The Hidden ICS Threat Landscape: Decoding the 25+ Critical Vulnerabilities Targeting Critical Infrastructure


Introduction:

The industrial control systems (ICS) and operational technology (OT) environment faced a significant barrage of new threats in the final week of August 2025. With four new and four updated CISA ICS advisories, alongside 11 independent vendor disclosures, the attack surface for critical infrastructure expanded dramatically across energy, manufacturing, healthcare, and transportation systems. This article provides a technical deep dive into the vulnerabilities and equips security professionals with the commands and methodologies needed to detect, mitigate, and defend against these specific threats.

Learning Objectives:

  • Identify and understand the critical CVEs disclosed for major ICS vendors like Mitsubishi Electric, Delta Electronics, and Schneider Electric.
  • Implement immediate detection and mitigation strategies using verified command-line tools and scripts.
  • Develop a proactive hunting methodology for similar vulnerabilities within OT/ICS environments.

You Should Know:

  1. Reconnaissance for Vulnerable Schneider Electric EcoStruxure and PLCs

Nmap NSE script for Schneider Electric discovery

`nmap -p 502 --script modbus-discover <target>`

`nmap -p 4910,4911,4912,4913 --script schneider-ecostruxure-info <target>`

Schneider Electric vulnerabilities often reside in their EcoStruxure platform and Modbus-enabled PLCs. The first step is identifying these assets on your network. The `modbus-discover` NSE script will identify devices listening on the standard Modbus TCP port (502) and extract basic unit information. For a more specific probe targeting EcoStruxure, scan the common ports 4910-4913 and use the `schneider-ecostruxure-info` script to gather detailed system information, which can be cross-referenced with advisory versions to confirm susceptibility.

  2. Detecting Exposed INVT and Delta Electronics Industrial Protocols

Python script to probe for INVT PLCs

```python
#!/usr/bin/env python3
import socket

# Modbus/TCP frame: MBAP header (transaction 0, protocol 0, length 6, unit id 0)
# followed by a Read Holding Registers (FC 03) request for one register at address 0.
# The length field counts the unit id plus the 5-byte PDU, so it must be 6.
REQUEST = b'\x00\x00\x00\x00\x00\x06\x00\x03\x00\x00\x00\x01'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(3)
try:
    s.connect(('TARGET_IP', 502))  # replace TARGET_IP with the host being inventoried
    s.send(REQUEST)
    data = s.recv(1024)
    if data:
        print(f"INVT PLC likely present: {data.hex()}")
except (socket.timeout, OSError):
    pass  # no answer or connection refused: nothing speaking Modbus on this host
finally:
    s.close()
```

Delta Electronics and INVT devices use proprietary protocols often layered over Modbus. This simple Python socket script attempts a Modbus connection and sends a benign read command (Function Code 03). A response indicates an active device. For Delta Electronics' configuration tools, search for associated processes and files: `Get-Process -Name "DIA" | Select-Object Path` on Windows or use `lsof -i :5555` on Linux to check for open ports used by their software.
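The probe above only prints raw bytes. The following added example (not code from the original post) builds the same FC 03 request with a correct MBAP header and validates the reply, distinguishing a real register read from a Modbus exception frame, so an inventory script can tell a healthy device from one that answers but rejects the address. The two reply frames are constructed, not captured from any device.

```python
#!/usr/bin/env python3
"""Modbus/TCP Read Holding Registers: request builder, response validator, probe helper."""
import socket
import struct
from typing import Optional

MODBUS_EXCEPTIONS = {1: "Illegal Function", 2: "Illegal Data Address",
                     3: "Illegal Data Value", 4: "Slave Device Failure"}

def build_read_holding_registers(tid: int, unit: int, start: int, count: int) -> bytes:
    """MBAP header (tid, proto 0, length) + unit id + PDU. Length = unit id + PDU = 6 for FC 03."""
    pdu = struct.pack(">BHH", 0x03, start, count)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def parse_response(request: bytes, response: bytes) -> dict:
    """Check the reply's MBAP header against the request, then decode data or an exception."""
    if len(response) < 9:
        raise ValueError("short frame")
    tid, proto, length, unit = struct.unpack(">HHHB", response[:7])
    req_tid, _, _, req_unit = struct.unpack(">HHHB", request[:7])
    if proto != 0 or tid != req_tid or unit != req_unit:
        raise ValueError("MBAP header does not match request")
    if len(response) != 6 + length:
        raise ValueError("declared length disagrees with frame size")
    fc = response[7]
    if fc & 0x80:  # exception: function code with high bit set, then one exception code byte
        code = response[8]
        return {"ok": False, "function": fc & 0x7F, "exception": code,
                "reason": MODBUS_EXCEPTIONS.get(code, "Unknown")}
    byte_count = response[8]
    data = response[9:9 + byte_count]
    if len(data) != byte_count or byte_count % 2:
        raise ValueError("bad byte count")
    return {"ok": True, "function": fc,
            "registers": list(struct.unpack(">%dH" % (byte_count // 2), data))}

def probe(host: str, port: int = 502, unit: int = 1, timeout: float = 3.0) -> Optional[dict]:
    """Send one benign read of holding register 0 and return the parsed reply, or None."""
    req = build_read_holding_registers(1, unit, 0, 1)
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            return parse_response(req, s.recv(260))
    except (OSError, ValueError):
        return None

# Constructed reply frames standing in for what a PLC would send (unit id 1, tid 1)
NORMAL_REPLY = bytes.fromhex("000100000005010302002a")   # one register, value 42
EXCEPTION_REPLY = bytes.fromhex("000100000003018302")    # FC 03 rejected: illegal data address
```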

  3. Interrogating Siemens SIMATIC S7 PLCs for Firmware Versions

s7-info Metasploit auxiliary module

`use auxiliary/scanner/scada/siemens_s7_info`

`set RHOSTS 192.168.1.0/24`

`set RPORT 102`

`run`

While not listed in this specific week’s advisories, Siemens S7s are perennial targets and their interrogation is a fundamental skill. The Metasploit `siemens_s7_info` module connects to port 102 and extracts detailed metadata, including the firmware version, module type, and system name. This information is critical for comparing against disclosed CVEs in other advisories and establishing a baseline for asset management and patch prioritization.

  4. Validating Johnson Controls iSTAR Access Control Panel Configurations

SSH command to check iSTAR firmware

`ssh admin@<panel-ip> "show version"`

Johnson Controls iSTAR panels, cited in the advisories, are network-connected access control systems. A primary step in hardening is to ensure they are not running default credentials and to validate their firmware version. Using SSH, an administrator can connect to the panel’s IP and run the `show version` command. This output must be compared against the patched versions listed in the Johnson Controls advisory. Always ensure SSH access is restricted to management VLANs.

  5. Querying CISA's Known Exploited Vulnerabilities (KEV) Catalog via CLI

curl command to fetch the CISA KEV catalog

`curl -s "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json" | jq -r '.vulnerabilities[] | select(.dateAdded >= "2025-08-25") | .cveID'`

Staying current with actively exploited vulnerabilities is paramount. This one-liner uses `curl` to fetch the official CISA KEV catalog in JSON format and pipes it to `jq` to parse and extract only the CVE IDs added since August 25th, 2025. This list should be integrated into daily threat intelligence briefings and cross-checked against your asset inventory. Automation of this check can be set up via a cron job.
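The jq one-liner stops at a list of CVE IDs; the cross-check against an asset inventory it calls for is the step that produces action. This added example (not the post's own code) applies the same dateAdded filter to a catalog in the KEV JSON layout and pairs each new entry with inventory hosts whose vendor and product match. The catalog excerpt and inventory are constructed, and the CVE IDs in it are placeholders, not real KEV entries.

```python
#!/usr/bin/env python3
"""Filter new KEV entries and match them against an OT asset inventory."""
import json
from datetime import date

# Constructed sample using the real KEV field names; CVE-0000-* ids are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExamplePLC",
     "dateAdded": "2025-08-26", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00002", "vendorProject": "OtherVendor", "product": "Gateway",
     "dateAdded": "2025-08-27", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "HMI",
     "dateAdded": "2025-07-01", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory rows: hostname plus the vendor/product strings an asset tool exports
INVENTORY = [
    {"host": "plc-line1", "vendor": "examplevendor", "product": "ExamplePLC v2"},
    {"host": "hmi-ctrl", "vendor": "ExampleVendor", "product": "hmi"},
    {"host": "gw-edge", "vendor": "ThirdVendor", "product": "Router"},
]

def new_kev_entries(catalog_json: str, since: str) -> list:
    """Same selection as the jq filter: entries whose dateAdded is on or after `since`."""
    cutoff = date.fromisoformat(since)
    entries = json.loads(catalog_json)["vulnerabilities"]
    return [e for e in entries if date.fromisoformat(e["dateAdded"]) >= cutoff]

def match_inventory(entries: list, inventory: list) -> list:
    """Pair each entry with hosts whose vendor and product contain the KEV strings (case-insensitive)."""
    hits = []
    for e in entries:
        vendor, product = e["vendorProject"].lower(), e["product"].lower()
        for asset in inventory:
            if vendor in asset["vendor"].lower() and product in asset["product"].lower():
                hits.append({"cve": e["cveID"], "host": asset["host"],
                             "ransomware": e["knownRansomwareCampaignUse"]})
    return hits

if __name__ == "__main__":
    for hit in match_inventory(new_kev_entries(KEV_SAMPLE, "2025-08-25"), INVENTORY):
        print(hit)
```

Replacing `KEV_SAMPLE` with the body returned by the curl command above runs the same check against the live catalog.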

  6. Network Segmentation Check for OT Protocols

Windows PowerShell command to check listening ports

`Get-NetTCPConnection -State Listen | Where-Object {$_.LocalPort -in (502,20000,2404,4910,4911,4912,4913,102,44818)} | Select-Object LocalAddress, LocalPort, OwningProcess`

A core mitigation for many ICS vulnerabilities is strict network segmentation, preventing unauthorized access to sensitive industrial protocols. This PowerShell command queries all currently listening TCP ports on a Windows system and filters for well-known OT/ICS ports (e.g., Modbus 502, CIP 44818, S7 102). Identifying processes (OwningProcess) listening on these ports helps confirm if intended industrial software is running or if an unauthorized application is exposed.

  7. Building an ICS-Specific CANVAS Dashboard for Asset Tracking

Kibana query for ICS device discovery

`event.dataset:zeek.* AND (tags:"industrial" OR protocol:"modbus" OR protocol:"dnp3" OR service:"s7comm")`

Leveraging a security information and event management (SIEM) or analytics platform like Elasticsearch is key for visibility. This sample query for an Elastic (Kibana) dashboard filters network traffic data (provided by a tool like Zeek) for industrial protocols. By creating alerts on new devices using these protocols or on traffic crossing segmentation boundaries, teams can detect unauthorized devices or communications that could indicate an attempt to exploit the vulnerabilities detailed in the advisories.
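The Kibana query surfaces industrial traffic; the alert the paragraph describes, traffic to OT ports that originates outside the OT segment, needs a zone definition on top of it. This added example (not part of the original post) runs that logic over Zeek `conn.log` rows using the same ports as the PowerShell check above. The OT address range and the log rows are constructed for the example.

```python
#!/usr/bin/env python3
"""Flag connections to industrial-protocol ports whose source lies outside the OT zone."""
import ipaddress

OT_ZONES = [ipaddress.ip_network("10.10.0.0/16")]   # assumed OT address space for the example
OT_PORTS = {502: "modbus", 102: "s7comm", 20000: "dnp3", 2404: "iec104", 44818: "enip"}
# Subset of the real Zeek conn.log field order, in the order the sample rows use
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service"]

# Constructed tab-separated conn.log rows (not real traffic)
SAMPLE_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1756166400.1\tCx1\t10.10.5.20\t50123\t10.10.1.10\t502\ttcp\tmodbus
1756166401.2\tCx2\t192.168.40.77\t41000\t10.10.1.10\t502\ttcp\tmodbus
1756166402.3\tCx3\t192.168.40.77\t41001\t10.10.1.11\t102\ttcp\t-
1756166403.4\tCx4\t10.10.5.20\t50124\t172.16.2.2\t443\ttcp\tssl
"""

def parse_conn_log(text: str) -> list:
    """Turn TSV rows into dicts keyed by FIELDS, skipping Zeek's '#' header lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(FIELDS, line.split("\t"))))
    return rows

def in_ot_zone(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OT_ZONES)

def boundary_crossings(rows: list) -> list:
    """(uid, src, dst, port, protocol) for OT-port connections whose source is not in an OT zone."""
    hits = []
    for r in rows:
        port = int(r["id.resp_p"])
        if port in OT_PORTS and not in_ot_zone(r["id.orig_h"]):
            hits.append((r["uid"], r["id.orig_h"], r["id.resp_h"], port, OT_PORTS[port]))
    return hits

if __name__ == "__main__":
    for hit in boundary_crossings(parse_conn_log(SAMPLE_LOG)):
        print("segmentation violation:", hit)
```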

What Undercode Say:

  • The volume and diversity of advisories highlight a persistent and widespread lack of secure-by-design principles in ICS development.
  • Immediate action is required for asset identification and segmentation, as patching in OT environments often involves complex downtime.
  • The absence of these specific ICS CVEs in CISA’s KEV catalog should not breed complacency; threat actors may be exploiting these vulnerabilities before public disclosure.

Analysis:

The weekly summary from the ICS Advisory Project is not merely a list of patches; it is a map of the evolving attack surface of global critical infrastructure. The concentration of vulnerabilities in fundamental components like protocol configuration tools (Delta), gateways (Welotec, iND Co.), and access control systems (Johnson Controls) reveals a strategic targeting of choke points. An adversary compromising any one of these devices can gain a foothold to move laterally, disrupt processes, or deny access to physical spaces. The technical commands provided are essential for moving from passive awareness to active defense. The focus must shift from simply applying patches to implementing robust detection capabilities, as the window between vulnerability disclosure and exploit weaponization continues to shrink. The fact that these particular CVEs are not yet on the KEV catalog is a temporary state, not an all-clear signal.

Prediction:

The vulnerabilities disclosed this week, particularly in solar inverters (SMA Solar), building management systems (ABB, Johnson Controls), and medical imaging software (Changing Information Tech), will be rapidly integrated into the playbooks of both state-sponsored and financially-motivated threat actors. We predict a rise in targeted ransomware campaigns against the energy and healthcare sectors, leveraging these flaws for initial access and lateral movement within OT networks. Within 12-18 months, the automation of exploits for these types of ICS vulnerabilities will become commonplace in penetration testing toolsets, further lowering the barrier to entry for less sophisticated attackers. The industry must accelerate the adoption of zero-trust architectures within OT environments to mitigate this inevitable trend.

Reported By: Danricci14 Week – Hackers Feeds