CISA Issues Three ICS Advisories Addressing Vulnerabilities and Exploitation Risks

On July 17, 2025, CISA released three important advisories concerning Industrial Control Systems (ICS), targeting critical vulnerabilities in energy monitoring, healthcare imaging, and access control technologies.

The advisories warn of high-severity flaws, each with CVSS v4 scores between 8.5 and 8.7, posing serious risks of cyberattacks and unauthorized access to vital infrastructure across various sectors.

Key Takeaways

1. Leviton’s AcquiSuite and Energy Monitoring Hub are impacted by a high-severity cross-site scripting (XSS) vulnerability.
2. Panoramic Corporation’s Digital Imaging Software is susceptible to DLL hijacking, which could allow malicious code execution.
3. Johnson Controls’ C•CURE 9000 Site Server contains misconfigured default permissions, exposing executable directories to potential abuse.

Leviton XSS Vulnerability Detailed in CISA Advisory ICSA-25-198-01

CISA’s advisory ICSA-25-198-01 discloses a critical cross-site scripting (XSS) vulnerability in Leviton AcquiSuite Version A8810 and Energy Monitoring Hub Version A8812.

• Tracked as CVE-2025-6185, the flaw has a CVSS v4 score of 8.7, indicating high severity.
• The vulnerability, classified under CWE-79, allows attackers to embed malicious scripts into URL parameters, which execute in users’ browsers.
• Exploitation could result in theft of session tokens and remote control of services, despite requiring low attack complexity.
• The affected products are part of global communications infrastructure, increasing the potential impact.
• The issue was responsibly reported by security researcher notnotnotveg.

Crucially, Leviton has not engaged with CISA regarding mitigation efforts. As a result, affected users are advised to contact Leviton customer support directly for updates and potential patch information.

DLL Hijacking Vulnerability Threatens Healthcare Imaging Systems

CISA advisory ICSMA-25-198-01 warns of a critical CWE-427 uncontrolled search path element vulnerability in Panoramic Corporation’s Digital Imaging Software Version 9.1.2.7600.

• Tracked as CVE-2024-22774, the flaw holds a CVSS v4 score of 8.5 and allows DLL hijacking, enabling privilege escalation from a standard user to NT AUTHORITY\SYSTEM.
• Though local access is required, successful exploitation can result in full system compromise.
• This vulnerability poses a serious risk to healthcare and public health infrastructure, especially across North America.
• The underlying issue stems from an unsupported SDK component developed by Oy Ajat Ltd, which complicates patching and mitigation efforts.
• The flaw was responsibly disclosed by Damian Semon Jr. of Blue Team Alpha LLC.

Healthcare providers using this software should assess exposure and explore containment measures immediately due to the potential for widespread disruption.

Johnson Controls Access Control Flaw Impacts Multiple Critical Sectors

CISA’s advisory ICSA-24-191-05 Update B highlights a serious default permission misconfiguration in Johnson Controls’ Software House C•CURE 9000 Site Server Version 2.80 and earlier.

• Identified as CVE-2024-32861, the vulnerability holds a CVSS v4 score of 8.5 and affects systems running the optional C•CURE IQ Web and/or C•CURE Portal components.
• Categorized under CWE-276, the flaw arises from insufficient protection on executable directories, particularly affecting the C:\CouchDB\bin path.
• Under certain conditions, non-administrator users may have Full control or Write access, creating opportunities for privilege escalation or execution of malicious code.
• The issue affects a broad range of sectors globally, including critical manufacturing, commercial and government facilities, transportation, and energy systems.

Johnson Controls has issued mitigation guidance via a Product Security Advisory, urging administrators to remove Full control and Write permissions for non-admin users on affected directories to reduce the risk of exploitation.

Security Recommendations from CISA

CISA urges all organizations to adopt defense-in-depth strategies and network segmentation to reduce the risk of exploitation associated with these ICS vulnerabilities.

Key Mitigation Measures:

• Isolate control systems from direct internet access.
• Implement firewalls to separate business networks from control networks.
• Use secure VPNs for any necessary remote access.
• Conduct impact analysis and risk assessments before applying changes to ensure operational stability.
• Follow established incident response protocols and promptly report any suspicious activity.

Although no known public exploitation has been observed to date, the high CVSS scores and broad deployment of the affected products across critical infrastructure sectors demand immediate evaluation and remediation.