Feed aggregator
CISA Releases Six Industrial Control Systems Advisories
Sep 23, 2025
CISA released six Industrial Control Systems (ICS) advisories on September 23, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-266-01 AutomationDirect CLICK PLUS ICSA-25-266-02 Mitsubishi Electric MELSEC-Q Series CPU Module ICSA-25-266-03 Schneider Electric SESU ICSA-25-266-04 Viessmann Vitogate 300 ICSA-25-023-02 Hitachi Energy RTU500 Series Product (Update A) ICSA-25-093-01 Hitachi Energy RTU500 Series (Update B) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Adds One Known Exploited Vulnerability to Catalog
Sep 23, 2025
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-10585 Google Chromium V8 Type Confusion Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
Widespread Supply Chain Compromise Impacting npm Ecosystem
Sep 23, 2025
CISA is releasing this Alert to provide guidance in response to a widespread software supply chain compromise involving the world’s largest JavaScript registry, npmjs.com. A self-replicating worm—publicly known as “Shai-Hulud”—has compromised over 500 packages.[i] After gaining initial access, the malicious cyber actor deployed malware that scanned the environment for sensitive credentials. The cyber actor then targeted GitHub Personal Access Tokens (PATs) and application programming interface (API) keys for cloud services, including Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure.[ii] The malware then: Exfiltrated the harvested credentials to an endpoint controlled by the actor. Uploaded the credentials to a public repository named Shai-Hulud via the GitHub/user/repos API. Leveraged an automated process to rapidly spread by authenticating to the npm registry as the compromised developer, injecting code into other packages, and publishing compromised versions to the registry.[iii] CISA urges organizations to implement the following recommendations to detect and remediate this compromise: Conduct a dependency review of all software leveraging the npm package ecosystem. Check for package-lock.json or yarn.lock files to identify affected packages, including those nested in dependency trees. Search for cached versions of affected dependencies in artifact repositories and dependency management tools. Pin npm package dependency versions to known safe releases produced prior to Sept. 16, 2025. Immediately rotate all developer credentials. Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms like GitHub and npm. Monitor for anomalous network behavior. Block outbound connections to webhook.site domains. Monitor firewall logs for connections to suspicious domains. Harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and auditing repository webhooks and secrets. Enable branch protection rules, GitHub Secret Scanning alerts, and Dependabot security updates. See the following resources for additional guidance on this compromise: GitHub: Our plan for a more secure npm supply chain Palo Alto Networks Unit 42: "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 18) Socket: Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages ReversingLabs: Malware found on npm infecting local package with reverse shell Disclaimer The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA. [i] Ashish Kurmi, “Shai-Hulud: Self Replicating Work Compromises 500+ NPM Packages,” StepSecurity, (September 15, 2025), https://www.stepsecurity.io/blog/ctrl-tinycolor-and-40-npm-packages-compromised; Kush Pandya, Peter van der Zee, and Olivia Brown, “Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages,” Socket, (September 16, 2025), https://socket.dev/blog/ongoing-supply-chain-attack-targets-crowdstrike-npm-packages. [ii] Palo Alto Networks Unit 42, “‘Shai-Hulud’ Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19),” Unit 42, Palo Alto Networks, (September 17, 2025), https://unit42.paloaltonetworks.com/npm-supply-chain-attack/. [iii] Palo Alto Networks Unit 42, “Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19).”
