The U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released four new Industrial Control Systems (ICS) advisories. These advisories expose multiple vulnerabilities in widely used ICS equipment from Siemens, Tigo Energy, and EG4 Electronics.
ICSA-25-231-01 and ICSA-25-231-02 focus on Siemens’ Desigo CC Product Family, SENTRON Powermanager, and Mendix SAML Module—critical components used across global industrial environments.
CISA’s advisory ICSA-25-231-01 details a vulnerability (CVE-2025-47809) involving the Wibu CodeMeter, a software licensing component used in Siemens Desigo CC and SENTRON Powermanager. With a CVSS v3.1 score of 8.2, this vulnerability stems from a Least Privilege Violation (CWE-272), where users could exploit Windows Explorer through the CodeMeter Control Center without requiring a system reboot or logoff post-installation.
All versions of Desigo CC (V5.0 to V8) and SENTRON Powermanager (V5 to V8) are affected. Siemens recommends updating to CodeMeter version 8.30a and restarting the system post-installation to mitigate the issue. Siemens first disclosed this vulnerability to CISA and has further information on its ProductCERT page.
Remote Exploitation in Mendix SAML Module
In ICSA-25-231-02, Siemens’ Mendix SAML module was found to contain an Improper Verification of Cryptographic Signature (CWE-347), which could allow unauthenticated attackers to hijack user accounts in specific Single Sign-On (SSO) configurations.
Tagged as CVE-2025-40758 and scoring 8.7 on CVSS v3.1, the vulnerability affects multiple Mendix SAML versions prior to V3.6.21 (for Mendix 9.24), V4.0.3 (Mendix 10.12), and V4.1.2 (Mendix 10.21). Siemens advises enabling encryption settings and updating the module. The issue primarily impacts the critical manufacturing sector and was also reported directly by Siemens to CISA.
Tigo Energy Cloud Connect Advanced Under Active Exploitation
ICSA-25-217-02 (Update A) highlights multiple high-risk vulnerabilities in Tigo Energy’s Cloud Connect Advanced (CCA) device, essential to solar energy management systems.
With a CVSS v4 base score of 9.3, the most critical vulnerability (CVE-2025-7768) involves the use of hard-coded credentials (CWE-798), which allows unauthorized access and administrative control. Other serious issues include:
- Command Injection (CVE-2025-7769, CWE-77) with a CVSS v3.1 score of 8.8, now confirmed to be publicly exploitable.
- Predictable Session IDs (CVE-2025-7770, CWE-337), enabling attackers to bypass authentication and access sensitive functions.
These flaws affect Cloud Connect Advanced versions 4.0.1 and earlier. Tigo Energy is actively developing patches and urges users to consult its Help Center for interim security recommendations. CISA advises isolating ICS networks, restricting internet access, and using VPNs with caution due to potential vulnerabilities.
EG4 Electronics Inverters Contain Multiple Security Risks
ICSA-25-219-07 (Update A) discloses critical flaws in EG4 Electronics’ inverter systems, used in residential and commercial solar installations worldwide. Vulnerabilities include:
- Cleartext Transmission of Sensitive Data (CVE-2025-52586, CWE-319)
- Download of Code Without Integrity Check (CVE-2025-53520, CWE-494)
- Observable Discrepancy (CVE-2025-47872, CWE-203)
- Improper Restriction of Authentication Attempts (CVE-2025-46414, CWE-307)
The CVSS v4 score reaches as high as 9.2, reflecting the severity of these flaws. Attackers could intercept unencrypted commands, install malicious firmware, perform brute-force attacks on PIN codes, or access configuration settings through insecure APIs.
These vulnerabilities affect all versions of the following models:
- EG4 12kPV, 18kPV, Flex 21, Flex 18
- EG4 6000XP, 12000XP
- EG4 GridBoss
EG4 has addressed some issues through server-side fixes, including standardizing registration endpoint responses and limiting authentication attempts. However, the company is still working on firmware and hardware solutions, with new hardware expected by October 15, 2025.
CISA Urges Action from ICS Operators
CISA stresses that ICS environments are increasingly targeted by cyber actors due to their critical role in infrastructure. While there have been no confirmed large-scale exploits linked to these specific vulnerabilities (except one now publicly known in Tigo’s case), CISA recommends the following mitigation strategies:
- Isolating ICS from internet-facing networks.
- Updating devices and software to the latest secure versions.
- Performing risk assessments prior to deploying mitigation strategies.
