On March 19, 2025, cybersecurity researchers revealed critical vulnerabilities affecting mySCADA myPRO, a Supervisory Control and Data Acquisition (SCADA) system utilized in operational technology (OT) environments. These flaws could potentially enable malicious actors to take control of vulnerable systems, leading to operational disruptions and financial losses. The Swiss security company PRODAFT emphasized the severity of these vulnerabilities and the risks they pose to industrial control networks.
The vulnerabilities, rated 9.3 on the CVSS v4 scoring system, include CVE-2025-20014 and CVE-2025-20061. The first flaw is an operating system command injection vulnerability that allows attackers to execute arbitrary commands through specially crafted POST requests. The second vulnerability also enables attackers to execute arbitrary commands by manipulating POST requests. Successful exploitation of either vulnerability could result in unauthorized code execution.
PRODAFT attributed these vulnerabilities to a lack of input sanitization, which facilitates command injection attacks. The company underscored the ongoing security challenges faced by SCADA systems and emphasized the importance of implementing robust defenses. Exploitation of these flaws could lead to operational disruptions, financial harm, and safety risks, underscoring the critical need for enhanced security measures in OT environments.
To mitigate the risk posed by these vulnerabilities, organizations are advised to promptly apply available patches, implement network segmentation to isolate SCADA systems from IT networks, enforce strong authentication mechanisms, and monitor network activity for signs of compromise. By following these recommendations, organizations can enhance the security posture of their SCADA systems and reduce the likelihood of successful cyber attacks.
Source link