CISA Releases Advisory on Lessons Learned from an Incident Response Engagement
Sep 23, 2025
Today, CISA released a cybersecurity advisory detailing lessons learned from an incident response engagement following the detection of potential malicious activity identified through security alerts generated by the agency’s endpoint detection and response tool. This advisory, CISA Shares Lessons Learned from an Incident Response Engagement, highlights takeaways that illuminate the urgent need for timely patching, comprehensive incident response planning, and proactive threat monitoring to mitigate risks from similar vulnerabilities. The advisory also outlines the tactics, techniques, and procedures (TTPs) employed by cyber threat actors, including exploitation of GeoServer Vulnerability CVE-2024-36401 for initial access. By understanding these TTPs, organizations can enhance their defenses against similar threats. CISA recommends organizations take the following actions: Prioritize Patch Management: Expedite patching of critical vulnerabilities, particularly those listed in CISA’s Known Exploited Vulnerabilities catalog, with a focus on public-facing systems. Strengthen Incident Response Plans: Regularly update, test, and maintain incident response plans, ensuring they include procedures for engaging third-party responders and deploying security tools without delay. Enhance Threat Monitoring: Implement centralized, out-of-band logging and ensure security operations centers continuously monitor and investigate abnormal network activity to detect and respond to malicious activity effectively. CISA urges organizations to apply these lessons learned to bolster their security posture, improve preparedness, and reduce the risk of future compromises. For additional details, review the full cybersecurity advisory.
SonicWall Releases Advisory for Customers after Security Incident
Sep 22, 2025
SonicWall released a security advisory to assist their customers with protecting systems impacted by the MySonicWall cloud backup file incident. SonicWall’s investigation found that a malicious actor performed a series of brute force techniques against their MySonicWall.com web portal to gain access to a subset of customers’ preference files stored in their cloud backups. While credentials within the files were encrypted, the files also included information that actors can use to gain access to customers’ SonicWall Firewall devices. CISA recommends all SonicWall customers follow guidance in the advisory,[1] which includes logging into their customer account to verify whether their device is at risk. Customers with at-risk devices should implement the advisory’s containment and remediation guidance immediately. [1] Sonicwall.com, MySonicWall Cloud Backup File Incident, accessed September 22, 2025, https://www.sonicwall.com/support/knowledge-base/mysonicwall-cloud-backup-file-incident/250915160910330.
CISA Releases Nine Industrial Control Systems Advisories
Sep 18, 2025
CISA released nine Industrial Control Systems (ICS) advisories on September 18, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-261-01 Westermo Network Technologies WeOS 5 ICSA-25-261-02 Westermo Network Technologies WeOS 5 ICSA-25-261-03 Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit ICSA-25-261-04 Hitachi Energy Asset Suite ICSA-25-261-05 Hitachi Energy Service Suite ICSA-25-261-06 Cognex In-Sight Explorer and In-Sight Camera Firmware ICSA-25-261-07 Dover Fueling Solutions ProGauge MagLink LX4 Devices ICSA-25-191-10 End-of-Train and Head-of-Train Remote Linking Protocol (Update C) ICSA-24-030-02 Mitsubishi Electric FA Engineering Software Products (Update D) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Releases Malware Analysis Report on Malicious Listener Targeting Ivanti Endpoint Manager Mobile Systems
Sep 18, 2025
Today, CISA released a Malware Analysis Report detailing the functionality of two sets of malware obtained from an organization compromised by cyber threat actors exploiting CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (Ivanti EPMM). The Malware Analysis Report, Malicious Listener for Ivanti EPMM Systems, provides guidance to help organizations detect and mitigate these threats, including indicators of compromise and YARA and SIGMA rules. Mitigations include highlighting the need to upgrade Ivanti EPMM systems to the latest version and to treat mobile device management systems as high-value assets with strengthened monitoring and restrictions. For more information, visit https://www.cisa.gov/news-events/analysis-reports/ar25-261a.
