Cybersecurity

CISA has published an advisory on an active debug code vulnerability in Siemens TIM 3V-IE and 4R-IE Family Devices. Numerous products and versions of these products are affected. Successful exploitation of this vulnerability could allow an unauthenticated attacker with network access to gain full control over the device. Siemens has released updates for the affected products and recommends users update to the new version. CISA also recommends a series of measures to mitigate the vulnerability.

CISA has published an advisory on cross-site scripting and basic XSS vulnerabilities in Siemens Climatix. All versions of Climatix POL908 (BACnet/IP module) and Climatix POL909 (AWM module) are affected. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code to access confidential information without authentication. Siemens has identified specific workarounds and mitigations users can apply to reduce the risk. CISA also recommends a series of measures to mitigate the vulnerabilities.

CISA has published an advisory on a stack-based buffer overflow vulnerability in Triangle MicroWorks DNP3 Outstation Libraries. Versions 3.16.00 through 3.25.01 are affected. Successful exploitation of this vulnerability could possibly allow remote attackers to stop the execution of code on affected equipment. Triangle Microworks recommends users update to Version 3.26. CISA also recommends a series of measures to mitigate the vulnerability. Read the advisory at CISA.

Microsoft has released its monthly update to address vulnerabilities in its software. For this month, Microsoft has released security updates for Microsoft Windows, Microsoft Edge (EdgeHTML and Chromium-based), ChakraCore, Internet Explorer, Microsoft Office and Microsoft Office Services and Web Apps, Windows Defender, Visual Studio, Microsoft Dynamics, Microsoft Apps for Android, and Microsoft Apps for Mac. Read the update at Microsoft.