Date: 2025-04-11

Multiple industrial control system (ICS) devices are affected by vulnerabilities carrying critical severity ratings up to a 9.9 CVSS base score.

In an April 10 blog post, Cyble urged users of Rockwell Automation, Hitachi Energy and Inaba Denki Sangyo, three industrial hardware providers, to patch critical vulnerabilities in their products.

The vulnerabilities affect various products, including Rockwell Automation Industrial Data Center, Hitachi Energy MicroSCADA Pro/X SYS600, and Inaba Denki Sangyo CHOCO TEI WATCHER mini-industrial cameras.

The identified vulnerabilities are:

CVE-2025-23120: A deserialization of untrusted data vulnerability in Veeam Backup and Replication, potentially allowing remote code execution on the Rockwell Automation Industrial Data Center (IDC) product range (CVSS v3.1 score: 9.9)

CVE-2025-25211: A weak password requirement vulnerability in Inaba Denki Sangyo CHOCO TEI WATCHER mini-industrial cameras, potentially allowing unauthorized access (CVSS v3.1 score: 9.8)

CVE-2025-26689: A forced browsing vulnerability in Inaba Denki Sangyo CHOCO TEI WATCHER mini-industrial cameras, potentially allowing data tampering and product setting modifications (CVSS v3.1 score: 9.8)

CVE-2024-4872: An improper neutralization of special elements in data query logic vulnerability in Hitachi Energy MicroSCADA Pro/X SYS600, potentially allowing code injection (CVSS v3.1 score: 8.8)

CVE-2024-3980: A path traversal vulnerability in Hitachi Energy MicroSCADA Pro/X SYS600, potentially allowing file system manipulation and session hijacking (CVSS v3.1 score: 8.8)

These are the most critical vulnerabilities identified in Cyble’s latest ICS Vulnerability Report, which examined 70 flaws in ICS, operational technology (OT) and supervisory control and data acquisition (SCADA) systems.

The vulnerabilities identified affect systems across five sectors, including critical manufacturing, energy, healthcare, wastewater and commercial facilities.

“Given the critical role of SCADA, DCS, and MES systems, immediate mitigation—including patching, authentication hardening, and access restrictions—is essential to prevent exploitation,” Cyble wrote.

