CISA Issues Multiple ICS Advisories for Critical Vulnerabilities in Industrial Products

CISA has issued multiple Industrial Control Systems (ICS) advisories detailing vulnerabilities in various products, including Hardy Barth Salia EV Charge Controller, Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC), Zero Motorcycles Firmware, Siemens SINEC NMS, Siemens SCALANCE, Siemens TPM 2.0, SenseLive X3050, Intrado 911 Emergency Gateway (EGW), Yadea T5 Electric Bicycle, Milesight Cameras, and Siemens RUGGEDCOM CROSSBOW Station Access Controller (SAC). These vulnerabilities range from remote code execution and buffer overflows to authentication bypass and path traversal, potentially allowing attackers to crash devices, gain unauthorized access, steal information, or take complete control of the affected systems.

The affected products span critical infrastructure sectors such as Energy, Transportation Systems, Emergency Services, and Critical Manufacturing. Successful exploitation of these vulnerabilities could lead to significant disruptions, including device crashes, unauthorized access to sensitive functions, data manipulation, and even vehicle theft. Specific CVEs identified include CVE-2025-5873, CVE-2025-10371 for Hardy Barth, CVE-2025-6965 for Siemens RUGGEDCOM, CVE-2026-1354 for Zero Motorcycles, CVE-2026-6074 for Intrado, CVE-2025-70994 for Yadea, and multiple CVEs for Milesight cameras and Siemens SCALANCE.

Vendors such as Hardy Barth, Siemens, Zero Motorcycles, SenseLive, Intrado, Yadea, and Milesight have released new versions or recommend updates to address these vulnerabilities. Users of the affected products are strongly advised to apply the latest patches and firmware updates as recommended by the vendors. For products where fixes are not yet available, CISA recommends implementing available countermeasures. Continuous monitoring and adherence to security best practices are essential for mitigating the risks associated with these ICS vulnerabilities.