Cybersecurity researchers have disclosed main points of 2 crucial flaws impacting mySCADA myPRO, a Supervisory Keep watch over and Knowledge Acquisition (SCADA) machine utilized in operational generation (OT) environments, that might permit malicious actors to take regulate of inclined methods.
“Those vulnerabilities, if exploited, may just grant unauthorized get entry to to commercial regulate networks, doubtlessly resulting in serious operational disruptions and monetary losses,” Swiss safety corporate PRODAFT stated.
The record of shortcomings, each rated 9.3 at the CVSS v4 scoring machine, are beneath –
- CVE-2025-20014 – An working machine command injection vulnerability that might allow an attacker to execute arbitrary instructions at the affected machine by way of specifically crafted POST requests containing a model parameter
- CVE-2025-20061 – An working machine command injection vulnerability that might allow an attacker to execute arbitrary instructions at the affected machine by way of specifically crafted POST requests containing an e mail parameter
A hit exploitation of both of the 2 flaws may just allow an attacker to inject machine instructions and execute arbitrary code. The problems had been addressed within the following variations –
- mySCADA PRO Supervisor 1.3
- mySCADA PRO Runtime 9.2.1
In step with PRODAFT, each vulnerabilities stem from a failure to sanitize consumer inputs, thereby opening the door to a command injection.
“Those vulnerabilities spotlight the power safety dangers in SCADA methods and the desire for more potent defenses,” the corporate stated. “Exploitation may just result in operational disruptions, monetary losses, and protection hazards.”
Organizations are really useful to use the newest patches, put into effect community segmentation through keeping apart SCADA methods from IT networks, put into effect robust authentication, and observe for suspicious job.