SB2025070408 - Multiple vulnerabilities in Hitachi Energy MicroSCADA Pro/X SYS600
Published: July 4, 2025
Description
This security bulletin contains information about 5 security vulnerabilities.
1) Incorrect default permissions (CVE-ID: CVE-2025-39201)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect default permissions in the mailslot functionality. A local user can tamper with the mailslot configuration file and cause a denial of service condition on the target system.
2) External Control of File Name or Path (CVE-ID: CVE-2025-39202)
The vulnerability allows a local user to compromise the target system.
The vulnerability exists due to external control of file name or path in Monitor Pro and Supervision log. A local user can read and overwrite files, leading to information leak and data corruption.
3) Information disclosure (CVE-ID: CVE-2025-39204)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists because a filtering query can be malformed. A remote user can gain unauthorized access to sensitive information on the system.
4) Improper Certificate Validation (CVE-ID: CVE-2025-39205)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper certificate validation. A remote user can perform a man-in-the-middle (MitM) attack and gain access to sensitive information.
5) Improper validation of integrity check value (CVE-ID: CVE-2025-39203)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to improper validation of the integrity check value. A remote user can send specially crafted message content from an IED and cause a denial of service condition on the target system.
Remediation
Install the update from the vendor's website.