CISA Releases Eight Industrial Control Systems Advisories
Sep 16, 2025
CISA released eight Industrial Control Systems (ICS) advisories on September 16, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-259-01 Schneider Electric Altivar Products, ATVdPAC Module, ILC992 InterLink Converter ICSA-25-259-02 Hitachi Energy RTU500 Series ICSA-25-259-03 Siemens SIMATIC NET CP, SINEMA, and SCALANCE ICSA-25-259-04 Siemens RUGGEDCOM, SINEC NMS, and SINEMA ICSA-25-259-05 Siemens OpenSSL Vulnerability in Industrial Products ICSA-25-259-06 Siemens Multiple Industrial Products ICSA-25-259-07 Delta Electronics DIALink ICSA-25-140-07 Schneider Electric Galaxy VS, Galaxy VL, Galaxy VXL (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Adds One Known Exploited Vulnerability to Catalog
Sep 11, 2025
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-5086 Dassault Systèmes DELMIA Apriso Deserialization of Untrusted Data Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Eleven Industrial Control Systems Advisories
Sep 11, 2025
CISA released eleven Industrial Control Systems (ICS) advisories on September 11, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-254-01 Siemens SIMOTION Tools ICSA-25-254-02 Siemens SIMATIC Virtualization as a Service (SIVaaS) ICSA-25-254-03 Siemens SINAMICS Drives ICSA-25-254-04 Siemens SINEC OS ICSA-25-254-05 Siemens Apogee PXC and Talon TC Devices ICSA-25-254-06 Siemens Industrial Edge Management OS (IEM-OS) ICSA-25-254-07 Siemens User Management Component (UMC) ICSA-25-254-08 Schneider Electric EcoStruxure ICSA-25-254-09 Schneider Electric Modicon M340, BMXNOE0100, and BMXNOE0110 ICSA-25-254-10 Daikin Security Gateway ICSA-25-035-06 Schneider Electric Modicon M340 and BMXNOE0100/0110, BMXNOR0200H (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Releases Fourteen Industrial Control Systems Advisories
Sep 9, 2025
CISA released fourteen Industrial Control Systems (ICS) advisories on September 9, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-252-01 Rockwell Automation ThinManager ICSA-25-252-02 ABB Cylon Aspect BMS/BAS ICSA-25-252-03 Rockwell Automation Stratix IOS ICSA-25-252-04 Rockwell Automation FactoryTalk Optix ICSA-25-252-05 Rockwell Automation FactoryTalk Activation Manager ICSA-25-252-06 Rockwell Automation CompactLogix® 5480 ICSA-25-252-07 Rockwell Automation ControlLogix 5580 ICSA-25-252-08 Rockwell Automation Analytics LogixAI ICSA-25-252-09 Rockwell Automation 1783-NATR ICSA-24-296-01 Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update A) ICSA-25-058-01 Schneider Electric Communication Modules for Modicon M580 and Quantum controllers (Update B) ICSA-25-219-07 EG4 Electronics EG4 Inverters (Update B) ICSA-25-233-01 Mitsubishi Electric Corporation MELSEC iQ-F Series CPU Module (Update A) ICSA-25-226-31 Rockwell Automation 1756-ENT2R, 1756-EN4TR, 1756-EN4TRXT (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Adds Three Known Exploited Vulnerabilities to Catalog
Sep 4, 2025
CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-38352 Linux Kernel Time-of-Check Time-of-Use (TOCTOU) Race Condition Vulnerability CVE-2025-48543 Android Runtime Unspecified Vulnerability CVE-2025-53690 Sitecore Multiple Products Deserialization of Untrusted Data Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Five Industrial Control Systems Advisories
Sep 4, 2025
CISA released five Industrial Control Systems (ICS) advisories on September 4, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-247-01 Honeywell OneWireless Wireless Device Manager (WDM) ICSA-25-217-01 Mitsubishi Electric Iconics Digital Solutions Multiple Products (Update A) ICSA-25-105-07 Delta Electronics COMMGR (Update A) ICSA-25-205-03 Honeywell Experion PKS (Update A) ICSA-25-191-10 End-of-Train and Head-of-Train Remote Linking Protocol (Update B) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA, NSA, and Global Partners Release a Shared Vision of Software Bill of Materials (SBOM) Guidance
Sep 3, 2025
