mySCADA myPRO RCE Vulnerabilities Expose ICS Devices to Remote Control

Supervisory Control and Data Acquisition (SCADA) systems play a pivotal role in managing critical infrastructure across sectors like energy, manufacturing, and more.

However, this digital transformation also brings with it a heightened vulnerability to cyber threats.

Recent research by our security team at PRODAFT has identified critical vulnerabilities in the mySCADA myPRO system, a widely used SCADA management solution headquartered in the Czech Republic.

These vulnerabilities could compromise industrial control systems if exploited, leading to significant operational disruptions and financial losses.

The identified vulnerabilities are detailed in the table below:

Vulnerability	CVE	CVSS Score	Affected Products
mySCADA myPRO Manager OS Command Injection via Email Parameter	CVE-2025-20061	9.8 (CVSS v3.1), 9.3 (CVSS v4)	myPRO Manager – Versions prior to 1.3
mySCADA myPRO Manager OS Command Injection via Version Parameter	CVE-2025-20014	9.8 (CVSS v3.1), 9.3 (CVSS v4)	myPRO Manager – Versions prior to 1.3

Vulnerabilities Details

These vulnerabilities exist due to the improper sanitization of inputs in the myPRO Manager application.

An attacker can exploit these weaknesses by sending specially crafted POST requests containing either email or version parameters to a specific port.

Once executed, these requests can inject system commands, leading to Remote Command Execution (RCE), which allows attackers to execute arbitrary code on the system.

CVE-2025-20061 Details:

• Impact: Remote Command Execution (RCE)
• CVSS v3.1 Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
• CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CVE-2025-20014 Details:

• Impact: Remote Command Execution (RCE)
• CVSS v3.1 Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
• CVSS v4 Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

Both vulnerabilities are categorized under CWE-78, highlighting the application’s failure to properly neutralize special elements used in OS commands.

Affected Products

The vulnerabilities affect the following mySCADA products:

• myPRO Manager: Versions prior to 1.3
• myPRO Runtime: Versions prior to 9.2.1

These vulnerabilities underscore the persistent security risks associated with SCADA systems and the need for robust defense mechanisms.

 Exploitation could lead to severe operational disruptions, financial losses, and safety hazards.

To address these vulnerabilities effectively, organizations should consider the following strategies:

• Apply Patches: Immediately install vendor-issued updates for affected products.
• Network Segmentation: Isolate SCADA systems from IT networks to reduce attack surfaces.
• Access Controls: Implement strong authentication measures, including multi-factor authentication (MFA).
• Monitoring: Utilize IDS and SIEM solutions to detect and respond to threats in real-time.
• Incident Response: Develop and test comprehensive incident response plans for rapid containment and recovery.

As threats against SCADA systems evolve, proactive security research and robust defense strategies remain crucial in securing critical infrastructure.

Please replace the hypothetical CVEs (CVE-2025-20061 and CVE-2025-20014) with the actual CVE identifiers once they are available.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free