CISA issued three critical Industrial Control Systems (ICS) advisories on June 3, 2025, warning organizations about severe vulnerabilities affecting Schneider Electric and Mitsubishi Electric industrial automation products.
These advisories highlight exploitable flaws that could enable remote code execution, authentication bypass, and denial-of-service attacks across critical infrastructure sectors, including energy, commercial facilities, and critical manufacturing.
The vulnerabilities carry CVSS scores ranging from 4.6 to 9.3, with two classified as remotely exploitable with low attack complexity, posing immediate risks to organizations worldwide that rely on these industrial control systems in their operational technology environments.
Schneider Home Automation Buffer Overflow Risk
The most severe vulnerability, tracked as CVE-2023-4041 with a CVSS v4 score of 9.3, affects Schneider Electric’s Wiser AvatarOn 6K Freelocate and Wiser Cuadro H 5P Socket products across all versions.
Advisory ICSA-25-153-01 identifies this as a classic buffer overflow vulnerability (CWE-120) stemming from buffer copy operations without proper input size validation in the Silicon Labs Gecko Bootloader firmware update parser modules.
This flaw enables attackers to inject malicious code or completely bypass authentication mechanisms through network-based attacks requiring low complexity.
Since these products have reached end-of-life status, Schneider Electric cannot provide firmware updates, leaving organizations with limited mitigation options, including disabling firmware updates in the Zigbee Trust Center or completely removing affected devices from service.
Schneider Electric Buffer Overflow
Schneider Electric’s EcoStruxure Power Build Rapsody software faces a significant security risk through CVE-2025-3916, a stack-based buffer overflow vulnerability (CWE-121) affecting version 2.7.12 FR and earlier releases.
Advisory ICSA-25-153-02 reveals that local attackers can exploit this vulnerability by crafting malicious SSD project files that trigger arbitrary code execution when opened by unsuspecting users.
While the CVSS v4 score of 4.6 indicates lower severity compared to the previous vulnerability, the CVSS vector string (AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) still poses substantial risks to energy sector organizations.
The company has released version 2.8.1 FR as a remediation measure, requiring immediate updates and system reboots.
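As an added example (not taken from the advisory or the vendor), the Python code below decodes the CVSS v4.0 base vector quoted above for CVE-2025-3916 and extracts the facts that matter for triage: whether the flaw is network reachable, whether a user must act, and the worst impact level. The function names `parse_cvss4_base` and `triage_summary` are hypothetical, the metric tables follow the FIRST CVSS v4.0 specification, and only base metrics are handled (no score is computed).

```python
IMPACT = {"H": "High", "L": "Low", "N": "None"}
# Base metrics in the order the CVSS v4.0 specification requires.
BASE_METRICS = {
    "AV": ("Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("Attack Complexity", {"L": "Low", "H": "High"}),
    "AT": ("Attack Requirements", {"N": "None", "P": "Present"}),
    "PR": ("Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("User Interaction", {"N": "None", "P": "Passive", "A": "Active"}),
    "VC": ("Vulnerable System Confidentiality", IMPACT),
    "VI": ("Vulnerable System Integrity", IMPACT),
    "VA": ("Vulnerable System Availability", IMPACT),
    "SC": ("Subsequent System Confidentiality", IMPACT),
    "SI": ("Subsequent System Integrity", IMPACT),
    "SA": ("Subsequent System Availability", IMPACT),
}

def parse_cvss4_base(vector):
    """Return {metric: value_code} for a CVSS v4.0 base vector, else raise ValueError."""
    parts = vector.strip().split("/")
    if parts[0].startswith("CVSS:"):          # the prefix is optional here
        if parts[0] != "CVSS:4.0":
            raise ValueError(f"unsupported version prefix {parts[0]!r}")
        parts = parts[1:]
    parsed = {}
    for part in parts:
        key, sep, value = part.partition(":")
        if not sep or key not in BASE_METRICS:
            raise ValueError(f"unknown or malformed metric {part!r}")
        if key in parsed:
            raise ValueError(f"duplicate metric {key}")
        if value not in BASE_METRICS[key][1]:
            raise ValueError(f"invalid value {value!r} for {key}")
        parsed[key] = value
    if list(parsed) != list(BASE_METRICS):    # all 11 present, in spec order
        raise ValueError("base metrics missing or out of order")
    return parsed

def triage_summary(parsed):
    """Reduce a parsed vector to the questions asked first during triage."""
    impacts = (parsed[m] for m in ("VC", "VI", "VA", "SC", "SI", "SA"))
    return {
        "network_reachable": parsed["AV"] == "N",
        "needs_user_action": parsed["UI"] != "N",
        "needs_privileges": parsed["PR"] != "N",
        "worst_impact": IMPACT[max(impacts, key="NLH".index)],
    }

if __name__ == "__main__":
    # Vector string as quoted in the article for CVE-2025-3916.
    vec = "AV:L/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
    print(triage_summary(parse_cvss4_base(vec)))
```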
Mitsubishi Electric PLC Info Disclosure
The third advisory, ICSA-25-153-03, addresses CVE-2025-3755, which affects Mitsubishi Electric’s MELSEC iQ-F Series programmable logic controllers, with a CVSS v3.1 score of 9.1.
This improper validation vulnerability (CWE-1285) allows remote attackers to read confidential information, trigger denial-of-service conditions, or halt CPU module operations by transmitting specially crafted packets to affected systems.
The vulnerability impacts multiple product variants, including FX5U, FX5UC, FX5UJ, and FX5S series controllers across all firmware versions.
Mitsubishi Electric recommends implementing comprehensive network segmentation strategies, including firewall deployment, VPN usage for internet access, IP filtering functions to block untrusted hosts, and restricting physical access to affected devices and connected networks.
These advisories underscore the critical importance of maintaining robust cybersecurity practices for industrial control systems, as successful exploitation could significantly impact critical infrastructure operations across multiple sectors globally.