SOCRadar® Cyber Intelligence Inc. | CISA Industrial Control Systems (ICS) Advisories Recap for 2025
Dec 01, 2025
Jun 08, 2026

CISA Industrial Control Systems (ICS) Advisories Recap for 2025

Industrial Control Systems (ICS) sit at the core of critical infrastructure, powering vital sectors such as energy generation, manufacturing, water management, transportation, and healthcare. With digital connectivity growing across these systems, cyber risk has accelerated sharply.

Recent analyses show a 40% rise in internet‑exposed ICS devices between 2024 and 2025, reflecting how attackers now view industrial environments as high‑impact, high‑value targets. Recognizing these rising risks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has strengthened collaboration with industry and government partners to improve ICS and OT resilience. During this two‑year period, CISA published large volumes of ICS advisories. These advisories shed light on newly discovered vulnerabilities, systemic weaknesses in industrial technologies, exploitation trends, and the sectors facing the greatest risk.

This analysis offers a recap of 2024 and 2025 CISA ICS advisories, grounded in fresh data, real‑world incidents, and clear takeaways for defenders looking to strengthen their operational resilience.

Overall CISA ICS advisories statistics – all‑time vs. 2024-2025 (Data from ICS[AP])

Why CISA’s ICS Advisories Matter

The surge in advisory publications throughout 2024 and 2025 signals a fundamental shift in the ICS security landscape. During this period, hundreds of vulnerabilities were disclosed across more than 200 vendors and over 700 products. Many of these technologies sit inside critical manufacturing lines, substations, control rooms, industrial networks, and automated systems responsible for essential services.

CISA’s Industrial Control Systems (ICS) advisories provide critical insights into vulnerabilities that could impact operational technology across key sectors. These advisories outline the technical risks, affected vendors, and mitigation measures for flaws that, if exploited, could disrupt industrial operations or compromise safety.

CISA ICS advisory counts by year 2015-2025

The number of alerts issued surged, with over 450 advisories published in 2025, as vulnerabilities in devices from major vendors such as Rockwell Automation, Mitsubishi Electric, Siemens, and Schneider Electric came under scrutiny. This increase mirrors a broader escalation in ICS-targeted threats, where hacktivist and state-linked groups exploited new flaws within weeks of disclosure.

A clearer picture of the ICS threat landscape emerges when examining sector exposure, product categories, vendor distribution, and technical root causes. Several themes stand out.

Growing Exposure in Critical Infrastructure Sectors

Critical manufacturing (45.8%) and energy systems (21.3%) accounted for the largest share of affected technologies. These sectors rely heavily on legacy equipment, specialized control protocols, and continuous uptime – conditions that complicate patching and monitoring. Commercial facilities (8.6%), transportation networks (6.2%), and water and wastewater systems (4.9%) also showed substantial exposure, indicating how vulnerabilities span both heavy industrial and civic infrastructure.

Top 10 critical infrastructure sectors affected

These findings highlight that ICS vulnerabilities rarely exist in isolation. A flaw in a single PLC family, network appliance, or engineering workstation can cascade across entire industrial ecosystems through shared software components or tight integration with business networks.

A Broader Range of ICS Products Becoming High‑Risk

The risk is no longer confined to classic PLCs and SCADA servers. Instead, the modern ICS environment now includes an entire constellation of software and hardware components that can all become entry points.

The spread of vulnerabilities across a wide array of products in 2024-2025 is another defining characteristic of this period. The most affected products, according to advisory counts, included RUGGEDCOM APE1808 (11), SINEC NMS (6), Solid Edge (6), DICOM Viewer (5), and CNCSoft-G2 (5). These span industrial networking, network management, engineering design, visualization, and CNC automation.

Top 5 ICS products affected

Technical Weaknesses Showing Clear Patterns

Analysis of the most common weakness types reveals a concentration in input-handling and memory-safety issues. Improper input validation (CWE-20) appears 73 times, while out-of-bounds read (CWE-125) and out-of-bounds write (CWE-787) each appear 57 times. Stack-based buffer overflows (CWE-121) account for 42 cases, and path traversal (CWE-22) for 37. These categories frequently underpin Remote Code Execution (RCE), privilege escalation, and unauthorized data access – issues that are particularly dangerous in safety-critical and high-availability industrial environments.

Top 5 CWE categories in CISA ICS advisories

Vendor Impact and Severity Distribution

The distribution of vulnerabilities across vendors reveals that Siemens remained the most frequently affected vendor, with 275 advisories spanning network switches, engineering tools, industrial communication services, and automation platforms. Rockwell Automation (102) and Schneider Electric (69) followed, with Hitachi Energy (41) and Delta Electronics (29) rounding out the top five. Collectively, these vendors represent a large portion of the global industrial ecosystem.

Top 5 vendors by advisory count

Severity data adds more nuance. Siemens alone accounts for 68 critical and 150 high-severity CVEs; Rockwell Automation adds 23 critical and 73 high cases; Schneider Electric contributes 14 critical and 37 high cases. Hitachi Energy and Delta Electronics together add another 15 critical and 42 high-severity vulnerabilities.

Top vendors by CVSS severity

This distribution shows that the most widely deployed vendors also carry a dense concentration of critical and high-impact issues, making prioritization around their ecosystems especially important.

Increasing Vulnerability Depth and Yearly CVE Growth

Vulnerability counts associated with ICS advisories rose sharply by 2025, reaching 2,065 CVEs, the highest total in the dataset. This growth reflects both improved research and the discovery of multi‑CVE flaw clusters within complex industrial products.

Total CVEs associated with ICS advisories (2021-2025)

Additionally, the severity distribution over time shows that high-severity issues remain persistently elevated (912 high-severity CVEs in 2023, 929 in 2024, and 796 in 2025), while medium-severity issues surged to 1,019 cases in 2025, overtaking high-severity counts for the first time.

CVE severity distribution by year

Critical CVEs stay in the low-to-mid-200 range each year. This pattern suggests that while the most severe vulnerabilities remain a constant concern, a growing volume of “medium” issues is accumulating into significant operational risk when present at scale across fleets of devices.

SOCRadar’s Vulnerability Intelligence

The volume of ICS vulnerabilities and advisories makes it difficult to see what truly matters for a specific environment. SOCRadar’s Cyber Threat Intelligence module correlates vulnerability advisories, KEV entries, exploit activity, and vendor-specific exposure with an organization’s own asset inventory, helping security teams quickly identify which security issue should be prioritized first and why.

Spotlight on Notable ICS Vulnerabilities

Based on the CISA ICS advisories from 2024-2025, there are 29 known exploited vulnerabilities affecting industrial control systems across multiple vendors.

Known Exploited Vulnerabilities in CISA ICS advisories, categorized by vendor

This vulnerability landscape is heavily dominated by Siemens, which accounts for 16 of these exploited CVEs (55% of the total). Following at a distance are Rockwell Automation and Schneider Electric, each with 3 vulnerabilities. The remaining exploited vulnerabilities are distributed among seven other vendors including Hitachi Energy, Mitsubishi Electric, Trimble, Delta Electronics, Edimax, Nice, and a group of camera manufacturers (ValueHD, PTZOptics, multiCAM Systems, and SMTAV), each with one vulnerability.

Some of the most critical vulnerabilities involve:

CVE-2025-20352 (CVSS 7.7) – Cisco SNMP Zero-Day Vulnerability

This stack-based buffer overflow in the SNMP subsystem of Cisco IOS and IOS XE Software has been actively exploited in the wild since September 24, 2025. Cisco confirmed exploitation after local administrator credentials were compromised.

The flaw allows low-privileged attackers with SNMP credentials to cause Denial-of-Service (DoS) conditions, while high-privileged attackers with administrative access can execute arbitrary code as root. It affects both Rockwell Automation’s Industrial Data Center implementations with Cisco networking equipment and Rockwell’s Stratix industrial switches (models 5700, 5400, 5410, 5200, and 5800).

Details of CVE-2025-20352 (SOCRadar Vulnerability Intelligence)

With up to 2 million devices globally potentially vulnerable and nearly 200,000 internet-accessible Cisco services exposing SNMP, the attack surface is substantial.

CVE-2023-44487 (CVSS 7.5) – HTTP/2 Rapid Reset Attack

The HTTP/2 Rapid Reset vulnerability enables record-breaking DDoS attacks by abusing the stream multiplexing feature of the HTTP/2 protocol. Cloudflare mitigated attacks reaching 201 million requests per second, while Google reported a peak of 398 million requests per second – nearly three times larger than previously recorded DDoS attacks.

The attack abuses the fact that HTTP/2 lets a client cancel a stream unilaterally, without server approval: the client floods the server with rapid sequences of new requests and immediate cancellations, and the work the server starts on each cancelled stream exhausts its resources.

Details of CVE-2023-44487 (SOCRadar Vulnerability Intelligence)

The vulnerability impacts every web server implementing HTTP/2, with multiple Siemens products in the CISA ICS advisory list (including SINEC OS, SINEC INS, SINEC NMS, SIMATIC S7-1500, and RUGGEDCOM APE1808) affected, demonstrating its broad impact across industrial control systems.

In August 2025, a related attack variant called “MADE You Reset” also emerged, showing how threat actors continue to innovate on the original Rapid Reset methodology.

CVE-2024-8956 (CVSS 9.1) – PTZOptics Camera Authentication Bypass

One of the most severe vulnerabilities affecting industrial control systems involves PTZOptics PT30X-SDI/NDI cameras, where an authentication bypass flaw allows remote attackers to access cameras without credentials, exposing usernames, password hashes, and configuration details.

Details of CVE-2024-8956 (SOCRadar Vulnerability Intelligence)

The vulnerability was discovered by GreyNoise researchers while investigating related exploit activity, and affects NDI-enabled cameras from multiple manufacturers using ValueHD PTZ firmware versions prior to 6.3.40. The flaw enables attackers not only to view sensitive data but also to modify configuration values or overwrite entire configuration files, compromising system integrity.

In February 2025, FortiGuard Labs observed attack attempts targeting PTZOptics cameras from as many as 4,000 devices, highlighting the widespread exploitation of these vulnerabilities. The cameras are commonly deployed in industrial operations, healthcare facilities, government buildings, and courtrooms, making the security implications particularly severe.

CVE-2024-3400 (CVSS 10.0) – Palo Alto Networks PAN-OS Command Injection

This critical command injection vulnerability in Palo Alto Networks PAN-OS software enables unauthenticated attackers to execute arbitrary code with root privileges on firewalls, earning a maximum CVSS score of 10.0. Importantly, public proof-of-concept exploits for CVE-2024-3400 were released within three days of disclosure by vulnerability researchers.

The vulnerability affects PAN-OS versions 10.2, 11.0, and 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal. The vendor tracks the exploitation campaign as “Operation MidnightEclipse”, attributed to a single threat actor designated UTA0218.

Details of CVE-2024-3400 (SOCRadar Vulnerability Intelligence)

After successfully exploiting the flaw, attackers downloaded additional tools to facilitate lateral movement across victim networks, targeting domain backup DPAPI keys and Active Directory credentials by obtaining the NTDS.DIT file. Volexity’s timeline shows the earliest exploitation attempts detected on March 26, 2024, with a second campaign launched on April 7, 2024.

Other Significant Vulnerabilities from 2024-2025 ICS Advisories

Beyond the known exploited vulnerabilities, several other 2024-2025 ICS advisories describe vulnerabilities with serious operational impact, even though they are not (yet) in the KEV catalog.

  • Voltronic Power / PowerShield UPS monitoring software (ICSA-25-182-05) – CVE-2022-43110 (CVSS 9.8) and CVE-2022-31491 (CVSS 10.0) let unauthenticated attackers remotely change configuration and shutdown logic in ViewPower, ViewPower Pro, and PowerShield Netguard, making UPS consoles high-impact disruption points.
  • Tecnomatix, SCALANCE, RUGGEDCOM, AVEVA PI (ICSA-25-072-08, ICSA-25-072-07, ICSA-24-193-11, ICSA-25-224-04) – memory-safety flaws in Tecnomatix Plant Simulation, authentication issues in SCALANCE M-800/SC-600, inherited PAN-OS bug CVE-2022-0028 on RUGGEDCOM APE1808, and upload/data-exposure flaws in AVEVA PI Integrator collectively turn engineering workstations, edge VPNs, and analytics connectors into attractive footholds.
  • Siemens Wibu CodeMeter Runtime (ICSA-25-226-05) – CVE-2025-47809 (CVSS 8.2) allows local privilege escalation to SYSTEM on Windows hosts using vulnerable CodeMeter builds across Siemens engineering, HMI, building-management, and energy-monitoring products.
  • Siemens Siveillance Video & Schneider EcoStruxure IT Data Center Expert (ICSA-24-289-01 / ICSA-24-289-02) – CVE-2024-3506 (CVSS 7.3) can lead to command execution on Siveillance Video recording servers, while CVE-2024-8531 (CVSS 7.2) and CVE-2024-8530 (CVSS 5.9) in EcoStruxure IT DCE enable script injection and unauthenticated access to diagnostic archives.

How could these vulnerabilities impact Industrial Control Systems (ICS)?

Together, these vulnerabilities highlight that even when exploitation has not yet been confirmed at scale, weaknesses in UPS management, engineering tools, VPN gateways, analytics platforms, licensing components, and facility systems can materially increase the risk profile of industrial environments and should be factored into prioritization decisions.

Strengthening ICS/OT Security: Key Considerations and Actions

Industrial environments now demand treating every connected device as part of the attack surface, especially with recent advisories affecting UPS tools, engineering software, and cameras. Limited patching windows make prioritizing high-severity and remotely exploitable vulnerabilities essential.

Focus areas:

  • Keep a complete OT asset inventory.
  • Prioritize fixes based on severity and exploitability.
  • Monitor vendor ecosystems for cascading risks.

When patching isn’t possible:

  • Use segmentation and access restrictions.
  • Apply allowlisting or protocol filtering.

To improve response:

  • Review CISA ICS advisories regularly.
  • Track remediation timelines and exposure duration.
  • Ensure coordination between OT, IT, and security teams.

This concise set of practices strengthens resilience and helps organizations stay ahead of rapidly emerging ICS vulnerabilities.
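
As an added example of the prioritization described above (not SOCRadar's product logic or any CISA tooling), the script below ranks advisory CVEs mapped to an OT asset inventory by severity, KEV listing and exposure, and recommends patching or the compensating controls listed above when a patch is unavailable or a maintenance window is far off. The weights, asset names, exposure flags, patch states and windows are constructed for the example; the CVE identifiers, vendors and CVSS values are those named in this post.

```python
"""Rank advisories for remediation against an OT asset inventory (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One advisory CVE mapped to one asset from the OT inventory."""
    cve: str
    asset: str
    vendor: str
    cvss: float
    in_kev: bool            # listed in CISA's Known Exploited Vulnerabilities
    internet_exposed: bool  # reachable from outside the plant network
    patch_available: bool
    window_days: int        # days until the asset can be taken offline


def risk_score(f):
    """Higher is more urgent. Weights are constructed for this example."""
    score = f.cvss
    if f.in_kev:
        score += 4.0  # confirmed exploitation outweighs raw CVSS
    if f.internet_exposed:
        score += 2.0
    if f.cvss >= 9.0:
        score += 1.0
    return score


def action_for(f):
    """Patch when a window exists; otherwise fall back to compensating controls."""
    if f.patch_available and f.window_days <= 7:
        return "patch in next window"
    if f.patch_available:
        return "schedule patch; segment and allowlist access until then"
    return "no patch: segment, restrict access, apply protocol filtering"


def prioritize(findings):
    """Return findings ordered most-urgent first, each with its recommended action."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.cve, f.asset, risk_score(f), action_for(f)) for f in ranked]


# Constructed inventory: CVEs, vendors and CVSS values are those named in the
# post; asset names, exposure flags, patch state and windows are made up.
INVENTORY = [
    Finding("CVE-2024-3400", "edge-fw-01", "Palo Alto Networks", 10.0, True, True, True, 2),
    Finding("CVE-2023-44487", "sinec-nms-01", "Siemens", 7.5, True, False, True, 30),
    Finding("CVE-2025-47809", "eng-ws-07", "Siemens", 8.2, False, False, True, 3),
    Finding("CVE-2022-31491", "ups-console-02", "Voltronic Power", 10.0, False, True, False, 0),
    Finding("CVE-2025-20352", "stratix-5700-a", "Rockwell Automation", 7.7, True, False, True, 45),
]

if __name__ == "__main__":
    for cve, asset, score, action in prioritize(INVENTORY):
        print(f"{score:5.1f}  {cve:<15} {asset:<16} {action}")
```

Note how the unpatched, internet-exposed UPS console outranks two KEV-listed but internal findings, and is routed to segmentation and access restriction rather than waiting on a patch that does not exist.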

SOCRadar ASM, Company Vulnerabilities

With hundreds of ICS advisories and thousands of CVEs to track, manual prioritization quickly becomes unmanageable. SOCRadar’s Cyber Threat Intelligence and Attack Surface Management (ASM) capabilities help security teams map advisories to their own assets, track KEV-listed issues like CVE-2023-44487 or CVE-2024-3400, and focus remediation on the vulnerabilities that pose the greatest real-world risk to industrial operations.

Conclusion

CISA ICS alerts from 2024-2025, sector breakdowns, and other trends show an ecosystem that is both more visible and more exposed than before.

  • Advisory counts have climbed steadily, vulnerability totals per year continue to rise, and critical manufacturing and energy remain the most impacted sectors, followed by commercial facilities, transportation, and water.
  • At the product level, issues are no longer confined to traditional PLCs and SCADA servers; industrial networking gear, engineering software, remote access solutions, cameras, and data-center tooling all appear repeatedly in CISA ICS advisories.
  • The technical patterns tell a similar story. Input-validation and memory-safety weaknesses dominate, with improper validation, out-of-bounds access, and buffer overflows underpinning many of the highest-risk cases.
  • Medium-severity vulnerabilities now appear in large volumes alongside critical and high-severity CVEs, showing that “moderate” flaws can accumulate into serious operational risk when distributed across thousands of devices and many vendors.

Within this landscape, known exploited vulnerabilities stand out as immediate priorities. Zero-days and widely abused bugs in HTTP/2 stacks, PAN-OS firewalls, SNMP services, industrial cameras, and Siemens ecosystems demonstrate that attackers are willing to target both generic internet-facing technologies and domain-specific ICS components. At the same time, the non-KEV vulnerabilities highlighted show that many high-impact weaknesses are already in production environments, even if exploitation has not yet been observed at scale.

For defenders, the value of CISA ICS advisories goes beyond individual patch notices. Used together with sector exposure data, vendor distributions, CWE patterns, and KEV mappings, they form a practical roadmap for prioritization. Organizations that maintain accurate OT asset inventories, monitor advisories consistently, align remediation with business impact, and apply segmentation and hardening where patching lags are in a much better position to prevent real-world disruption.