The December 2024 ICS Patch Tuesday brings advisories from the cybersecurity agency CISA, as well as several major industrial automation companies. 

Schneider Electric published three new advisories this Patch Tuesday. One advisory describes a critical flaw in Modicon controllers that can allow an unauthenticated attacker to cause disruption to operations. 

Another advisory describes a high-severity issue in Harmony and Pro-face HMI products, which could “cause complete control of the device when an authenticated user installs malicious code into the HMI product”.

The third advisory describes a medium-severity DoS bug in the PowerChute Serial Shutdown UPS management software.

Siemens has published 10 new advisories. The most serious, based on its CVSS score, is a high-severity CSRF issue in Ruggedcom ROX II devices that could allow an attacker to conduct actions on behalf of an authenticated user by tricking the target into clicking on a malicious link. 

The industrial giant has also addressed two high-severity arbitrary code execution vulnerabilities in Simatics S7 products that use TIA Portal prior to version 20.

Multiple high-severity code execution issues were addressed in Teamcenter Visualization, Solid Edge, Parasolid and Simcenter Femap. They can be exploited by getting the targeted user to open a specially crafted file.

Medium-severity issues were addressed in Sentron Powercenter (DoS), Sicam A8000 (firmware decryption), and Comos (XXE injection) products. 

As usual, Siemens has released patches for some of these vulnerabilities, but for some flaws a patch is pending or not planned at all. Mitigations and workarounds are also available.

A few days before Patch Tuesday, Rockwell Automation published an advisory to inform customers about four vulnerabilities in the Arena event simulation and automation software. The flaws have a ‘high severity’ rating and they can be exploited for arbitrary code execution using specially crafted files.

CISA published seven new ICS advisories on Tuesday, including for some Schneider Electric and the Rockwell vulnerabilities. In addition, the cybersecurity agency has informed organizations about code execution vulnerabilities discovered by researcher Michael Heinzl in Horner Automation Cscape and National Instruments’ LabVIEW product. Another advisory describes a critical default credentials flaw found by DNV researchers in MOBATIME’s Network Master Clock.

Germany-based industrial automation firm Phoenix Contact published two new advisories just before Patch Tuesday to inform customers about vulnerabilities in PLCnext firmware. The advisories describe dozens of security holes found over the past two years in third-party software.

Related: Chipmaker Patch Tuesday: Intel Publishes 44 and AMD Publishes 8 New Advisories

Related: ICS Patch Tuesday: Security Advisories Released by CISA, Schneider, Siemens, Rockwell