CISA, in collaboration with NSA and 19 international partners, released joint guidance outlining A Shared Vision of Software Bill of Materials (SBOM) for Cybersecurity. This marks a significant step forward in strengthening software supply chain transparency and security worldwide. An SBOM is a formal record detailing the components and supply chain relationships used in building software. SBOMs act as a software “ingredients list” providing organizations with essential visibility into software dependencies, enabling them to identify components, assess risks, and take proactive measures to mitigate vulnerabilities. The guidance highlights the benefits of SBOM adoption for software producers, purchasers, operators, and national security organizations. Key advantages include reducing risks, improving vulnerability management, and enhancing overall software security practices. By promoting transparency, aligning technical approaches, and leveraging automation, SBOM adoption strengthens the resilience of the global software ecosystem. This guidance urges organizations worldwide to integrate SBOM practices into their security frameworks to collaboratively address supply chain risks and enhance cybersecurity resilience. For more information on SBOM, visit: https://www.cisa.gov/sbom. For leadership statements from co-authoring organizations, visit: Statements of Support on A Shared Vision of SBOM for Cybersecurity.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
Sep 3, 2025
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2023-50224 TP-Link TL-WR841N Authentication Bypass by Spoofing Vulnerability CVE-2025-9377 TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Adds Two Known Exploited Vulnerabilities to Catalog
Sep 2, 2025
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2020-24363 TP-link TL-WA855RE Missing Authentication for Critical Function Vulnerability CVE-2025-55177 Meta Platforms WhatsApp Incorrect Authorization Vulnerability These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Four Industrial Control Systems Advisories
Sep 2, 2025
CISA released four Industrial Control Systems (ICS) advisories on September 2, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-245-01 Delta Electronics EIP Builder ICSA-25-245-02 Fuji Electric FRENIC-Loader 4 ICSA-25-245-03 SunPower PVS6 ICSA-25-182-06 Hitachi Energy Relion 670/650 and SAM600-IO Series (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA Adds One Known Exploited Vulnerability to Catalog
Aug 29, 2025
CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. CVE-2025-57819 Sangoma FreePBX Authentication Bypass Vulnerability This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information. Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
CISA Releases Nine Industrial Control Systems Advisories
Aug 28, 2025
CISA released nine Industrial Control Systems (ICS) advisories on August 28, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS. ICSA-25-240-01 Mitsubishi Electric MELSEC iQ-F Series CPU Module ICSA-25-240-02 Mitsubishi Electric MELSEC iQ-F Series CPU Module ICSA-25-240-03 Schneider Electric Saitel DR & Saitel DP Remote Terminal Unit ICSA-25-240-04 Delta Electronics CNCSoft-G2 ICSA-25-240-05 Delta Electronics COMMGR ICSA-25-240-06 GE Vernova CIMPLICITY ICSA-24-135-04 Mitsubishi Electric Multiple FA Engineering Software Products (Update D) ICSA-25-140-04 Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update B) ICSA-25-184-01 Hitachi Energy Relion 670/650 and SAM600-IO series (Update A) CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.
CISA and Partners Release Joint Advisory on Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage Systems
Aug 27, 2025
CISA, along with the National Security Agency, Federal Bureau of Investigation, and international partners, released a joint Cybersecurity Advisory on People’s Republic of China (PRC) state-sponsored Advanced Persistent Threat (APT) actors targeting critical infrastructure across sectors and continents to maintain persistent, long-term access to networks. This advisory builds on previous reporting and is based on real-world investigations conducted across multiple countries through July 2025. While the activity observed overlaps with industry reporting on the group known as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, among others, the advisory refers to them generically as APT actors to focus on the behavior, not the alias. These APT actors are exploiting vulnerabilities in the large backbone routers of telecommunications providers—specifically provider edge and customer edge routers that often lack visibility and are difficult to monitor—to gain and maintain persistent access, particularly in telecommunications, government, transportation, lodging, and defense networks. They often modify router firmware and configurations to evade detection and establish long-term footholds. CISA and authoring partners strongly urge network defenders, particularly those in high-risk sectors, to hunt for malicious activity and implement the mitigations outlined in this advisory. For more detailed information, review the full advisory and CISA’s People’s Republic of China Cyber Threat Overview and Advisories web page.