On July 17, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released three significant advisories addressing critical vulnerabilities in Industrial Control Systems (ICS). These vulnerabilities, with Common Vulnerability Scoring System (CVSS) v4 scores ranging from 8.5 to 8.7, pose substantial risks to sectors such as energy monitoring, healthcare imaging, and access control systems.
1. Cross-Site Scripting in Leviton Energy Monitoring Systems
CISA’s advisory ICSA-25-198-01 highlights a severe cross-site scripting (XSS) vulnerability in Leviton’s AcquiSuite Version A8810 and Energy Monitoring Hub Version A8812. Identified as CVE-2025-6185 with a CVSS v4 score of 8.7, this flaw allows attackers to inject malicious scripts into URL parameters, which execute in client browsers. Such exploitation can lead to the theft of session tokens and potential remote control over the affected service.
This vulnerability impacts communication infrastructures globally. Security researcher notnotnotveg reported the flaw to CISA. However, Leviton has not responded to CISA’s requests for collaboration on mitigation strategies. Users are advised to contact Leviton’s customer support for further information and potential patches.
2. DLL Hijacking in Panoramic Corporation’s Digital Imaging Software
The healthcare sector is at risk due to a vulnerability in Panoramic Corporation’s Digital Imaging Software Version 9.1.2.7600. Detailed in advisory ICSMA-25-198-01, this flaw, designated CVE-2024-22774 with a CVSS v4 score of 8.5, enables standard users to escalate privileges to NT AUTHORITY\SYSTEM through DLL hijacking techniques.
This vulnerability is particularly concerning for healthcare and public health infrastructures across North America. The issue originates from an unsupported Software Development Kit (SDK) component owned by Oy Ajat Ltd, complicating remediation efforts. Damian Semon Jr. of Blue Team Alpha LLC discovered and reported this vulnerability. Exploitation requires local access but can result in complete system compromise.
3. Incorrect Default Permissions in Johnson Controls’ C•CURE 9000 Site Server
Advisory ICSA-24-191-05 Update B addresses a vulnerability in Johnson Controls’ Software House C•CURE 9000 Site Server Version 2.80 and earlier. Identified as CVE-2024-32861 with a CVSS v4 score of 8.5, this flaw involves incorrect default permissions in systems with optional C•CURE IQ Web and/or C•CURE Portal installations: under certain conditions, directories containing executables are left insufficiently protected.
This issue affects critical manufacturing, commercial facilities, government facilities, transportation systems, and energy sectors worldwide. Johnson Controls has released specific mitigation instructions through a Product Security Advisory, recommending the removal of Full control and Write permissions for non-administrator accounts on the C:\CouchDB\bin path.
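Checking the mitigation described above, as an added PowerShell example that is not Johnson Controls’ or CISA’s code: it lists Allow entries on C:\CouchDB\bin that grant write-capable rights to any principal outside an assumed set of administrative identities, and removes them only when run with the assumed -Remediate switch.

```powershell
# Added example, not from CISA or Johnson Controls. Assumptions: the trusted
# principal list and the -Remediate switch are this script's own choices.
param(
    [string]$Path = 'C:\CouchDB\bin',
    [switch]$Remediate
)

# Principals expected to hold Full control / Write on an executable directory.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Bits that let a principal replace or alter files in the directory. FullControl
# and Modify both contain them, so those entries are caught too. FullControl is
# not in the mask itself: it includes Synchronize, which ReadAndExecute entries also carry.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

function Get-RiskyAce {
    param([System.Security.AccessControl.FileSystemSecurity]$Acl)
    foreach ($ace in $Acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteMask) -ne 0) { $ace }
    }
}

$acl = Get-Acl -Path $Path
$risky = @(Get-RiskyAce -Acl $acl)
if ($risky.Count -eq 0) {
    Write-Output "OK: no non-administrator principal holds write-capable rights on $Path"
    return
}
$risky | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize

if ($Remediate) {
    if ($risky | Where-Object IsInherited) {
        # Inherited entries cannot be removed directly: protect the object and copy
        # the inherited entries to explicit ones, then re-read the ACL.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl
        $acl = Get-Acl -Path $Path
    }
    foreach ($ace in @(Get-RiskyAce -Acl $acl)) { [void]$acl.RemoveAccessRule($ace) }
    Set-Acl -Path $Path -AclObject $acl
    Write-Output "Removed $($risky.Count) entries; re-run without -Remediate to verify."
}
```

Run it from an elevated session; without -Remediate it only reports, which is the form to use first so the output can be compared against the vendor's Product Security Advisory.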
Security Recommendations
CISA emphasizes the importance of implementing defense-in-depth strategies and network segmentation to mitigate exploitation risks. Organizations are advised to:
– Isolate control systems from internet access.
– Deploy firewalls between business and control networks.
– Utilize secure Virtual Private Network (VPN) connections for remote access requirements.
By adhering to these recommendations, organizations can enhance their cybersecurity posture and protect critical infrastructure from potential threats.