The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has published a new alert about a previously undisclosed vulnerability, CVE-2020-6287, affecting the SAP NetWeaver Application Server (AS) Java component LM Configuration Wizard. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.
CISA has published an advisory on stack-based buffer overflow and out-of-bounds read vulnerabilities in Phoenix Contact Automation Worx Software Suite. PC Worx version 1.87 and prior and PC Worx Express version 1.87 and prior are affected. Successful exploitation could allow an attacker to execute arbitrary code under the privileges of the application. Phoenix Contact recommends a series of steps to mitigate the vulnerabilities. CISA also recommends a series of measures to mitigate the vulnerabilities.
CISA has published an advisory on an improper restriction of XML external entity reference vulnerability in Rockwell Automation Logix Designer Studio 5000. Versions 32.00, 32.01, and 32.02 are affected. Successful exploitation of this vulnerability could allow an unauthenticated attacker to craft a malicious file, which when parsed, could lead to some information disclosure of hostnames or other resources from the program.
July 9, 2020
CISA has updated this advisory with details on the affected products. Read the advisory at CISA.
June 11, 2020
CISA has published an advisory on missing authentication for critical function and unprotected storage of credentials vulnerabilities in Grundfos CIM 500. All versions prior to v06.16.00 are affected. Successful exploitation of these vulnerabilities could allow access to cleartext credential data. Grundfos recommends updating to firmware v06.16.00 and to change user credentials after updating. CISA also recommends a series of measures to mitigate the vulnerabilities.
CISA has published an advisory on improper restriction of operations within the bounds of a memory buffer, session fixation, NULL pointer dereference, improper access control, argument injection, and resource management errors vulnerabilities in Mitsubishi Electric GOT2000 Series. GT27, GT25, and GT23 are affected. Successful exploitation of these vulnerabilities could allow a remote attacker to cause a denial-of-service condition or remote code execution. Mitsubishi recommends users follow as series of steps to update CoreOS to the latest version.
July 7, 2020
CISA has updated this advisory with additional details on the vulnerability and mitigation measures. This advisory was initially published on June 23, 2020. Read the advisory at CISA.
June 23, 2020
The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released Securing Industrial Control Systems: A Unified Initiative, a multi-year strategy for enhancing ICS security in the U.S., and a companion fact sheet. The initiative features four pillars:
DataBreaches.net states it best…”Here we go again?” As previously published in several Security & Resilience Updates, December 2019 – February 2020 included a significant spate of local and municipal government entities being impacted by vulnerabilities with online payment application Click2Gov. According to cybersecurity firm TrendMicro, they have identified at least eight U.S.
Periodically, critical vulnerabilities are overhyped and require a more practical approach to assessing true impacts. But in this case, Joe Slowik Principal Adversary Hunter at ICS cybersecurity firm Dragos agrees recent statements are quite appropriate for the recent F5 BIG-IP ADC vulnerability CVE-2020-5902.
1620 I Street, NW, Suite 500
Washington, DC 20006
1-866-H2O-ISAC (1-866-426-4722)
© 2025 WaterISAC. All Rights Reserved.
