GSL A.I CyberSecurity Scoring
GSL
Company Information
Website: http://www.guralp.com
Number of employees: 72
Number of followers: 2,213
NAICS: 30
Industry Type: Manufacturing
Homepage: guralp.com
GSL Risk Score (AI oriented)
Between 750 and 799
GSL, Manufacturing
Updated: 06/03/2026
750/1000, Fair, Baa
Current Score: 750 Baa (Fair), on a scale of 0 to 1000
1 incident
-11 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 750
MAY 2026: 750
APRIL 2026: 750
MARCH 2026: 750
FEBRUARY 2026: 750
JANUARY 2026: 760
Vulnerability
13 Jan 2026 • GSL
Güralp Systems, Rockwell Automation and YoSmart: CISA issues multiple ICS advisories, details DoS vulnerability risk in Rockwell devices used in critical manufacturing
CISA Publishes Advisories on Vulnerabilities in Rockwell Automation and YoSmart Products
749
CRITICAL-11
GURROCYOS1768400893
CISA Issues Critical ICS Advisories for Rockwell Automation and YoSmart Vulnerabilities
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released three new advisories and updated an existing one on Tuesday, highlighting significant vulnerabilities in industrial control systems (ICS) from Rockwell Automation and YoSmart. The advisories address risks in critical manufacturing and global communications sectors, with potential impacts ranging from denial-of-service (DoS) conditions to unauthorized device control.
### Rockwell Automation Vulnerabilities
1. CVE-2025-9368 (CVSS 7.5)
   - Affects Rockwell Automation 432ES-IG3 Series A devices, specifically the GuardLink EtherNet/IP Interface.
   - The flaw stems from uncontrolled resource allocation, allowing attackers to trigger a DoS condition requiring a manual power cycle to restore functionality.
   - Mitigation: Users should upgrade to V2.001.9 or later; those unable to update should follow Rockwell’s security best practices.
2. CVE-2025-12807 (CVSS 8.8)
   - Impacts FactoryTalk DataMosaix Private Cloud (versions 7.11, 8.00, and 8.01).
   - The vulnerability involves SQL injection, enabling low-privilege users to execute unauthorized database operations via exposed API endpoints.
   - Mitigation: Update to Version 8.01.02 or later.
### YoSmart YoLink Smart Hub Vulnerabilities
Multiple flaws were identified in the YoSmart YoLink ecosystem, affecting the Smart Hub, server, and mobile application (CVE-2025-59448, CVE-2025-59449, CVE-2025-59451, CVE-2025-59452), with a CVSS score of 5.8.
- Exploitation Risks:
  - Remote device control of other users’ smart home devices.
  - Session hijacking and sensitive data interception due to weak authorization controls and predictable device IDs.
  - Cleartext transmission of data via unencrypted MQTT, exposing communications to interception or tampering.
  - Long-lived session tokens in the mobile app, increasing the risk of unauthorized access.
- Technical Details:
  - The YoLink MQTT broker (through 2025-10-02) lacks sufficient authorization checks, allowing cross-account attacks if device IDs are obtained.
  - Device IDs are predictable, enabling attackers to gain control over any YoLink user’s devices.
  - API endpoints use MD5 hashing of non-secret data (e.g., MAC addresses), further weakening security.
### CISA’s Recommendations
While no active exploitation has been reported, CISA advises organizations to:
- Minimize network exposure for ICS devices, ensuring they are not internet-accessible.
- Isolate control systems behind firewalls and separate them from business networks.
- Use secure remote access methods, such as updated VPNs, when necessary.
- Conduct risk assessments before deploying defensive measures.
The advisories underscore ongoing risks in ICS environments, particularly in critical infrastructure sectors. Organizations are urged to apply patches and follow CISA’s Defense-in-Depth Strategies for proactive cybersecurity.
DECEMBER 2025: 760
NOVEMBER 2025: 760
OCTOBER 2025: 760
SEPTEMBER 2025: 760
AUGUST 2025: 760
JULY 2025: 760