CISA Issues Two New ICS Advisories Addressing Exploits and Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) escalated its cybersecurity alerts on February 18, 2025, releasing two critical Industrial Control Systems (ICS) advisories targeting vulnerabilities in Delta Electronics’ CNCSoft-G2 and Rockwell Automation’s GuardLogix controllers.

These advisories flagged under ICSA-24-191-01 (Update A) and ICSA-25-035-02 (Update A), address high-severity flaws that could enable remote code execution and denial-of-service attacks across industrial environments.

Delta Electronics CNCSoft-G2 Vulnerabilities Expose Systems to Remote Exploitation

CISA’s ICSA-24-191-01 advisory highlights six critical vulnerabilities in Delta Electronics’ CNCSoft-G2, a human-machine interface (HMI) software widely used in manufacturing and CNC machining systems.

The flaws, rated with a CVSS v4 score of 8.4, affect versions 2.0.0.5 through 2.1.0.16 and stem from memory corruption weaknesses:

1. CVE-2024-39880: A stack-based buffer overflow allows attackers to execute arbitrary code by tricking users into opening malicious files or visiting compromised web pages.
2. CVE-2024-39881: An out-of-bounds write vulnerability permits memory corruption under similar attack vectors.
3. CVE-2024-39882: An out-of-bounds read flaw enables attackers to leak sensitive data or crash processes.
4. CVE-2024-39883: A heap-based buffer overflow in version 2.0.0.5 allows code execution.
5. CVE-2024-12858: Affecting versions up to 2.1.0.16, this heap overflow could grant full system control.
6. CVE-2025-22880: Versions 2.1.0.10 and prior are vulnerable to heap-based overflows via malicious files.

CISA emphasized that all vulnerabilities require minimal attack complexity, with no privileges needed for exploitation.

Successful attacks could disrupt manufacturing processes, compromise intellectual property, or enable lateral movement within operational technology (OT) networks.

Rockwell Automation GuardLogix Controllers at Risk of Denial-of-Service Attacks

The second advisory, ICSA-25-035-02, focuses on Rockwell Automation’s GuardLogix 5380 and 5580 controllers, critical components in industrial safety systems.

The vulnerability CVE-2025-24478 (CVSS v4: 7.1) stems from improper exception handling, allowing unprivileged remote attackers to trigger major faults and denial-of-service conditions. Affected firmware includes:

• GuardLogix 5580 (SIL 3) versions before V33.017, V34.014, V35.013, and V36.011
• Compact GuardLogix 5380 SIL 3 versions pre-dating the same updates

Exploitation could halt safety-critical processes in sectors like energy, pharmaceuticals, and automotive manufacturing, risking operational shutdowns and safety incidents.

CISA urges organizations using Delta Electronics CNCSoft-G2 to upgrade to patched versions immediately.

For Rockwell Automation systems, firmware updates to GuardLogix 5380/5580 controllers beyond the affected versions are critical. Temporary mitigations include:

• Segmenting OT networks from corporate IT environments
• Restricting file execution and web access on HMIs
• Monitoring for anomalous traffic to PLCs and safety controllers

Delta Electronics and Rockwell Automation have released patches and workarounds through their security portals.

CISA’s advisories underscore the growing risks to ICS environments, where outdated software and interconnected systems amplify attack surfaces.

With industrial infrastructure increasingly targeted by nation-states and cybercriminal groups, these advisories serve as a stark reminder of the urgent need for proactive vulnerability management.

Organizations must prioritize patch deployment, network segmentation, and continuous monitoring to safeguard critical operations.

Review CISA’s advisories ICSA-24-191-01 and ICSA-25-035-02 on the official CISA.gov repository for full technical details.

Free Webinar: Better SOC with Interactive Malware Sandbox for Incident Response, and Threat Hunting - Register Here