CISA Issues Critical ICS Advisories for Siemens and Mitsubishi Vulnerabilities
CISA releases two Industrial Control Systems advisories addressing high-severity flaws in Siemens RUGGEDCOM APE1808 and Mitsubishi Electric MELSEC iQ-R Series (CVE-2025-8342).
CISA Releases Two Critical Industrial Control Systems Advisories
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published two Industrial Control Systems (ICS) advisories to address vulnerabilities in Siemens and Mitsubishi Electric products. Released on December 30, 2025, these advisories provide critical information about security flaws that could expose operational technology (OT) environments to exploitation if left unpatched.
Technical Details
**ICSA-25-364-01: Siemens RUGGEDCOM APE1808**
This advisory highlights a vulnerability in the Siemens RUGGEDCOM APE1808 industrial application platform. The flaw, tracked as CVE-2025-8342, stems from improper input validation in the device’s web interface. An unauthenticated remote attacker could exploit this vulnerability to execute arbitrary code with root privileges, potentially leading to full system compromise. The advisory notes that successful exploitation requires network access to the targeted device.
**ICSA-25-364-02: Mitsubishi Electric MELSEC iQ-R Series**
The second advisory addresses a denial-of-service (DoS) vulnerability in Mitsubishi Electric’s MELSEC iQ-R Series CPU modules. The flaw, identified as CVE-2025-8343, arises from insufficient validation of specific packets sent to the CPU module. A remote attacker could send crafted packets to trigger a DoS condition, disrupting industrial processes reliant on the affected hardware. CISA emphasizes that exploitation does not require authentication but does necessitate access to the targeted network.
Impact Analysis
Both vulnerabilities pose significant risks to critical infrastructure sectors, including energy, manufacturing, and water treatment. Exploitation of CVE-2025-8342 could enable attackers to gain control of Siemens RUGGEDCOM devices, which are commonly used for secure communication in harsh industrial environments. Meanwhile, CVE-2025-8343 could disrupt operations in facilities using Mitsubishi Electric’s MELSEC iQ-R Series, leading to potential downtime and financial losses.
CISA has assigned a CVSS v3.1 base score of 9.8 to CVE-2025-8342, categorizing it as critical. CVE-2025-8343 has been rated with a CVSS v3.1 base score of 7.5, classifying it as high severity.
Recommendations
CISA urges organizations using the affected products to:
- Apply patches immediately: Siemens and Mitsubishi Electric have released updates to mitigate these vulnerabilities. Users should refer to the vendors’ security advisories for guidance:
- Isolate ICS networks: Segment industrial control systems from corporate networks to limit exposure to potential attacks.
- Monitor for suspicious activity: Deploy intrusion detection systems (IDS) to identify anomalous traffic targeting ICS devices.
- Follow CISA’s ICS security best practices: Review CISA’s ICS security recommendations for additional hardening measures.
For further details, refer to the full advisories on CISA’s website: