traversal vulnerability — ninth critical vulnerability enabling arbitrary file access on SCADA servers.
FUXA SCADA has insecure default configuration with a known JWT secret — eighth critical vulnerability.
FUXA SCADA has yet another authorization bypass — now the seventh critical FUXA vulnerability discovered, enabling unauthenticated access to industrial controls.
FUXA SCADA/HMI software has an additional authorization bypass vulnerability enabling unauthenticated access to industrial control visualizations.
Unauthenticated attackers can retrieve sensitive InfluxDB credentials from FUXA versions through 1.2.9 due to missing authentication controls, enabling direct database access. An attacker exploiting this vulnerability can read, modify, or delete all historical process data and perform denial of service attacks by corrupting the database. FUXA 1.2.10 addresses this issue, but no patch is currently available for affected versions.
ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the password input field. [CVSS 7.5 HIGH]
CVE-2025-1727 is a critical vulnerability in RF-based remote linking protocols used for End-of-Train (EoT) and Head-of-Train (HoT/FRED) devices in railway operations. The vulnerability exploits a weak BCH checksum implementation that allows attackers to forge brake control commands using software-defined radios (SDR), potentially disrupting train operations or overwhelming brake systems. This affects railway infrastructure globally, with a CVSS score of 8.1 indicating high severity; active exploitation status and proof-of-concept availability are critical factors that determine immediate priority despite the attack requiring physical/adjacent network proximity.
A remote code execution vulnerability in Honeywell Experion PKS and OneWireless WDM (CVSS 9.4). Critical severity with potential for significant impact on affected systems.
CVE-2025-39202 is a local privilege escalation vulnerability in MicroSCADA X SYS600's Monitor Pro interface that allows authenticated users with low privileges to read and overwrite arbitrary files, leading to information disclosure and data corruption. The vulnerability affects the SYS600 product line and requires local access with valid credentials; while the CVSS score of 7.3 indicates moderate-to-high severity, real-world exploitability depends on whether this vulnerability has been added to CISA's KEV catalog or has publicly available proof-of-concept code.