
On August 28, 2025, CISA published nine advisories covering Mitsubishi Electric, Schneider Electric, Delta Electronics, GE Vernova, and Hitachi Energy. Several issues are remotely exploitable with low attack complexity. Patches exist for many products, while some Mitsubishi Electric PLC weaknesses have no planned fix and can only be addressed with compensating controls. No known public exploitation is reported as of August 28, 2025 [1]. (cisa.gov)
Overview
These ICS advisories span PLCs, HMI/SCADA software, RTUs, and engineering tools. Highlights include two Mitsubishi Electric MELSEC iQ-F CPU module weaknesses (missing authentication on MODBUS/TCP and cleartext SLMP credentials), Schneider Electric Saitel DR/DP privilege escalation, two Delta Electronics advisories (CNCSoft‑G2 file-parsing code execution and COMMGR stack overflow/code injection), a GE Vernova CIMPLICITY uncontrolled search path element, a broad Mitsubishi Electric FA engineering software rollup (Update D), a Mitsubishi Electric ICONICS/MC Works64 local privilege issue (Update B), and a Hitachi Energy Relion/SAM600‑IO authenticated reboot DoS. CVSS v4 base scores range from 4.4 to 8.8; remote, low‑complexity attack paths exist for MELSEC iQ‑F and Delta COMMGR, while several others are local‑only. CISA reports no in‑the‑wild exploitation across the set [2]–[10]. (cisa.gov)
Impact
- Loss of view/control and unauthorized logic changes in PLC environments due to unauthenticated MODBUS/TCP writes or credential interception against MELSEC iQ‑F modules (CVE‑2025‑7405, CVE‑2025‑7731). Operators could face unexpected program stops or manipulated process values [2], [3]. (cisa.gov)
- Workstation compromise risks from malicious project/file types: DPAX for CNCSoft‑G2 and ISP for COMMGR. Successful exploitation can yield code execution in the current user context or full remote code execution for COMMGR (CVE‑2025‑47728, CVE‑2025‑53418, CVE‑2025‑53419) [5], [6]. (cisa.gov)
- Local privilege escalation on operator servers/engineering HMIs via path hijacking (GE CIMPLICITY, CVE‑2025‑7719) and unsafe service behavior (Schneider Electric Saitel DR/DP, CVE‑2025‑8453), enabling arbitrary code at elevated privileges [4], [7]. (cisa.gov)
- Targeted denial‑of‑service in substation protection and I/O devices (Hitachi Energy Relion 670/650 and SAM600‑IO; CVE‑2025‑1718) via authenticated FTP, causing device reboot and potential protection unavailability until recovery [10]. (cisa.gov)
- Numerous low‑to‑medium‑severity local flaws in Mitsubishi Electric FA engineering products can lead to Windows blue screen or privilege escalation when malicious code executes on the engineering workstation (multiple CVEs; Update D) [8]. (cisa.gov)
Affected Products & Versions
- Mitsubishi Electric MELSEC iQ‑F CPU module (two advisories)
  - Missing authentication for critical function (CVE‑2025‑7405): FX5U/FX5UC firmware 1.060 and later; FX5UJ all versions; FX5S all versions [2], [11].
  - Cleartext transmission of sensitive information (CVE‑2025‑7731): FX5U/FX5UC/FX5UJ/FX5S, all versions [3], [12]. (cisa.gov, mitsubishielectric.com)
- Schneider Electric Saitel DR and Saitel DP RTUs
  - Saitel DR: 11.06.29 and prior; Saitel DP: 11.06.34 and prior (CVE‑2025‑8453) [4], [13]. Fix available for DR; DP fix pending. (cisa.gov, download.schneider-electric.com)
- Delta Electronics CNCSoft‑G2
  - v2.1.0.20 and prior (CVE‑2025‑47728) [5], [14]. (cisa.gov, filecenter.deltaww.com)
- Delta Electronics COMMGR
  - v2.9.0 and prior (CVE‑2025‑53418, CVE‑2025‑53419) [6], [15]. (cisa.gov, filecenter.deltaww.com)
- GE Vernova CIMPLICITY HMI/SCADA
  - Versions 2024, 2023, 2022, 11.0 (CVE‑2025‑7719) [7]. Fix distributed as CIMPLICITY 2024 SIM 4 (KB article 000071725) [7]. (cisa.gov)
- Mitsubishi Electric Multiple FA Engineering Software (Update D)
  - Multiple tools including GX Works2 ≤ 1.622Y, GX Works3 ≤ 1.106L, iQ Works ≤ 2.102G, MX Component ≤ 5.007H, FR Configurator2 ≤ 1.32J, and others. Update D adds new fixed versions (e.g., GX Works2 1.625B, GX Works3 1.110Q, iQ Works 2.106L) [8]. See the advisory for the full matrix. (cisa.gov)
- ICONICS Product Suite and Mitsubishi Electric MC Works64 (Update B)
  - GENESIS64: all versions; GENESIS: 11.00; MC Works64: all versions (CVE‑2025‑0921). GENESIS is fixed in 11.01; GENESIS64 fix is in development; no MC Works64 fix planned [9], [17]. (cisa.gov, mitsubishielectric.com)
- Hitachi Energy Relion 670/650 and SAM600‑IO
  - Affected ranges include Relion 650 versions 1.0.0–<2.0.0 and multiple 2.2.x trains, Relion 670 versions 1.0.0–2.2.6.3, and SAM600‑IO 2.2.1.0–2.2.1.6 and 2.2.5.0–2.2.5.7 (CVE‑2025‑1718) [10]. (cisa.gov)
Exposure & Exploitability
- Network‑exploitable, low‑complexity
  - MELSEC iQ‑F MODBUS/TCP missing authentication (AV:N/PR:N/UI:N). Attackers can read/write device values and stop programs. No vendor fix is planned [2], [11]. (cisa.gov, mitsubishielectric.com)
  - MELSEC iQ‑F SLMP cleartext credentials (AV:N/PR:N/UI:N). Credentials captured in transit enable unauthorized writes and program stops. No fix planned; encryption via VPN is recommended [3], [12]. (cisa.gov, mitsubishielectric.com)
  - Delta COMMGR stack overflow (AV:N/PR:N/UI:N) and code injection (AV:L/UI:R). Specially crafted ISP files can trigger code execution; one issue is remote without user interaction [6], [15]. (cisa.gov, filecenter.deltaww.com)
- Local‑only with privilege gain
  - GE CIMPLICITY uncontrolled search path element enables low‑privileged users to escalate privileges (AV:L/PR:L). Upgrade is available [7]. (cisa.gov)
  - Schneider Electric Saitel DR/DP improper privilege management requires a privileged engineer with console access; DR has a fixed firmware, DP remediation is pending [4], [13]. (cisa.gov, download.schneider-electric.com)
- User‑interaction file parsing
  - Delta CNCSoft‑G2 DPAX parsing out‑of‑bounds write requires opening a malicious file or web content; it is not remotely exploitable per CISA [5], [14]. (cisa.gov, filecenter.deltaww.com)
- Authenticated network DoS
  - Hitachi Energy Relion/SAM600‑IO devices can be rebooted by an authenticated user via FTP due to improper disk space handling (PR:L). Vendor patches are available for specific trains [10]. (cisa.gov)
- Exploitation status
  - CISA notes no known public exploitation for any of the nine advisories as of August 28, 2025 [2]–[10]. (cisa.gov)
Detection & Telemetry
- Network and protocol analytics
  - Alert on unauthorized MODBUS/TCP write function codes to MELSEC iQ‑F addresses from new or untrusted hosts. Baseline normal polling intervals and flag sudden spikes in write operations (MITRE ATT&CK: Exploit Public‑Facing Application, T1190; Valid Accounts, T1078; Network Sniffing, T1040 for captured credentials).
  - For Hitachi Energy devices, monitor authenticated FTP sessions that rapidly create or upload large files preceding device reboots; correlate with device syslog/IEC‑104 status loss (ATT&CK: Endpoint DoS, T1499).
- File and endpoint telemetry
  - CNCSoft‑G2: block and quarantine unknown DPAX attachments; create detections for CNCSoft‑G2 process launches followed by exceptions or abnormal child processes (ATT&CK: User Execution, T1204; Exploitation for Client Execution, T1203).
  - COMMGR: detect ISP file handling that leads to memory corruption or script execution; look for new persistence artifacts coincident with COMMGR usage (ATT&CK: Process Injection, T1055; Create or Modify System Process, T1543).
- Privilege escalation and path hijacking
  - GE CIMPLICITY: use Sysmon to alert on DLL search order anomalies (Event ID 7, ImageLoad) and unexpected new binaries within application directories; monitor PATH/environment changes (ATT&CK: Hijack Execution Flow, T1574.002).
  - Schneider Saitel: deploy file integrity monitoring on root‑level daemon configs; ensure ownership root:root and mode 600 where feasible. Alert on any non‑root write attempt followed by elevated script execution (ATT&CK: Hijack Execution Flow, T1574).
- General OT logging
  - Centralize logs from engineering workstations, HMIs, and controllers. Tie controller program changes and operator account use to change tickets. Track anomalous device stops and compare to human‑machine interface actions.
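The MODBUS/TCP write-monitoring item above can be prototyped as follows. This is an added example, not code from CISA or any vendor: it assumes you already have TCP payloads captured on the path to the PLC's port 502, the function-code set is the standard Modbus one, and the IP addresses, allowlist, and spike threshold are constructed for illustration.

```python
import struct
from collections import Counter

# Standard Modbus function codes that change controller state.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
                   0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers"}

def parse_adu(payload: bytes):
    """Return (unit_id, function_code) for one Modbus/TCP request, or None if malformed."""
    if len(payload) < 8:                       # 7-byte MBAP header + function code
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length < 2 or len(payload) < 6 + length:
        return None                            # wrong protocol id or truncated frame
    return unit, payload[7]

def detect_writes(frames, allowed_writers, max_writes_per_window=5):
    """frames: (timestamp, src_ip, tcp_payload) sent to the PLC on TCP/502 in one window."""
    alerts, writes = [], Counter()
    for ts, src, payload in frames:
        parsed = parse_adu(payload)
        if parsed is None:
            alerts.append((ts, src, "malformed Modbus/TCP frame"))
            continue
        fc = parsed[1]
        if fc not in WRITE_FUNCTIONS:
            continue                           # reads and diagnostics are not flagged here
        writes[src] += 1
        if src not in allowed_writers:
            alerts.append((ts, src, "write from unapproved host: " + WRITE_FUNCTIONS[fc]))
    for src, count in writes.items():          # crude stand-in for a learned baseline
        if count > max_writes_per_window:
            alerts.append((None, src, f"write spike: {count} writes in window"))
    return alerts

def adu(tid, fc, data, unit=1):
    """Build a constructed sample request (MBAP length = unit id + function code + data)."""
    return struct.pack(">HHHB", tid, 0, len(data) + 2, unit) + bytes([fc]) + data

# Constructed sample traffic; addresses and the allowlist are illustrative assumptions.
SAMPLE = [
    (0.0, "10.0.5.10", adu(1, 0x03, b"\x00\x00\x00\x02")),              # HMI poll (read)
    (1.0, "10.0.5.10", adu(2, 0x06, b"\x00\x10\x00\x01")),              # approved HMI write
    (2.0, "10.0.9.77", adu(3, 0x10, b"\x00\x20\x00\x01\x02\x00\x2a")),  # write, unknown host
    (3.0, "10.0.9.77", b"\x00\x04\x00\x00"),                            # truncated frame
]
```

Calling `detect_writes(SAMPLE, allowed_writers={"10.0.5.10"})` returns one alert for the write from the unapproved host and one for the truncated frame; the approved HMI's read and single write pass silently.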
Mitigations & Patching/Workarounds
Prioritize updates on high‑exposure assets first. Apply vendor fixes where available; otherwise, harden and segment aggressively. Always test changes in a staging environment.
- Mitsubishi Electric MELSEC iQ‑F (CVE‑2025‑7405, CVE‑2025‑7731)
  - No fixed firmware is planned. Enforce network isolation, IP filtering, and VPN‑only access to encrypt SLMP; do not expose PLCs to untrusted networks [2], [3], [11], [12]. (cisa.gov, mitsubishielectric.com)
- Schneider Electric Saitel DR/DP (CVE‑2025‑8453)
  - Apply Saitel DR HUe firmware 11.06.30; for Saitel DP, follow Schneider’s interim mitigations, enforce password policies, restrict console access, and plan for the vendor fix when released [4], [13]. Consider migration to the PowerLogic T500 where appropriate [4]. (cisa.gov, download.schneider-electric.com)
- Delta Electronics CNCSoft‑G2 (CVE‑2025‑47728)
  - Update to v2.1.0.27 or later; block untrusted DPAX content and restrict user write privileges on engineering workstations [5], [14]. (cisa.gov, filecenter.deltaww.com)
- Delta Electronics COMMGR (CVE‑2025‑53418, CVE‑2025‑53419)
  - Update to v2.10.0 or later; restrict externally sourced ISP files and enforce application allowlisting on engineering hosts [6], [15]. (cisa.gov, filecenter.deltaww.com)
- GE Vernova CIMPLICITY (CVE‑2025‑7719)
  - Upgrade to CIMPLICITY 2024 SIM 4 (KB 000071725). If an upgrade is not immediately possible, contact GE Vernova for interim hardening guidance and follow the Secure Deployment Guide [7]. (cisa.gov)
- Mitsubishi Electric FA Engineering Software (multiple CVEs; Update D)
  - Apply the product‑specific fixed versions (e.g., GX Works2 1.625B, GX Works3 1.110Q, iQ Works 2.106L, MX Component 5.008J). Restrict physical access, run antivirus, and avoid opening untrusted files [8]. (cisa.gov)
- ICONICS Suite / MC Works64 (CVE‑2025‑0921; Update B)
  - GENESIS: update to 11.01 or later. GENESIS64 fix is in development; disable Classic OPC Point Manager on GENESIS 11.00 and restrict logins to administrators. MC Works64 has no planned fix; follow the vendor’s compensating controls [9], [17]. (cisa.gov, mitsubishielectric.com)
- Hitachi Energy Relion 670/650 and SAM600‑IO (CVE‑2025‑1718)
  - Upgrade affected trains to 2.2.6.4 or 2.2.5.8, or to 2.2.7 where supported. Restrict FTP access to trusted, authenticated users and segment management networks [10]. (cisa.gov)
If compromise is suspected
- Isolate affected engineering workstations and PLC networks. Collect volatile memory and controller diagnostics. Review recent program changes, user additions, and firmware updates. Rotate credentials captured over cleartext protocols immediately.
Timeline
- August 28, 2025: CISA announces nine ICS advisories [1]. (cisa.gov)
- August 28, 2025: Initial republications for MELSEC iQ‑F (2025‑011, 2025‑012) and Schneider Saitel DR/DP (SEVD‑2025‑224‑01) [2]–[4]. (cisa.gov)
- August 28, 2025: New advisories for Delta CNCSoft‑G2, Delta COMMGR, and GE CIMPLICITY published [5]–[7]. (cisa.gov)
- August 28, 2025: Mitsubishi Electric FA Engineering Software Update D; Mitsubishi ICONICS/MC Works64 Update B; Hitachi Energy Relion/SAM600‑IO Update A [8]–[10]. (cisa.gov)
- Prior dates of note: Schneider vendor notice dated August 12, 2025; Delta CNCSoft‑G2 vendor notice dated June 4, 2025; Delta COMMGR vendor notice dated August 26, 2025 [13]–[15]. (download.schneider-electric.com, filecenter.deltaww.com)
References
- [1] CISA Alert — CISA Releases Nine Industrial Control Systems Advisories (August 28, 2025)
  https://www.cisa.gov/news-events/alerts/2025/08/28/cisa-releases-nine-industrial-control-systems-advisories
- [2] CISA ICS Advisory ICSA‑25‑240‑01 — Mitsubishi Electric MELSEC iQ‑F Series CPU Module (Missing Authentication; CVE‑2025‑7405)
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-01
- [3] CISA ICS Advisory ICSA‑25‑240‑02 — Mitsubishi Electric MELSEC iQ‑F Series CPU Module (Cleartext Transmission; CVE‑2025‑7731)
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-02
- [4] CISA ICS Advisory ICSA‑25‑240‑03 — Schneider Electric Saitel DR & Saitel DP RTU (CVE‑2025‑8453)
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-03
- [5] CISA ICS Advisory ICSA‑25‑240‑04 — Delta Electronics CNCSoft‑G2 (CVE‑2025‑47728)
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-04
- [6] CISA ICS Advisory ICSA‑25‑240‑05 — Delta Electronics COMMGR (CVE‑2025‑53418, CVE‑2025‑53419)
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-05
- [7] CISA ICS Advisory ICSA‑25‑240‑06 — GE Vernova CIMPLICITY (CVE‑2025‑7719)
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-240-06
- [8] CISA ICS Advisory ICSA‑24‑135‑04 (Update D) — Mitsubishi Electric Multiple FA Engineering Software Products (multiple CVEs)
  https://www.cisa.gov/news-events/ics-advisories/icsa-24-135-04
- [9] CISA ICS Advisory ICSA‑25‑140‑04 (Update B) — Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (CVE‑2025‑0921)
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-140-04
- [10] CISA ICS Advisory ICSA‑25‑184‑01 (Update A) — Hitachi Energy Relion 670/650 and SAM600‑IO (CVE‑2025‑1718)
  https://www.cisa.gov/news-events/ics-advisories/icsa-25-184-01
- [11] Mitsubishi Electric PSIRT — 2025‑011: Information Disclosure/Tampering/DoS in MELSEC iQ‑F (Missing Authentication; CVE‑2025‑7405)
  https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-011_en.pdf
- [12] Mitsubishi Electric PSIRT — 2025‑012: Information Disclosure in MELSEC iQ‑F (Cleartext SLMP; CVE‑2025‑7731)
  https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-012_en.pdf
- [13] Schneider Electric Security Notification SEVD‑2025‑224‑01 — Saitel DR & Saitel DP RTU (CVE‑2025‑8453)
  https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2025-224-01&p_File_Name=SEVD-2025-224-01.pdf&p_enDocType=Security+and+Safety+Notice
- [14] Delta Electronics PCSA‑2025‑00007 — CNCSoft‑G2 File Parsing Memory Corruption (CVE‑2025‑47728)
  https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00007_CNCSoft-G2 – File Parsing Memory Corruption.pdf
- [15] Delta Electronics PCSA‑2025‑00014 — COMMGR Stack‑Based Buffer Overflow and Code Injection (CVE‑2025‑53418, CVE‑2025‑53419)
  https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2025-00014_COMMGR Stack-based Buffer Overflow and Code Injection Vulnerabilities.pdf
- [16] CISA ICS Recommended Practices — Improving ICS Cybersecurity with Defense‑in‑Depth Strategies
  https://us-cert.cisa.gov/ics
- [17] Mitsubishi Electric PSIRT — 2025‑002: Information Tampering in GENESIS64, MC Works64, and GENESIS (CVE‑2025‑0921)
  https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-002_en.pdf
Notes on scope and uncertainty
- Several advisories explicitly state “no known public exploitation” and “not exploitable remotely” where applicable; those statements are sourced from the CISA pages cited above as of August 28, 2025. Vendor patch availability and affected version matrices are summarized here; consult the linked vendor notices for the most current, product‑level details.








