The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday issued two new advisories and updated two others, flagging active vulnerabilities and exploits that continue to threaten ICS (industrial control systems) environments. The updates, which include flaws affecting Siemens, Tigo Energy, and EG4 products, put critical sectors such as energy, utilities, and manufacturing at heightened risk. CISA said the disclosures are intended to help asset owners and operators quickly assess exposure and apply mitigations before attackers can exploit these weaknesses.

In an advisory, CISA warned that Siemens’ Desigo CC Product Family and SENTRON Powermanager contain a ‘least privilege violation’ vulnerability affecting the global critical manufacturing sector. According to the advisory, “Successful exploitation of this vulnerability could allow privilege escalation.”

Siemens reports that the affected products include the Desigo CC family versions 5.0, 5.1, 6, 7, and 8, along with SENTRON Powermanager versions 5, 6, 7, and 8.

The flaw lies in the Wibu CodeMeter runtime used by these products: Wibu CodeMeter before 8.30a sometimes allows privilege escalation immediately after installation (before a logoff or reboot). Exploitation requires that the installation was performed by an unprivileged user with UAC, that the CodeMeter Control Center component is installed, and that this component has not been restarted since installation. In this scenario, the local user can navigate from Import License to a privileged instance of Windows Explorer.

CVE-2025-47809 has been assigned to this vulnerability, and a CVSS v3.1 base score of 8.2 has been calculated. 

Siemens recommends that users reduce risk by updating the WIBU CodeMeter. To do this, uninstall the previously installed version through the Control Panel, then install CodeMeter V8.30a from WIBU’s support site. Once installation is complete, restart the client or server. Further details about the vulnerability in CodeMeter Runtime are available in the WIBU Systems Security Advisory WIBU-100120.

CISA disclosed the presence of an ‘improper verification of cryptographic signature’ in Siemens’ Mendix SAML Module hardware used across the global critical manufacturing sector. “Successful exploitation of this vulnerability could allow unauthenticated remote attackers to hijack an account in specific SSO configurations.”

Siemens reports that affected products include Mendix SAML versions prior to V3.6.21 (compatible with Mendix 9.24), versions prior to V4.0.3 (compatible with Mendix 10.12), and versions prior to V4.1.2 (compatible with Mendix 10.21).

Affected versions of the module insufficiently enforce signature validation and binding checks. This could allow unauthenticated remote attackers to hijack an account in specific SSO configurations.

CVE-2025-40758 has been assigned to this vulnerability and a CVSS v3.1 base score of 8.7 has been calculated. Siemens reported the vulnerability to CISA. 

Siemens advises users of the affected products to ensure configurations have UseEncryption enabled. For Mendix SAML, users should update to version 3.6.21 or later for Mendix 9.24 compatibility, version 4.0.3 or later for Mendix 10.12, and version 4.1.2 or later for Mendix 10.21. As a broader security measure, Siemens recommends restricting network access with appropriate safeguards and operating devices within a protected IT environment, following both its industrial security guidelines and product manual recommendations.

In another advisory, CISA revealed that Tigo Energy Cloud Connect Advanced equipment contains use of hard-coded credentials, command injection, and predictable seed in pseudo-random number generator (PRNG) vulnerabilities. The equipment is deployed across the global energy sector, and the advisory noted that successful exploitation of these vulnerabilities could allow attackers to gain unauthorized administrative access using hard-coded credentials, escalate privileges to take full control of the device, modify system settings, disrupt solar energy production, interfere with safety mechanisms, execute arbitrary commands via command injection, cause service disruptions, expose sensitive data, and recreate valid session IDs to access sensitive device functions on connected solar inverter systems due to insecure session ID generation.

The affected versions of Cloud Connect Advanced include 4.0.1 and earlier. Anthony Rose and Jacob Krasnov of BC Security and Peter Kariuki of Ovanova reported these vulnerabilities to CISA. Tigo Energy is aware of these vulnerabilities and is actively working on a fix to address them.

Tigo Energy’s Cloud Connect Advanced (CCA) device contains hard-coded credentials that allow unauthorized users to gain administrative access. This vulnerability enables attackers to escalate privileges and take full control of the device, potentially modifying system settings, disrupting solar energy production, and interfering with safety mechanisms.

CVE-2025-7768 has been assigned to this vulnerability. It carries a CVSS v3.1 base score of 9.8 and a CVSS v4 base score of 9.3.

Tigo Energy’s CCA is vulnerable to a command injection vulnerability in the /cgi-bin/mobile_api endpoint when the DEVICE_PING command is called, allowing remote code execution due to improper handling of user input. When used with default credentials, this enables attackers to execute arbitrary commands on the device, potentially resulting in unauthorized access, service disruption, and data exposure.

CVE-2025-7769 has been assigned to this vulnerability, with a CVSS v3.1 base score of 8.8 and a CVSS v4 base score of 8.7.
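The weakness class behind a "ping"-style command handler is easiest to see with the vulnerable pattern and its hardened form side by side. The example below is added for this article and is not Tigo Energy's code; the function names, the `ping -c 1` invocation and the sample targets are this example's own assumptions. The vulnerable form interpolates the caller's parameter into a shell string (the string is only built here, never executed); the hardened form validates the target as an IP literal or hostname and passes it as a single argv element with no shell involved.

```python
"""Added example: a host-reachability handler built two ways (not vendor code)."""
import ipaddress
import re
import subprocess

# RFC 1123-style hostname: labels of alphanumerics and hyphens, dot-separated.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def build_vulnerable_command(target: str) -> str:
    """Vulnerable pattern: the parameter becomes part of a shell command line.
    Returned as a string for inspection only; a shell would interpret any
    metacharacters in 'target' as additional commands."""
    return f"ping -c 1 {target}"


def is_valid_target(target: str) -> bool:
    """Allow-list check: an IPv4/IPv6 literal or a syntactically valid hostname.
    Anything else (spaces, ';', '|', '$', quotes, leading '-') is rejected."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(target))


def build_hardened_argv(target: str) -> list:
    """Hardened form: validate first, then build an argument vector.
    No shell is involved, so the target is always exactly one argument."""
    if not is_valid_target(target):
        raise ValueError("rejected target")
    return ["ping", "-c", "1", target]


def device_ping(target: str, execute: bool = False) -> list:
    """Handler entry point. Returns the argv it would run; executes only when
    asked, with shell=False and a timeout so a slow target cannot hang it."""
    argv = build_hardened_argv(target)
    if execute:
        subprocess.run(argv, shell=False, check=False, timeout=5)
    return argv


if __name__ == "__main__":
    # Constructed inputs: a legitimate address and one carrying a shell metacharacter.
    for candidate in ("192.0.2.10", "192.0.2.10; echo injected"):
        print(candidate, "->", "accepted" if is_valid_target(candidate) else "rejected")
```

The key design point is that validation and `shell=False` are independent layers: the allow-list keeps hostile strings out, and even if validation were later loosened, passing an argv list means the operating system receives the target as data rather than as a command line to parse.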

Tigo Energy’s CCA device is vulnerable to insecure session ID generation in its remote API. The session IDs are generated using a predictable method based on the current timestamp, allowing attackers to recreate valid session IDs. When combined with the ability to circumvent session ID requirements for certain commands, this enables unauthorized access to sensitive device functions on connected solar optimization systems.

CVE-2025-7770 has been assigned to this vulnerability, with a CVSS v3.1 base score of 8.8 and a CVSS v4 base score of 8.7.
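Two properties matter for the session-ID weakness described above: the ID must not be derivable from anything an outsider can observe (such as the clock), and every sensitive command must check it. The example below is added here and is not Tigo Energy's code; the command names, the session lifetime and the session-store layout are assumptions made for the illustration. It shows a clock-seeded generator whose output can be recomputed from the timestamp alone, a CSPRNG-based replacement, a defender's check that distinguishes the two, and a dispatcher with no per-command exceptions to the session requirement.

```python
"""Added example: clock-derived vs CSPRNG session IDs, plus a uniform session check."""
import hashlib
import random
import secrets
from typing import Callable, Dict, Optional

SESSION_TTL_SECONDS = 900          # assumed lifetime for this example
PROTECTED_COMMANDS = {"GET_STATUS", "SET_CONFIG", "DEVICE_RESET"}   # made-up names


def weak_session_id(now: float) -> str:
    """Vulnerable pattern: a non-cryptographic PRNG seeded from the clock.
    Everything downstream is a pure function of 'now', so anyone who knows
    roughly when a session was issued can regenerate it. Hashing the output
    changes its appearance but adds no entropy."""
    rng = random.Random(int(now))                      # deterministic per second
    raw = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(raw).hexdigest()[:32]


def strong_session_id() -> str:
    """Hardened form: 256 bits from the OS CSPRNG, independent of the clock."""
    return secrets.token_urlsafe(32)


def is_clock_reproducible(generator: Callable[[float], str], now: float) -> bool:
    """Defender's check: feeding the same observable input twice must NOT
    produce the same ID. True here means the generator carries no secret."""
    return generator(now) == generator(now)


class SessionStore:
    """Issues CSPRNG IDs, expires them, and compares them in constant time."""

    def __init__(self) -> None:
        self._sessions: Dict[str, float] = {}          # session id -> expiry time

    def issue(self, now: float) -> str:
        sid = strong_session_id()
        self._sessions[sid] = now + SESSION_TTL_SECONDS
        return sid

    def is_valid(self, sid: str, now: float) -> bool:
        for stored, expiry in self._sessions.items():
            if secrets.compare_digest(stored, sid):
                return now < expiry
        return False


def dispatch(store: SessionStore, command: str, sid: Optional[str], now: float) -> str:
    """Every protected command passes through the same session check. There is
    deliberately no list of commands that skip it, which is the bypass the
    advisory pairs with the weak ID generation."""
    if command not in PROTECTED_COMMANDS:
        return "unknown command"
    if sid is None or not store.is_valid(sid, now):
        return "denied"
    return f"ok:{command}"


if __name__ == "__main__":
    t = 1_700_000_000.0   # constructed timestamp
    print("clock-seeded generator reproducible:", is_clock_reproducible(weak_session_id, t))
    print("CSPRNG generator reproducible:", is_clock_reproducible(lambda _: strong_session_id(), t))
```

The `is_clock_reproducible` check is the useful takeaway for anyone auditing a device API: if two calls with the same externally visible inputs return the same token, the token is a fingerprint of those inputs, not a secret. The dispatcher shows the second half of the fix; a strong ID is worthless if some commands accept requests without one.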

In another advisory, CISA disclosed that EG4 Electronics’ EG4 inverters contain cleartext transmission of sensitive information, download of code without integrity check, observable discrepancy, and improper restriction of excessive authentication attempts vulnerabilities. “Successful exploitation of these vulnerabilities could allow an attacker to intercept and manipulate critical data, install malicious firmware, hijack device access, and gain unauthorized control over the system.”

The affected EG4 Electronics inverters include all versions of the EG4 12kPV, EG4 18kPV, EG4 Flex 21, EG4 Flex 18, EG4 6000XP, EG4 12000XP, and EG4 GridBoss.

The MOD3 command traffic between the monitoring application and the inverter is transmitted in plaintext without encryption or obfuscation. This vulnerability may allow an attacker with access to a local network to intercept, manipulate, replay, or forge critical data, including read/write operations for voltage, current, and power configuration, operational status, alarms, telemetry, system reset, or inverter control commands, potentially disrupting power generation or reconfiguring inverter settings.

CVE-2025-52586 has been assigned to this vulnerability, with a CVSS v3.1 base score of 6.9 and a CVSS v4 base score of 7.5.

The affected product allows firmware updates to be downloaded from EG4’s website, transferred via USB dongles, or installed through EG4’s Monitoring Center (remote, cloud-connected interface) or via a serial connection, and can install these files without integrity checks. The TTComp archive format used for the firmware is unencrypted and can be unpacked and altered without detection.

CVE-2025-53520 has been assigned to this vulnerability, with a CVSS v3.1 base score of 8.8 and a CVSS v4 base score of 8.6.

The public-facing product registration endpoint server responds differently depending on whether the S/N is valid and unregistered, valid but already registered, or does not exist in the database. Combined with the fact that serial numbers are sequentially assigned, this allows an attacker to gain information on the product registration status of different S/Ns.

CVE-2025-47872 has been assigned to this vulnerability, with a CVSS v3.1 base score of 5.8 and a CVSS v4 base score of 6.9.

The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.

CVE-2025-46414 has been assigned to this vulnerability, carrying a CVSS v3.1 base score of 8.1 and a CVSS v4 base score of 9.2.
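The two server-side weaknesses above (distinguishable registration responses and unlimited PIN attempts) are usually fixed in the same code path, so one added example covers both. It is written for this article and is not EG4's code; the serial-number format, PIN length, attempt limit, lockout period and message strings are assumptions. The leaky status function is kept alongside the uniform one to make the difference concrete; the registration path does the same password-hashing work whether or not the serial exists, compares in constant time, and locks the serial after a bounded number of failures.

```python
"""Added example: uniform registration responses and bounded PIN attempts (not vendor code)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

MAX_ATTEMPTS = 5            # assumed limit before lockout
LOCKOUT_SECONDS = 900       # assumed lockout period
UNIFORM_STATUS = "If this serial number is eligible, continue with the PIN step."
GENERIC_FAILURE = "Registration could not be completed."


def _pin_hash(serial: str, pin: str, salt: bytes) -> bytes:
    """Slow, salted hash of the PIN bound to its serial number."""
    return hashlib.pbkdf2_hmac("sha256", f"{serial}:{pin}".encode(), salt, 100_000)


class RegistrationService:
    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}          # serial -> salt, pin_hash, registered
        self._failures: Dict[str, List[float]] = {}  # serial -> [count, locked_until]
        # Dummy credential so unknown serials cost the same time as known ones.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _pin_hash("", "", self._dummy_salt)

    def provision(self, serial: str, pin: str) -> None:
        """Manufacturing step: store the PIN hash for a shipped unit."""
        salt = secrets.token_bytes(16)
        self._records[serial] = {"salt": salt, "pin_hash": _pin_hash(serial, pin, salt),
                                 "registered": False}

    def status_leaky(self, serial: str) -> str:
        """Observable discrepancy: three states, three distinguishable answers.
        With sequential serials, this enumerates the registration state of the fleet."""
        rec = self._records.get(serial)
        if rec is None:
            return "Serial number not found."
        return "Already registered." if rec["registered"] else "Serial number available."

    def status_uniform(self, serial: str) -> str:
        """Hardened: the unauthenticated status call reveals nothing per serial."""
        return UNIFORM_STATUS

    def register(self, serial: str, pin: str, now: float) -> str:
        fail = self._failures.get(serial, [0, 0.0])
        if now < fail[1]:
            return GENERIC_FAILURE                  # locked out, even for a correct PIN
        if fail[1] and now >= fail[1]:
            fail = [0, 0.0]                         # lockout expired: reset the counter
        self._failures[serial] = fail

        rec = self._records.get(serial)
        salt = rec["salt"] if rec else self._dummy_salt
        expected = rec["pin_hash"] if rec else self._dummy_hash
        # Always hash and always compare in constant time, so timing does not
        # reveal whether the serial exists or how much of the PIN matched.
        pin_ok = hmac.compare_digest(_pin_hash(serial, pin, salt), expected)

        if rec is None or not pin_ok:
            fail[0] += 1
            if fail[0] >= MAX_ATTEMPTS:
                fail[1] = now + LOCKOUT_SECONDS
            return GENERIC_FAILURE                  # same message for every failure cause
        if rec["registered"]:
            return "Already registered."            # PIN proved ownership; safe to say
        rec["registered"] = True
        self._failures.pop(serial, None)
        return "Registration complete."


if __name__ == "__main__":
    svc = RegistrationService()
    svc.provision("SN000123", "4821")               # constructed serial and PIN
    print(svc.status_leaky("SN000123"), "|", svc.status_leaky("SN999999"))
    print(svc.status_uniform("SN000123"), "|", svc.status_uniform("SN999999"))
    print(svc.register("SN000123", "0000", 0.0))
    print(svc.register("SN000123", "4821", 1.0))
```

One caveat worth noting: a per-serial lockout lets anyone who knows a serial number temporarily block its legitimate owner from registering, which is why deployments usually pair it with per-source-address limits and alerting on lockout bursts rather than relying on the counter alone.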
