Critical infrastructures: attacks on industrial control systems possible
Important security updates have been released for industrial control systems from Hitachi and other vendors. One patch, however, is still pending.
Attackers can target critical infrastructure that relies on industrial control systems (ICS) from Delta Electronics, Fuji Electric, Hitachi, and SunPower. In the energy sector, for example, successful attacks can have far-reaching consequences for the population. Administrators should therefore promptly install the security updates, only some of which are available so far.
The US Cybersecurity & Infrastructure Security Agency (CISA) describes the vulnerabilities and the dangers they pose in an article.
Secure KRITIS
The most dangerous issue is a "critical" vulnerability (CVE-2025-9696) in the SunPower PVS6 solar plant monitoring system, for which there is currently no security patch. Because of hard-coded credentials, attackers within Bluetooth range can completely compromise devices and, for example, set up remote access via SSH. CISA states that it is not aware of any attacks to date. Versions up to and including 2025.06 build 61839 are affected. It is not yet clear when an update will be released.
Hitachi Energy Relion 650, 670 and SAM600-IO are susceptible to DoS attacks (CVE-2025-2403, "high"). Attackers are reportedly able to paralyze critical functions such as the Line Distance Communication Module (LDCM). The security updates are listed in a warning message.
Malicious code attacks (CVE-2025-9365, "high") are possible on Fuji Electric FRENIC-Loader 4. Version 1.4.0.1 and later is protected against this. Delta Electronics EIP Builder can leak sensitive information (CVE-2025-57704, "medium"). Version 1.12 contains a security update.
(des)