5 ICS advisories released by CISA, security leaders discuss

The Cybersecurity & Infrastructure Security Agency (CISA) has released five Industrial Control Systems (ICS) advisories. These advisories offer timely information regarding current security issues, exploits and vulnerabilities associated with critical hardware.
Tim Mackey, Head of Software Supply Chain Risk Strategy at Black Duck, explains the value of the ICS advisories, stating, “The CISA KEV Catalog is primarily for the benefit of IT organizations while ICS advisories benefit the Operational Technology (OT) community. Since many organizations have differing cybersecurity requirements for IT staff vs OT systems, it’s reasonable to have different security feeds. Additionally, since OT systems typically include systems controlling a manufacturing or production line, or an industrial environment, patch processes are often more involved than simply updating a laptop and rebooting it.”
“An ICS advisory is published when a vendor or researcher discloses a flaw that affects industrial hardware and offers a patch or workaround,” adds Jason Soroko, Senior Fellow at Sectigo. “The goal is rapid risk awareness for operators whether or not attacks are happening. A CVE moves to the KEV catalog only after CISA confirms real exploitation. At that point United States federal agencies receive a binding directive with a patch-by date, and private operators usually adopt the same deadline in their risk scoring.”
In the advisories, CISA warns of flaws in Siemens, Schneider Electric, and ABB hardware. In particular, CISA warns of an “improper neutralization of special elements used in an SQL Command (SQL Injection).”
Soroko explains, “Security staff should treat TeleControl Server Basic versions older than 3.1.2.2 as exposure points because an unauthenticated user on port 8000 can inject SQL, change process data, open an OS shell under Network Service, or crash the service. Block the port at every ingress edge, isolate the server on its own VLAN, collect logs on every SQL statement, and move to the fixed Siemens build. Where downtime will not be approved, place an inline WAF or reverse proxy that drops SQL metacharacters. CVE-2025-27495 is recorded in the public CVE list and the NVD, but no public report shows in-the-wild use.”
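As an added illustration, not code from the article, CISA or Siemens, the following Python shows the flaw class CISA names above, improper neutralization of special elements used in an SQL command, as a lookup that concatenates untrusted input into the query text beside its parameterized counterpart, and a heuristic screen over a constructed statement log in the spirit of Soroko's advice to "collect logs on every SQL statement". The table, point names, log lines and the `points` schema are constructed for the example; nothing about the TeleControl Server Basic internals is assumed or represented.

```python
import re
import sqlite3

# Constructed sample data for an in-memory database (not taken from any product).
SAMPLE_POINTS = [("pump_1", 42.0), ("valve_7", 1.0)]


def make_db():
    """Build a small in-memory 'process data' table to query against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE points (name TEXT PRIMARY KEY, value REAL)")
    conn.executemany("INSERT INTO points VALUES (?, ?)", SAMPLE_POINTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89 pattern: the caller-supplied name is pasted into the SQL text,
    so quote characters in it are interpreted as SQL rather than as data."""
    sql = f"SELECT name, value FROM points WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, name):
    """Parameterized form: the driver binds the value separately from the
    statement, so the name is only ever compared, never parsed as SQL."""
    sql = "SELECT name, value FROM points WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Heuristic screen for a statement log: flags a quote followed by OR/AND,
# comment openers, or a semicolon followed by more text (stacked statements).
# This is a detection aid with false positives, not a substitute for the fix.
META = re.compile(r"(--|/\*|;\s*\S|'\s*(?:or|and)\b)", re.IGNORECASE)


def flag_suspicious(statements):
    """Return the logged statements that contain suspicious metacharacter use."""
    return [s for s in statements if META.search(s)]


# Constructed statement log; the last entry is what a parameterized query
# looks like when the driver logs the statement text rather than bound values.
SAMPLE_STATEMENT_LOG = [
    "SELECT name, value FROM points WHERE name = 'pump_1'",
    "SELECT name, value FROM points WHERE name = 'pump_1' OR '1'='1'",
    "UPDATE points SET value = 0 WHERE name = 'valve_7'; -- trailing",
    "SELECT name, value FROM points WHERE name = ?",
]

if __name__ == "__main__":
    db = make_db()
    probe = "pump_1' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))  # every row comes back
    print("hardened:  ", lookup_hardened(db, probe))    # no row has that literal name
    print("flagged:   ", flag_suspicious(SAMPLE_STATEMENT_LOG))
```

The two lookups diverge only on input containing SQL metacharacters, which is exactly the condition the log screen looks for; the hardened version needs no input filtering because the database never sees the name as part of the statement.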